Palo Alto Networks CVE-2026-0257 Exploited in the Wild: GlobalProtect Patch and Mitigation Priority

By Ash K

A medium-rated VPN bug becomes a very different problem once attackers start using it against real environments.

That is where Palo Alto Networks CVE-2026-0257 now sits. The issue affects GlobalProtect portal and gateway configurations in PAN-OS and Prisma Access, and successful exploitation can allow a remote unauthenticated attacker to establish an unauthorized VPN connection. For defenders, the operational risk is simple: this is an edge-facing access-control failure on infrastructure that often sits directly between the internet and internal enterprise networks.

What Happened

Palo Alto Networks published its advisory for CVE-2026-0257 on May 13, 2026, and updated it on May 29, 2026 after becoming aware of limited exploit attempts against unpatched PAN-OS devices where mitigations had not been applied. The company now marks the issue with “HIGHEST” urgency and “ATTACKED” exploit maturity.

The vulnerability is an authentication bypass in the GlobalProtect portal and gateway. Palo Alto Networks says the issue can allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. Panorama and Cloud NGFW are not affected.

The weakness is tied to GlobalProtect configurations where authentication override cookies are enabled and a specific certificate configuration exists. In practical terms, defenders should not treat exposure as “all PAN-OS everywhere.” The priority is internet-facing GlobalProtect infrastructure using the vulnerable cookie configuration.

Why This Stands Out

The vendor’s CVSS v4 score is 7.8, but the field reality is sharper than the number suggests. NVD lists a CVSS v3.1 base score of 9.1, and CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026, with a June 1, 2026 due date for required action by covered federal agencies.

Rapid7 reported that its MDR team observed successful exploitation across numerous customer environments, with the earliest observed exploitation dated May 17, 2026. Rapid7 also said it did not observe successful lateral movement from the devices in those cases, but urged organizations to treat the issue as critical because it affects an edge-facing enterprise VPN appliance.

The attacker behavior reported by Rapid7 is also notable: analysts observed suspicious cookie-based authentication to a local admin account across multiple customer environments from the same hosting provider infrastructure. Rapid7 later validated the exploitation path with a successful proof of concept.

Affected Versions and Fixed Releases

Palo Alto Networks lists affected PAN-OS branches across 12.1, 11.2, 11.1, and 10.2, along with Prisma Access 11.2 and 10.2. Fixed releases include PAN-OS 12.1.4-h6 or 12.1.7 and later; 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12 and later; 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15 and later; and 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6 and later.

For Prisma Access, Palo Alto Networks lists 11.2.7-h13 and later, and 10.2.10-h36 and later, as fixed. The company says Prisma Access is being actively upgraded for customers according to shared upgrade schedules.
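The fixed-release list above is awkward to apply by hand across a fleet, because a hotfix entry such as 11.1.10-h25 only covers that base release while an "and later" entry covers the rest of the branch. The script below is an added example written for this article, not Palo Alto Networks tooling: it encodes the fixed releases exactly as quoted from the advisory and classifies a running PAN-OS or Prisma Access version as fixed, vulnerable, or on a branch the advisory does not list. The comparison rules (a "-hN" entry covers that base release at hotfix N or higher; an "and later" entry covers that release and every subsequent release on the same branch) are this example's interpretation of the usual PAN-OS fix semantics, and releases on a listed branch that fall between fixed entries (for example 12.1.5) are treated as unfixed.

```python
"""Classify a PAN-OS / Prisma Access version against the CVE-2026-0257 fixed releases.

Added example, not vendor tooling. The fixed-release entries are copied from the
advisory as quoted in the article; the comparison semantics are an assumption.
"""
import re
from dataclasses import dataclass

# Fixed releases per maintenance branch. A trailing "+" marks an "and later" entry;
# "-hN" marks a specific base release at hotfix N or higher.
FIXED_PANOS = {
    "12.1": ["12.1.4-h6", "12.1.7+"],
    "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12+"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15+"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6+"],
}
FIXED_PRISMA = {
    "11.2": ["11.2.7-h13+"],
    "10.2": ["10.2.10-h36+"],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?(\+)?$")


@dataclass(frozen=True)
class Release:
    branch: str        # "major.minor", e.g. "11.1"
    patch: int         # maintenance release number
    hotfix: int        # 0 when the version has no -hN suffix
    and_later: bool = False


def parse_release(text: str) -> Release:
    """Parse '11.1.10-h25' or a fixed-list entry such as '11.1.15+'."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix, plus = m.groups()
    return Release(f"{major}.{minor}", int(patch), int(hotfix or 0), plus == "+")


def covered_by(running: Release, fixed: Release) -> bool:
    """True when `running` is at or beyond the fix level described by `fixed`."""
    if running.branch != fixed.branch:
        return False
    if fixed.and_later:
        # Same release at the listed hotfix or higher, or any later release on the branch.
        return (running.patch, running.hotfix) >= (fixed.patch, fixed.hotfix)
    # A hotfix entry only covers that exact base release.
    return running.patch == fixed.patch and running.hotfix >= fixed.hotfix


def assess(version: str, product: str = "panos") -> str:
    """Return 'fixed', 'vulnerable', or 'branch-not-listed' for a running version."""
    table = FIXED_PANOS if product == "panos" else FIXED_PRISMA
    running = parse_release(version)
    if running.branch not in table:
        # The advisory as quoted lists only these branches; do not assume older ones are safe.
        return "branch-not-listed"
    if any(covered_by(running, parse_release(entry)) for entry in table[running.branch]):
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    # Constructed inventory, not real device data.
    inventory = [("fw-edge-01", "11.1.10-h24", "panos"), ("fw-edge-02", "11.1.10-h25", "panos"),
                 ("fw-dc-01", "12.1.5", "panos"), ("prisma-eu", "11.2.7-h13", "prisma")]
    for host, ver, product in inventory:
        print(f"{host:12} {ver:14} {assess(ver, product)}")
```

Versions that come back as "vulnerable" or "branch-not-listed" still need the configuration check below (Authentication Override cookies enabled) before being declared exposed, since the advisory ties exposure to that feature rather than to the version alone.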

Patch and Mitigation Priority

This should be handled as a patch-now issue for any organization running exposed GlobalProtect portal or gateway services with authentication override cookies enabled. The fastest safe path is to move to a fixed PAN-OS or Prisma Access release published by Palo Alto Networks.

Where immediate patching is blocked, Palo Alto Networks lists two mitigations. First, generate and use a dedicated certificate only for authentication override cookies, store it securely, and do not reuse the portal or gateway certificate for that purpose. Second, disable Authentication Override by unchecking the options used to generate and accept authentication override cookies in the GlobalProtect portal and gateway configuration.

Defenders should also expect a one-time user impact after upgrading. Palo Alto Networks says the fix regenerates authentication override cookies using a more secure method, meaning GlobalProtect users will need to re-authenticate after the PAN-OS upgrade even if they previously had a valid cookie.

What Defenders Should Check Now

Security teams should identify all GlobalProtect portals and gateways, confirm PAN-OS and Prisma Access versions, and determine whether Authentication Override cookies are enabled. On the portal side, Palo Alto Networks directs administrators to Network > GlobalProtect > Portals, then the Agent configuration and Authentication tab, where “Generate cookie for authentication override” or “Accept cookie for authentication override” may be enabled. On the gateway side, administrators should check Network > GlobalProtect > Gateways, then Client Settings and the Authentication Override tab for “Accept cookie for authentication override.”

Detection work should focus on unusual GlobalProtect cookie-authenticated logins, especially to local administrative accounts, successful VPN sessions that do not match normal user behavior, unfamiliar source infrastructure, and anomalous authentication patterns around and after May 17, 2026. Any unauthorized VPN connection should be treated as a potential foothold, even if lateral movement is not immediately visible.
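The detection priorities above translate into a small triage pass over GlobalProtect authentication events. The script below is an added example for this article, not Rapid7's or Palo Alto Networks' detection content. It reads a constructed, simplified CSV (receive_time, event, auth_method, user, public_ip, status) into which a real deployment would map the equivalent PAN-OS GlobalProtect log fields; the field values, the local administrator account names, the baseline egress network and the sample events are all constructed. It flags successful cookie-based authentications to local admin accounts, cookie authentications from source addresses outside the known baseline, and a single source address authenticating as several accounts, and marks each finding with whether it falls on or after the May 17, 2026 earliest-observed date.

```python
"""Triage GlobalProtect authentication events for suspicious cookie-based logins.

Added example, not vendor or Rapid7 detection logic. Log layout, account names,
networks and events are constructed for the example.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

EARLIEST_OBSERVED = datetime(2026, 5, 17)        # earliest exploitation date reported by Rapid7
LOCAL_ADMIN_ACCOUNTS = {"admin", "gp-admin"}     # constructed: local accounts on this firewall
BASELINE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed: normal user egress

# Constructed sample events in the simplified layout described in the lead-in.
SAMPLE_LOG = """receive_time,event,auth_method,user,public_ip,status
2026-05-15 08:02:11,gateway-auth,SAML,alice,203.0.113.17,success
2026-05-16 22:40:03,portal-auth,Cookie,alice,203.0.113.17,success
2026-05-18 03:14:52,gateway-auth,Cookie,admin,198.51.100.77,success
2026-05-18 03:15:09,gateway-auth,Cookie,gp-admin,198.51.100.77,success
2026-05-19 11:30:00,gateway-auth,LDAP,bob,203.0.113.42,success
2026-05-20 04:01:27,gateway-auth,Cookie,admin,198.51.100.78,failure
"""


@dataclass(frozen=True)
class Finding:
    time: datetime
    user: str
    source_ip: str
    reasons: tuple
    in_window: bool   # on/after the earliest observed exploitation date


def parse_events(text: str) -> list:
    """Parse the CSV into dicts with typed time and IP fields."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["receive_time"], "%Y-%m-%d %H:%M:%S")
        row["ip"] = ipaddress.ip_address(row["public_ip"])
        events.append(row)
    return events


def in_baseline(ip) -> bool:
    return any(ip in net for net in BASELINE_NETWORKS)


def triage(text: str) -> list:
    """Return one Finding per successful cookie-based login that trips a rule."""
    events = parse_events(text)
    cookie_ok = [e for e in events if e["auth_method"] == "Cookie" and e["status"] == "success"]

    # Which accounts each source address has authenticated as via cookie.
    users_by_ip = defaultdict(set)
    for e in cookie_ok:
        users_by_ip[e["ip"]].add(e["user"])

    findings = []
    for e in cookie_ok:
        reasons = []
        if e["user"] in LOCAL_ADMIN_ACCOUNTS:
            reasons.append("cookie_auth_to_local_admin")
        if not in_baseline(e["ip"]):
            reasons.append("cookie_auth_from_unfamiliar_source")
        if len(users_by_ip[e["ip"]]) > 1:
            reasons.append("one_source_many_accounts")
        if reasons:
            findings.append(Finding(e["time"], e["user"], str(e["ip"]),
                                    tuple(reasons), e["time"] >= EARLIEST_OBSERVED))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        flag = "IN-WINDOW" if f.in_window else "pre-window"
        print(f"{f.time:%Y-%m-%d %H:%M} {f.user:10} {f.source_ip:16} {flag:10} {', '.join(f.reasons)}")
```

Alice's cookie login from the baseline network on May 16 trips no rule and is left out, while the two admin-account logins from 198.51.100.77 are reported with all three reasons. Any such session should be handled as a potential foothold and followed up on the firewall itself, independent of whether lateral movement is visible elsewhere.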

Why This Matters

VPN authentication bypass bugs are dangerous because they collapse the first control defenders rely on at the network edge: deciding who gets inside. CVE-2026-0257 does not need to become a flashy remote code execution vulnerability to matter. Unauthorized VPN access is already enough to raise the incident-response stakes.

The important lesson is not only that a patch exists. It is that configuration-specific exposure can still become a live exploitation problem when the affected feature sits on an internet-facing access path. Asset owners who only sort remediation queues by headline severity may miss the real priority: reachable VPN infrastructure, unauthenticated attack path, observed exploitation, and a public KEV deadline.

NeuraCyb's Assessment

CVE-2026-0257 should move to the top of the firewall and VPN remediation queue. Patch first where possible, apply the cookie and certificate mitigations where patching needs a change window, and review GlobalProtect authentication logs for suspicious cookie-based sessions. The risk is not theoretical anymore; it is already showing up in the wild, and edge access bugs reward the fastest operators on either side.

References

Palo Alto Networks Security Advisory: CVE-2026-0257

NVD: CVE-2026-0257 Detail

Rapid7: Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability

CISA Known Exploited Vulnerabilities Catalog: CVE-2026-0257

CVE-2026-0257 is now an active exploitation issue, not just a routine PAN-OS advisory. The flaw can let an unauthenticated attacker establish an unauthorized GlobalProtect VPN connection when specific authentication override cookie settings are present. Palo Alto Networks rates the urgency as “HIGHEST,” CISA has added the bug to KEV with a June 1, 2026 remediation due date for federal agencies, and defenders should prioritize patching or disabling the risky cookie configuration immediately.
Ash K

Ashton is a seasoned cybersecurity professional with over 25 years of experience in cybersecurity research, incident response, and product and security solutions architecture.