Palo Alto GlobalProtect CVE-2026-0257 Actively Exploited

Palo Alto Networks' PAN-OS, specifically its GlobalProtect VPN gateways, has a critical authentication bypass vulnerability, CVE-2026-0257. This flaw allows unauthenticated remote attackers to gain unauthorized access to enterprise networks, circumventing security perimeters. Active exploitation of CVE-2026-0257 has been confirmed, leading to its inclusion in the CISA Known Exploited Vulnerabilities catalog on May 29, 2026.

The vulnerability stems from an insecure authentication token validation process within the GlobalProtect feature. A critical signature verification step is omitted after token decryption. Threat actors are using this defect to forge valid session cookies, bypassing normal authentication and gaining unauthorized access. Attacks have been observed in multiple waves, with initial signs dating back to May 17, 2026, and continuing with a secondary wave on May 21st.

Organizations using affected Palo Alto Networks PAN-OS configurations should prioritize immediate patching or apply vendor-supplied mitigation steps. Failure to address CVE-2026-0257 can result in severe compromise, including full internal network access, as observed in active campaigns.

What is CVE-2026-0257 and why is it critical?

CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS appliances when configured with specific GlobalProtect VPN settings. It is critical because it permits unauthenticated remote attackers to bypass the authentication process, leading directly to unauthorized access to an organization's internal network resources. Its active exploitation makes it an immediate threat to any vulnerable environment.

The flaw allows an adversary to assume an authenticated state without providing legitimate credentials, nullifying a primary security control. This direct circumvention of authentication mechanisms is a severe security defect; it undercuts the principle of verifying user identity before granting network access. Such vulnerabilities often enable attackers to establish a foothold for lateral movement, data exfiltration, deploying additional malicious payloads, or maintaining persistent access within the compromised network. The observed exploitation, including successful acquisition of VPN IP assignments and subsequent internal network access, shows the risk CVE-2026-0257 poses to corporate environments globally.

Impact

An attacker successfully exploiting CVE-2026-0257 can achieve a total authentication bypass on vulnerable Palo Alto Networks PAN-OS GlobalProtect VPN Gateways. This allows unauthorized access to enterprise perimeter networks, nullifying the security posture provided by the VPN. The direct consequence is that threat actors can establish an authenticated session, granting them a foothold within the corporate network.

The real-world reach of this vulnerability is broad. Observed exploitation campaigns have demonstrated that attackers can obtain full internal network access after successfully receiving a VPN IP assignment through this bypass. This level of access can lead to severe compromises, including unauthorized access to sensitive data, deployment of malware, lateral movement within the network, and establishment of persistent access. Organizations that rely on GlobalProtect for secure remote access and have configurations vulnerable to CVE-2026-0257 are at immediate risk of network intrusion and internal system compromise. This type of authentication bypass, where cryptographic weaknesses allow for forged credentials, is similar to other critical vulnerabilities, such as the FortiOS authentication bypass that has also seen active exploitation.

Exploitation chain

Exploitation of CVE-2026-0257 by threat actors relies on a specific configuration and a critical validation flaw within the Palo Alto Networks PAN-OS GlobalProtect authentication override mechanism. The attack vector is remote and unauthenticated, targeting the server-side processing of authentication tokens.

The vulnerability's technical foundation lies within a specialized access feature designed to simplify the user login experience for GlobalProtect portals and gateways. This feature enables the issuance of authentication cookies to previously authenticated users, allowing them to use these tokens for future web communications without re-supplying raw credentials. A critical validation defect exists within the core binary decryption handler responsible for processing these tokens. When an incoming authentication token is base64-decoded and subsequently decrypted using a private key, the decrypted content is then implicitly trusted. The critical flaw is the complete absence of any signature verification after this decryption process.

The preconditions for successful exploitation are crucial: the vulnerability specifically affects devices configured to reuse the primary portal certificate across multiple network features. This includes scenarios where the primary portal certificate, typically used for public HTTPS services, is also employed for encrypting and decrypting GlobalProtect authentication tokens. In such cases, a remote unauthenticated attacker can capture the public key associated with this shared certificate. With the public key in hand, the adversary can then construct and encrypt their own forged, valid security cookies. When these maliciously crafted cookies are presented to the vulnerable PAN-OS appliance, the device processes them server-side, implicitly trusting the decrypted content due to the missing signature check. As a direct result, the appliance grants the attacker unauthorized access, leading to a total authentication bypass.
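To make the defect concrete, the following Go program is an added illustration (not PAN-OS code and not from the original post): the portal key encrypts cookies, a vulnerable validator trusts whatever decrypts, and a hardened validator also checks a signature made with a server-only key that no client can obtain. The names EncryptToken, Issue, VulnerableValidate and HardenedValidate, the "user|sig" body layout and the choice of RSA-OAEP plus Ed25519 are assumptions of this example, not details of the real implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"strings"
)

// Toy gateway keys (illustrative, not PAN-OS code). encKey stands in for the portal
// certificate, whose public half every HTTPS client can fetch; signKey never leaves the server.
var encKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var signPub, signKey, _ = ed25519.GenerateKey(rand.Reader)

// EncryptToken needs only the portal public key: base64(RSA-OAEP(body)). No server secret.
func EncryptToken(pub *rsa.PublicKey, body string) string {
	ct, _ := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(body), nil)
	return base64.StdEncoding.EncodeToString(ct)
}

// Issue builds a legitimate cookie "user|sig", where sig comes from the server-only key.
func Issue(user string) string {
	sig := base64.StdEncoding.EncodeToString(ed25519.Sign(signKey, []byte(user)))
	return EncryptToken(&encKey.PublicKey, user+"|"+sig)
}

// decrypt is the shared first step: base64-decode, then decrypt with the private key.
func decrypt(token string) (string, string, error) {
	ct, _ := base64.StdEncoding.DecodeString(token) // malformed input then fails in DecryptOAEP
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, encKey, ct, nil)
	user, sig, _ := strings.Cut(string(pt), "|")
	return user, sig, err
}

// VulnerableValidate mirrors the CVE-2026-0257 defect: whatever decrypts is trusted as-is.
func VulnerableValidate(token string) (string, bool) {
	user, _, err := decrypt(token)
	return user, err == nil
}

// HardenedValidate adds the omitted step: verify the signature before trusting the body.
func HardenedValidate(token string) (string, bool) {
	user, sig, err := decrypt(token)
	raw, _ := base64.StdEncoding.DecodeString(sig)
	if err != nil || !ed25519.Verify(signPub, []byte(user), raw) {
		return "", false
	}
	return user, true
}
```

A body encrypted with nothing but the public key passes VulnerableValidate and fails HardenedValidate, which is exactly the gap the missing signature check leaves open.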

Active exploitation of CVE-2026-0257 has been observed. Forensic investigators noted the earliest signs of unauthorized access attempts on May 17, 2026. During this initial wave, attackers launched authentication probes from the Vultr hosting infrastructure. A secondary wave of attacks was identified on May 21st, employing a different infrastructure provider, Dromatics Systems. Despite the shift in network location, investigators identified a consistent MAC address across both campaigns, suggesting that a single threat group is behind these operations. In the second observed wave, the attackers successfully used the vulnerability to obtain full internal network access after being assigned a VPN IP. For further context on critical exploits in Palo Alto Networks products, refer to our prior analysis of CVE-2024-3400.

Affected products and versions

The CVE-2026-0257 authentication bypass vulnerability affects Palo Alto Networks PAN-OS when configured in specific scenarios related to its GlobalProtect feature.

  • Product: Palo Alto Networks PAN-OS
  • Component: GlobalProtect portal and gateway functionality.
  • Affected Configurations: The vulnerability affects appliances running PAN-OS with GlobalProtect VPN configurations that reuse the primary portal certificate across multiple network features. Devices are vulnerable if the certificate used for public HTTPS services is also employed for issuing and validating GlobalProtect authentication tokens.
  • Version Information: Research findings do not specify particular PAN-OS version numbers affected by CVE-2026-0257. The vulnerability's exploitability is tied to the certificate management configuration rather than a specific software version range.

Detection

Detecting exploitation of CVE-2026-0257 can be challenging; standard network monitoring tools might not immediately identify the underlying cookie validation anomaly. Several indicators can point to potential or active compromise:

  • Unusual GlobalProtect VPN Connections: Monitor for successful GlobalProtect VPN connections from external IP addresses not typically associated with legitimate organizational users or established VPN client pools. This includes connections from known suspicious IP ranges or unexpected geographic locations.
  • Anomalous Authentication Attempts: Review authentication logs for the GlobalProtect portal and gateway for unusual login patterns. Look for a high volume of authentication probes or successful logins from IP addresses associated with known hosting providers or suspicious autonomous systems, such as Vultr or Dromatics Systems, which have been linked to observed exploitation.
  • VPN IP Assignment Without Credential-Based Authentication: Investigate any instances where a client or user account is assigned a GlobalProtect VPN IP address without a preceding successful credential-based authentication event. This indicates a potential bypass of the standard login process.
  • Irregular Cookie Structures/Token Exchanges: If deep packet inspection or advanced network traffic analysis capabilities are in place, look for anomalies in the structure or exchange of GlobalProtect authentication cookies that might indicate tampering or forgery. This would involve identifying tokens that bypass typical signature validation flows.
  • Certificate Usage Review: Review internal certificate management logs and configurations to identify instances where the primary portal certificate is being used for both public HTTPS services and GlobalProtect authentication token management. This specific configuration is a precondition for CVE-2026-0257 exploitation.
  • Related Cases: Authentication bypass flaws of this kind have also appeared in other vendors' edge devices, as discussed in our analysis of a Cisco SD-WAN flaw; detection approaches developed for those cases carry over here.
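The third indicator above (a VPN IP assignment with no preceding credential-based authentication) can be turned into a simple log correlation. The Go program below is an added example, not a PAN-OS feature or code from the original post; its key=value log layout and the event names auth-success and ip-assign are constructed for the illustration and do not reproduce the real GlobalProtect log schema.

```go
package main

import (
	"strings"
	"time"
)

// SampleLog is constructed for this example. It mimics, but is not, the PAN-OS
// GlobalProtect log schema: an RFC3339 timestamp followed by key=value fields.
var SampleLog = []string{
	"2026-05-21T07:00:00Z event=auth-success user=bob src=203.0.113.20",
	"2026-05-21T09:00:00Z event=auth-success user=alice src=198.51.100.7",
	"2026-05-21T09:00:02Z event=ip-assign user=alice src=198.51.100.7 vpnip=10.10.0.5",
	"2026-05-21T09:14:30Z event=ip-assign user=svc-backup src=203.0.113.9 vpnip=10.10.0.6",
	"2026-05-21T09:20:00Z event=ip-assign user=bob src=203.0.113.20 vpnip=10.10.0.7",
}

// parseLine returns the timestamp and key=value fields of one line; the bool is false
// when the timestamp does not parse. (The timestamp lands in kv as a harmless junk key.)
func parseLine(line string) (time.Time, map[string]string, bool) {
	kv := map[string]string{}
	for _, f := range strings.Fields(line) {
		k, v, _ := strings.Cut(f, "=")
		kv[k] = v
	}
	ts, err := time.Parse(time.RFC3339, strings.SplitN(line, " ", 2)[0])
	return ts, kv, err == nil
}

// UnauthenticatedAssignments returns the vpnip values handed out with no auth-success for
// the same user and source address within `window` beforehand. Lines must be chronological.
func UnauthenticatedAssignments(lines []string, window time.Duration) []string {
	lastAuth := map[string]time.Time{} // "user|src" -> time of the last auth-success
	var flagged []string
	for _, line := range lines {
		ts, kv, ok := parseLine(line)
		if !ok {
			continue
		}
		key := kv["user"] + "|" + kv["src"]
		switch kv["event"] {
		case "auth-success":
			lastAuth[key] = ts
		case "ip-assign":
			if t, seen := lastAuth[key]; !seen || ts.Sub(t) > window {
				flagged = append(flagged, kv["vpnip"])
			}
		}
	}
	return flagged
}
```

With a five-minute window the sample flags both the assignment that had no authentication at all (svc-backup) and the one whose only authentication is hours stale (bob); the window size is a tuning choice for the environment.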

Remediation

Immediate remediation is critical for organizations operating Palo Alto Networks PAN-OS with affected GlobalProtect configurations, given the active exploitation of CVE-2026-0257.

  • Patching: Upgrade Palo Alto Networks PAN-OS perimeter appliances to vendor-supplied patches urgently. Organizations should consult the official security advisory for CVE-2026-0257 provided by Palo Alto Networks for specific patch versions and deployment instructions. The vendor's advisory is available at security.paloaltonetworks.com/CVE-2026-0257.
  • Workarounds (if immediate patching is not possible):
      • Disable Authentication Override: As an emergency configuration adjustment, administrators can disable the authentication override feature within the GlobalProtect portal dashboard. This action will prevent the issuance and acceptance of authentication cookies, removing the vulnerability vector.
      • Unique Certificate for Cookie Management: Alternatively, engineers can generate and configure a unique, dedicated certificate exclusively for GlobalProtect cookie management. This new certificate must not be reused across other public-facing HTTPS services, breaking the precondition that allows attackers to obtain the public key for forging tokens.
  • Enhanced Monitoring: Implement continuous monitoring for unauthorized access attempts and post-exploitation activities, particularly focusing on GlobalProtect VPN gateways. This includes scrutinizing VPN connection logs, authentication failure/success events, and any unusual internal network activity from VPN-assigned IP addresses.

Technical Takeaways

  • CVE-2026-0257 is an actively exploited authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect.
  • The vulnerability is a cryptographic bypass, stemming from the implicit trust of decrypted authentication tokens without subsequent signature verification.
  • Successful exploitation relies on the misconfiguration of certificate management, specifically the reuse of the primary portal certificate across public-facing services and GlobalProtect cookie management.
  • Observed attacks have resulted in threat actors gaining full internal network access after successfully bypassing authentication.
  • Immediate patching, or applying a specific configuration workaround such as disabling authentication override or using a unique certificate for cookie management, is critical for reducing the threat.