Palo Alto GlobalProtect CVE-2026-0257 (CVSS 7.8) Auth Bypass

Palo Alto Networks has warned about CVE-2026-0257, an authentication bypass vulnerability in its PAN-OS and Prisma Access software that affects specific GlobalProtect configurations. The vulnerability carries a CVSS score of 7.8 (rated High by NVD and Medium by Palo Alto Networks) and allows an unauthenticated attacker to establish a VPN connection, bypassing the authentication that normally gates remote access. The flaw affects GlobalProtect portal and gateway deployments that use authentication override cookies together with a specific certificate configuration.

Security research firms confirm that CVE-2026-0257 is being actively exploited. Attacks target unpatched devices on which the mitigations have not been applied. Initial exploitation attempts occurred on May 17, 2026, followed by a second wave on May 21, 2026; the same threat actor carried out both.

Successful exploitation gives an attacker an unauthorized VPN session into the victim's internal network, which is a significant risk for affected organizations. No follow-on activity inside compromised customer environments had been reported at the time of the observations, but nothing prevents further compromise once the session exists. Organizations should review their configurations and apply the vendor patches, or implement the recommended temporary mitigations, immediately.

What is CVE-2026-0257 and its technical nature?

CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software and Prisma Access. The flaw, scored CVSS 7.8, lets a client skip the checks that are supposed to authenticate a user before network access is granted. It is reachable only under specific preconditions: a GlobalProtect portal or gateway is configured, authentication override cookies are enabled, and a particular certificate configuration is in place.

An attacker who exploits CVE-2026-0257 bypasses the normal authentication process for GlobalProtect VPN connections, establishes an unauthorized VPN session, and gains a foothold inside the organization's network perimeter. The flaw is a logic error in how authentication override cookies and the associated certificate configuration are handled, and it lets an unauthenticated adversary obtain a VPN session without valid credentials; the published details do not describe the mechanism further. Whatever severity label is applied to the base score, active exploitation of an edge-facing VPN appliance makes the practical criticality high.

Impact

The impact of CVE-2026-0257 is substantial because it is an authentication bypass on an edge-facing enterprise VPN appliance. An attacker who exploits it obtains an unauthorized VPN connection into the victim organization's internal network, sidestepping the primary security control for remote access. Immediate risks include unauthorized data access, network reconnaissance, and lateral movement within the compromised environment.

Organizations running PAN-OS or Prisma Access with a GlobalProtect portal or gateway configured under the vulnerable conditions are at risk. How much of the network an attacker can reach after the bypass depends on the access granted to the VPN zone and on internal segmentation. Initial observations of exploitation reported no immediate follow-on activity inside internal networks, but an unauthorized VPN session is the first step toward deploying malware, exfiltrating sensitive data, or disrupting services.

Exploitation Chain

Exploitation of CVE-2026-0257 begins with an adversary targeting Palo Alto Networks PAN-OS or Prisma Access deployments that use the GlobalProtect portal or gateway. Successful exploitation requires specific preconditions in the targeted environment:

  • The GlobalProtect portal or gateway must be configured and running.
  • Authentication override cookies must be enabled.
  • A specific, unstated certificate configuration must be active.

When these conditions are met, the attacker bypasses the standard authentication mechanisms, which means no legitimate credentials are presented and multi-factor authentication, where configured, is never satisfied. A successful bypass results directly in an unauthorized VPN connection. Rapid7's observations of in-the-wild exploitation showed "VPN IP assignment following the cookie authentication," after which the attacker could reach the internal network.

No public Proof-of-Concept (PoC) code was mentioned at the time of writing, but confirmed active exploitation shows that at least one threat actor has a working method. The observed attacks on May 17, 2026, and in a second wave on May 21, 2026, make the threat concrete. Our earlier posts on CVE-2026-0257 in Palo Alto GlobalProtect provide additional context and technical detail.

How is CVE-2026-0257 being exploited?

CVE-2026-0257 is confirmed to be under active exploitation. Palo Alto Networks initially reported "limited exploit attempts" against unpatched PAN-OS devices that lacked the mitigations. Rapid7 corroborated this, identifying successful exploitation in multiple customer environments.

The earliest confirmed exploitation attempts occurred on May 17, 2026, and a second, distinct wave followed on May 21, 2026. The same threat actor carried out both, which points to a persistent, targeted campaign. Rapid7 observed attackers passing the cookie-based authentication check without legitimate credentials, after which the gateway assigned them VPN IP addresses; the attacker then held an unauthorized VPN session with access to the victim's internal network. No immediate follow-on activity inside compromised networks was observed, but a foothold inside the network is a critical breach in its own right. Unpatched systems remain exposed, so organizations should address CVE-2026-0257 promptly.

Which products and configurations are affected by CVE-2026-0257?

CVE-2026-0257 affects Palo Alto Networks products that use GlobalProtect VPN functionality in specific configurations; it is not a broad vulnerability in every PAN-OS or Prisma Access installation. Exploitability depends on how the GlobalProtect portal or gateway is configured.

Affected product lines and the conditions making them vulnerable are:

  • Palo Alto Networks PAN-OS® software:
      • Affected when a GlobalProtect portal is configured.
      • Affected when a GlobalProtect gateway is configured.
      • Vulnerable only when authentication override cookies are enabled on that portal or gateway.
      • Also requires a specific, undescribed certificate configuration alongside the enabled authentication override cookies.
  • Palo Alto Networks Prisma Access:
      • Affected under the same conditions as PAN-OS: a GlobalProtect portal or gateway, enabled authentication override cookies, and the specific certificate configuration.

Administrators must review their GlobalProtect configurations to determine whether a deployment meets all of these criteria, since the vulnerability is exploitable only when every condition holds. The research summarized here does not list affected PAN-OS versions; consult the vendor advisory for the version ranges, and treat the configuration itself, rather than the release train, as the primary indicator of exposure.

Detection

Detecting CVE-2026-0257 exploitation primarily involves monitoring for anomalous VPN connections and reviewing authentication logs for bypass activity. Since the exploit allows unauthorized VPN IP assignment and internal network access, security teams should focus on these areas.

Detection guidance:

  • VPN Connection Logs Review:
      • Monitor GlobalProtect gateway and portal logs for successful VPN connections from unusual or unauthorized source IP addresses.
      • Look for VPN sessions established without the expected authentication sequence, such as the absence of a multi-factor authentication (MFA) step where MFA is normally enforced.
      • Identify VPN sessions whose authentication relied solely on the override cookie with no preceding credential validation for that user and device, especially where this differs from the normal login flow.
      • Examine logs from May 17, 2026, May 21, 2026, and later dates, the periods in which active exploitation was observed.
  • Authentication Override Cookie Monitoring:
      • Audit the authentication override cookie settings on GlobalProtect portals and gateways for unauthorized changes or unusual activity.
      • Monitor for events showing the creation, modification, or suspicious use of these cookies.
  • Certificate Configuration Auditing:
      • Regularly audit the certificates used by GlobalProtect, especially the one assigned to the authentication override feature. Anomalies could indicate preparation for, or actual, exploitation.
  • Network Activity Monitoring:
      • After a VPN connection is established, monitor internal traffic from newly assigned VPN IP addresses for unusual patterns, such as:
          • Access to sensitive systems or data that the VPN user would not normally touch.
          • Attempts at lateral movement or internal network reconnaissance.
          • Unexpected bandwidth usage or connection patterns.
  • EDR/Endpoint Telemetry:
      • The initial exploit is network-based, but any follow-on activity after the VPN connection would likely generate endpoint telemetry. Monitor endpoints for:
          • New process executions from VPN user sessions outside the baseline.
          • Unusual file access or creation.
          • Suspicious network connections initiated by VPN-authenticated users.

Robust logging and centralized security information and event management (SIEM) solutions are critical for collecting and analyzing data to detect CVE-2026-0257 exploitation.
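The correlation described in the VPN log review bullets can be automated. The following Python script is an added example written for this article, not code from Palo Alto Networks or Rapid7. It runs over a few constructed log records in an assumed, simplified column layout (timestamp, event, user, host, source IP, authentication method, assigned VPN IP) rather than the real PAN-OS GlobalProtect log schema, and the 24-hour cookie lifetime is likewise an assumption. It flags cookie-based gateway authentications that no recent credential-based portal login from the same user, device and source address explains, and attaches the VPN IP the gateway then assigned so the resulting internal traffic can be hunted.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample records. The column layout is an assumption made for this
# example, not the real PAN-OS GlobalProtect log schema; map your own export
# onto these fields (timestamp, event, user, host, source IP, auth method,
# assigned VPN IP) before running it on production data.
SAMPLE_LOG = """\
2026-05-17 08:00:00,portal-auth,alice,ALICE-LT,198.51.100.10,LDAP,-
2026-05-17 08:00:05,gateway-auth,alice,ALICE-LT,198.51.100.10,cookie,-
2026-05-17 08:00:06,gateway-config-release,alice,ALICE-LT,198.51.100.10,-,10.20.0.5
2026-05-17 13:42:10,gateway-auth,bob,BOB-PC,203.0.113.77,cookie,-
2026-05-17 13:42:11,gateway-config-release,bob,BOB-PC,203.0.113.77,-,10.20.0.9
2026-05-20 18:00:00,portal-auth,alice,ALICE-LT,198.51.100.10,LDAP,-
2026-05-21 02:15:00,gateway-auth,alice,ALICE-LT,203.0.113.77,cookie,-
2026-05-21 02:15:01,gateway-config-release,alice,ALICE-LT,203.0.113.77,-,10.20.0.12
"""

FIELDS = ["ts", "event", "user", "host", "src_ip", "auth_method", "assigned_ip"]
CREDENTIAL_METHODS = {"LDAP", "RADIUS", "SAML", "Kerberos"}
COOKIE_LIFETIME = timedelta(hours=24)  # assumption: the configured override-cookie lifetime


def parse_log(text):
    """Parse the constructed CSV layout into dicts with a datetime timestamp."""
    records = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%d %H:%M:%S")
        records.append(row)
    return records


def find_suspicious_cookie_sessions(records, cookie_lifetime=COOKIE_LIFETIME):
    """Flag cookie-based gateway logins that no recent credential login explains.

    A legitimate override cookie is issued after a credential login from the
    same user and device, so a cookie login with no such login, one older than
    the cookie lifetime, or one arriving from a different source address is
    worth triage. Each finding carries the VPN IP assigned afterwards, if any.
    """
    last_credential_auth = {}  # (user, host) -> (timestamp, src_ip)
    pending = {}               # (user, host) -> finding awaiting an assigned IP
    findings = []
    for r in sorted(records, key=lambda x: x["ts"]):
        key = (r["user"], r["host"])
        if r["event"] == "portal-auth" and r["auth_method"] in CREDENTIAL_METHODS:
            last_credential_auth[key] = (r["ts"], r["src_ip"])
        elif r["event"] == "gateway-auth" and r["auth_method"] == "cookie":
            prior = last_credential_auth.get(key)
            if prior is None:
                reason = "no-prior-credential-auth"
            elif r["ts"] - prior[0] > cookie_lifetime:
                reason = "credential-auth-older-than-cookie-lifetime"
            elif prior[1] != r["src_ip"]:
                reason = "source-ip-differs-from-credential-auth"
            else:
                reason = None
            if reason:
                finding = {"ts": r["ts"], "user": r["user"], "host": r["host"],
                           "src_ip": r["src_ip"], "reason": reason, "assigned_ip": None}
                findings.append(finding)
                pending[key] = finding
            else:
                pending.pop(key, None)  # a clean login supersedes an older flagged one
        elif r["event"] == "gateway-config-release" and key in pending:
            # The IP handed out here is the one to hunt for in internal traffic.
            pending.pop(key)["assigned_ip"] = r["assigned_ip"]
    return findings


if __name__ == "__main__":
    for f in find_suspicious_cookie_sessions(parse_log(SAMPLE_LOG)):
        print(f"{f['ts']} {f['user']}@{f['host']} from {f['src_ip']}: "
              f"{f['reason']} (VPN IP {f['assigned_ip']})")
```

A changed source address on its own is weak evidence, since roaming users move between networks, so treat that reason as a triage signal and the missing credential login as the strong one. Nothing here identifies the vulnerability itself; it surfaces sessions that were granted on a cookie alone, which is exactly the pattern the observed exploitation produced.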

Remediation

Addressing CVE-2026-0257 requires immediate action. Prioritize patching, and if immediate patching is not possible, implement temporary mitigations. The main remediation strategy is to apply vendor-supplied patches that resolve the authentication bypass vulnerability.

Specific remediation steps:

  • Patch Application:
      • Upgrade PAN-OS to the patched versions provided by the vendor. Consult the official Palo Alto Networks security advisory for CVE-2026-0257 for the exact fixed version in your release train.
      • For Prisma Access, Palo Alto Networks typically applies the fix to the cloud service; verify the status through your Prisma Access dashboard or support channels rather than assuming it.
  • Temporary Mitigations (if immediate patching is not possible):
      • Disable the Authentication Override Feature: The most direct temporary mitigation is to disable authentication override entirely on the GlobalProtect portal and gateway configurations, which removes one of the required preconditions. Disabling it may affect user workflows that rely on the cookie, such as reconnecting without re-entering credentials, so understand its operational use before making the change.
      • Generate a New Exclusive Certificate: If authentication override cannot be disabled, generate a new certificate and configure it for use by the authentication override feature only. This is the vendor's alternative mitigation; it replaces the certificate configuration on which the vulnerable combination depends, even though the advisory does not describe that configuration in detail.
  • Configuration Review and Hardening:
      • Review every GlobalProtect portal and gateway configuration to ensure authentication override cookies are enabled only where genuinely needed.
      • Evaluate any certificate configuration that interacts with authentication and consider hardening or reconfiguring it.
  • Monitoring:
      • Keep monitoring VPN access logs and network activity as described in the detection section. This matters even after patching or mitigating, both to confirm the change took effect and to catch residual or new suspicious activity.
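The configuration review called for in the affected-products section and in the remediation steps above can be scripted. The following Python audit is an added example for this article, not a Palo Alto Networks tool. The XML element names it looks for (authentication-override, generate-cookie, accept-cookie, cookie-encrypt-decrypt-cert, ssl-tls-service-profile, certificate) are assumptions modelled on the feature names, not a verified PAN-OS schema, and both configuration excerpts are constructed. It reports every enabled authentication override block and whether its cookie certificate is referenced anywhere else in the configuration, which is the property the "exclusive certificate" mitigation requires; the second excerpt shows the same deployment after that mitigation.

```python
import xml.etree.ElementTree as ET

# Constructed configuration excerpt. Element names are assumptions modelled on
# the feature names used in the advisory, not a verified PAN-OS schema; check
# them against your own exported configuration before relying on the paths.
WEAK_CONFIG = """\
<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="gp-tls-profile"><certificate>gp-portal-cert</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <global-protect>
    <global-protect-portal>
      <entry name="gp-portal">
        <portal-config><ssl-tls-service-profile>gp-tls-profile</ssl-tls-service-profile></portal-config>
        <client-config><configs>
          <entry name="corp-agent">
            <authentication-override>
              <generate-cookie>yes</generate-cookie>
              <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
              <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
            </authentication-override>
          </entry>
        </configs></client-config>
      </entry>
    </global-protect-portal>
    <global-protect-gateway>
      <entry name="gp-gateway">
        <remote-user-tunnel-configs>
          <entry name="corp-tunnel">
            <authentication-override>
              <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
              <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
            </authentication-override>
          </entry>
        </remote-user-tunnel-configs>
      </entry>
    </global-protect-gateway>
  </global-protect>
</config>
"""

# The same deployment after the "exclusive certificate" mitigation: the cookie
# is now encrypted with a certificate that nothing else in the config references.
MITIGATED_CONFIG = WEAK_CONFIG.replace(
    "<cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>",
    "<cookie-encrypt-decrypt-cert>gp-cookie-only-cert</cookie-encrypt-decrypt-cert>")


def _path(elem, parent_map):
    """Readable path of an element, including entry names, for the report."""
    parts = []
    while elem is not None:
        name = elem.get("name")
        parts.append(f"{elem.tag}[{name}]" if name else elem.tag)
        elem = parent_map.get(elem)
    return "/".join(reversed(parts))


def audit_auth_override(config_xml):
    """List enabled authentication-override blocks and non-exclusive cookie certs.

    A block counts as enabled when it generates or accepts cookies. A cookie
    certificate is non-exclusive when any element outside the override blocks
    names it (the portal and gateway blocks are expected to share it).
    """
    root = ET.fromstring(config_xml)
    parent_map = {child: parent for parent in root.iter() for child in parent}
    overrides = list(root.iter("authentication-override"))
    inside_override = {e for ao in overrides for e in ao.iter()}

    enabled = []
    for ao in overrides:
        generates = (ao.findtext("generate-cookie") or "").strip() == "yes"
        accepts = ao.find("accept-cookie") is not None
        if generates or accepts:
            enabled.append({
                "path": _path(ao, parent_map),
                "generates": generates,
                "accepts": accepts,
                "cert": (ao.findtext("cookie-encrypt-decrypt-cert") or "").strip(),
            })

    shared = {}
    for cert in sorted({e["cert"] for e in enabled if e["cert"]}):
        refs = [_path(e, parent_map) for e in root.iter()
                if e not in inside_override and (e.text or "").strip() == cert]
        if refs:
            shared[cert] = refs
    return {"enabled": enabled, "shared_certs": shared}


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("mitigated", MITIGATED_CONFIG)):
        report = audit_auth_override(cfg)
        print(f"{label}: {len(report['enabled'])} authentication-override block(s) enabled")
        for cert, refs in report["shared_certs"].items():
            print(f"  cookie cert {cert!r} is also referenced at: {refs}")
```

An empty "enabled" list means the first mitigation (feature disabled) is in place; a non-empty list with an empty "shared_certs" map means the second one is. Anything else is a deployment that still needs one of the two, or the patch.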

Organizations should treat CVE-2026-0257 with high urgency due to active exploitation and the critical nature of VPN authentication bypass.

Technical Takeaways

  • CVE-2026-0257 is an authentication bypass in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect components, with a CVSS score of 7.8.
  • The vulnerability is actively exploited, with attacks observed from May 17, 2026, onward and attributed to a single threat actor.
  • Exploitation allows attackers to establish unauthorized VPN connections and access internal networks without valid credentials.
  • The flaw impacts GlobalProtect portal/gateway when authentication override cookies are enabled and a particular certificate configuration exists.
  • Primary remediation is applying vendor-supplied patches; temporary mitigations include disabling authentication override or using an exclusive certificate for this feature.