Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass Vulnerability | Active Exploitation

A critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway in Palo Alto Networks PAN-OS allows attackers to bypass security restrictions and establish unauthorized VPN connections. The vulnerability stems from insufficient validation and integrity checking of authentication override cookies. Successful exploitation grants network access normally reserved for authenticated remote users. Palo Alto Networks has confirmed limited exploitation attempts against unpatched systems, and the vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog.

Technical Details

CVE-2026-0257 affects PAN-OS firewalls configured with GlobalProtect portal and/or gateway functionality when authentication override cookies are enabled and specific certificate configurations are present.

An unauthenticated attacker can abuse weaknesses in how authentication override cookies are validated to establish an unauthorized VPN session without possessing valid user credentials. Once connected, the attacker gains the same network access normally available to authenticated remote users, creating significant downstream confidentiality and integrity risk. Panorama and Cloud NGFW are not affected.

Palo Alto Networks updated its advisory on May 29, 2026, to disclose observed exploitation attempts against unpatched devices. Rapid7 subsequently reported successful exploitation activity dating back to May 17, 2026. The vulnerability is now included in the CISA KEV catalog and remote code execution depending on cluster configuration.

Stop Guessing, Start Proving

NodeZero® Proactive Security Platform — Rapid Response

A NodeZero Rapid Response test has been developed to safely validate whether this authentication bypass can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.

• Run the Rapid Response test: Launch from the NodeZero platform to determine whether unauthorized VPN access is possible.
• Patch immediately: Upgrade to a fixed PAN-OS release for your branch or implement Palo Alto’s recommended mitigations.
• Re-run the test: Confirm the vulnerability is no longer exploitable after remediation.

Affected versions & patch

Affected

The vulnerability affects PAN-OS GlobalProtect deployments running vulnerable releases in the following branches:

• PAN-OS 10.2
• PAN-OS 11.1
• PAN-OS 11.2
• PAN-OS 12.1
• Prisma Access 10.2 and 11.2 deployments using affected releases

Fixed Versions

PAN-OS 10.2

• 10.2.7-h34
• 10.2.10-h36
• 10.2.13-h21
• 10.2.16-h7
• 10.2.18-h6

PAN-OS 11.1

• 11.1.4-h33
• 11.1.6-h32
• 11.1.7-h6
• 11.1.10-h25
• 11.1.13-h5
• 11.1.15

PAN-OS 11.2

• 11.2.4-h17
• 11.2.7-h14
• 11.2.10-h7
• 11.2.12

PAN-OS 12.1

• 12.1.4-h6
• 12.1.7

Prisma Access

• 10.2.10-h36
• 11.2.7-h13

If immediate patching is not possible, Palo Alto Networks recommends:

• Generating a dedicated certificate used exclusively for authentication override cookies.
• Disabling Authentication Override in GlobalProtect portal and gateway configurations.

Timeline

• May 13, 2026 – Palo Alto Networks published its security advisory for CVE-2026-0257.
• May 17, 2026 – Earliest publicly reported exploitation activity observed against vulnerable PAN-OS GlobalProtect deployments.
• May 29, 2026 – Palo Alto Networks updated its advisory and confirmed limited exploitation attempts against unpatched devices.
• May 29, 2026 – CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities (KEV) Catalog.
• June 1, 2026 – Public reporting highlighted ongoing exploitation activity targeting exposed GlobalProtect instances.

References

• Palo Alto Networks Security Advisory – CVE-2026-0257
• CISA Known Exploited Vulnerabilities Catalog Entry
• BleepingComputer Coverage
• The Hacker News Coverage