PAN-OS GlobalProtect CVE-2026-0257 exploitation
Summary
CVE-2026-0257 is an authentication-bypass vulnerability in the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS. Palo Alto Networks says it has observed limited exploit attempts against unpatched devices without mitigations, and CISA added the flaw to the Known Exploited Vulnerabilities catalog on 2026-05-29.
The durable threat-intelligence point is remote-access boundary risk: an exposed GlobalProtect portal or gateway becomes an unauthorized network entry path when authentication-override cookies are enabled together with the vulnerable certificate configuration.
Tags
- ops
- operations
- PAN-OS
- GlobalProtect
- Palo Alto Networks
- CVE-2026-0257
- active exploitation
- VPN
- authentication bypass
- edge appliance
- incident response
Why this matters
- GlobalProtect portals and gateways are internet-facing remote-access infrastructure for many enterprises.
- The vulnerable path is pre-authentication, network-reachable, low-complexity, and does not require user interaction.
- Successful exploitation can establish an unauthorized VPN connection, shifting the problem from perimeter exposure to internal-network access and identity/session review.
- CISA's 2026-05-29 KEV entry sets a 2026-06-01 remediation due date for covered federal agencies, indicating operational urgency even though public reporting reviewed here does not yet name a specific actor or malware payload.
Operational characteristics
- Affected component: PAN-OS GlobalProtect portal and gateway; Panorama and Cloud NGFW are not impacted according to Palo Alto Networks.
- Required exposure condition: GlobalProtect portal or gateway configured with authentication-override cookies enabled, plus the vulnerable certificate configuration described by the vendor.
- Exploit primitive: bypass security restrictions and establish an unauthorized VPN connection.
- Observed exploitation: Palo Alto Networks updated the advisory on 2026-05-29 and says it is aware of limited exploit attempts on unpatched PAN-OS devices without mitigations.
- Affected versions: multiple PAN-OS 10.2, 11.1, 11.2, and 12.1 trains below the fixed hotfix / maintenance versions listed in the vendor advisory; Prisma Access 10.2 and 11.2 customers are being upgraded on the vendor schedule.
Defender heuristics
- Prioritize internet-exposed GlobalProtect portals and gateways, especially appliances where authentication-override cookies are enabled.
- Upgrade to the fixed PAN-OS maintenance or hotfix releases listed by Palo Alto Networks; expect GlobalProtect users to re-authenticate after upgrade because the fix regenerates authentication-override cookies using a more secure method.
- If immediate upgrade is blocked, use a dedicated certificate exclusively for authentication-override cookies or disable authentication override on GlobalProtect portals and gateways.
- Preserve and review GlobalProtect, VPN, authentication, configuration-change, and management-plane logs around the exposure window before cleanup.
- Hunt for unusual successful VPN sessions, unexpected source geographies / ASNs, impossible travel, new internal discovery from VPN address pools, and access that does not line up with normal user MFA / device posture.
- Treat confirmed exploit evidence as unauthorized remote access: rotate credentials and session material for affected identities, review internal access from VPN-assigned addresses, and check for follow-on persistence on reachable systems.
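The hunting heuristics above (unexpected source ASNs, impossible travel between successive sessions) as a small triage script. This is an added example, not code from Palo Alto Networks or CISA; the record layout, the sample sessions, the baseline ASN set and the 1000 km/h travel threshold are all constructed assumptions, not the PAN-OS log schema.

```python
# Added example: triage constructed GlobalProtect-style session records for
# the hunting leads named above. Field layout is an assumption, not PAN-OS's.
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

# Constructed sample: (user, login time UTC, source ASN, source lat, source lon)
SAMPLE_SESSIONS = [
    ("alice", "2026-05-29T08:00:00", "AS64500", 51.50, -0.12),
    ("alice", "2026-05-29T08:40:00", "AS64511", 40.71, -74.01),  # new ASN, too far too fast
    ("bob",   "2026-05-29T09:10:00", "AS64500", 51.50, -0.12),
    ("bob",   "2026-05-29T17:30:00", "AS64500", 51.51, -0.13),
]
# ASNs seen for this user base before the exposure window (constructed baseline)
BASELINE_ASNS = {"AS64500"}
# Plausible ground/air speed; a faster implied move is flagged as impossible travel
MAX_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two WGS84 points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def triage(sessions, baseline_asns, max_kmh=MAX_KMH):
    """Return (user, timestamp, reason) findings worth analyst review."""
    findings = []
    last_seen = {}  # user -> (datetime, lat, lon) of the previous session
    for user, ts, asn, lat, lon in sorted(sessions, key=lambda r: r[1]):
        t = datetime.fromisoformat(ts)
        if asn not in baseline_asns:
            findings.append((user, ts, f"source ASN {asn} not in baseline"))
        if user in last_seen:
            prev_t, prev_lat, prev_lon = last_seen[user]
            hours = (t - prev_t).total_seconds() / 3600.0
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            if hours > 0 and dist / hours > max_kmh:
                findings.append((user, ts, f"impossible travel: {dist:.0f} km in {hours:.1f} h"))
        last_seen[user] = (t, lat, lon)
    return findings


if __name__ == "__main__":
    for user, ts, reason in triage(SAMPLE_SESSIONS, BASELINE_ASNS):
        print(f"{ts} {user}: {reason}")
```

Feed it the relevant session fields exported from the portal/gateway logs for the exposure window, and treat every finding as a lead for the identity and session review described above, not as confirmation of compromise.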
Related pages
- FortiClient EMS CVE-2026-35616 EKZ Infostealer campaign
- ConnectWise ScreenConnect exploitation wave
- LiteSpeed cPanel CVE-2026-48172 exploitation
Sources
- Palo Alto Networks advisory: https://security.paloaltonetworks.com/CVE-2026-0257
- CISA KEV: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- CISA KEV catalog page: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-0257