Active Exploitation of PAN-OS GlobalProtect Authentication Bypass (CVE‑2026‑0257) Raises Urgent Alerts
#Vulnerabilities


Security Reporter
3 min read

Palo Alto Networks confirms that CVE‑2026‑0257, a medium‑severity authentication bypass in GlobalProtect, is being exploited in the wild. Rapid7 observed two attack waves that granted unauthorized VPN access to corporate networks. The advisory recommends immediate patching or temporary mitigations such as disabling the authentication‑override cookie or rotating the affected certificate.


Palo Alto Networks has confirmed active exploitation of CVE‑2026‑0257, a flaw that lets attackers bypass authentication on GlobalProtect portals and gateways. The vulnerability carries a CVSS 7.8 rating and affects PAN‑OS firewalls and Prisma Access instances that have the authentication‑override cookie enabled together with a particular certificate configuration.


What the vulnerability is

  • CVE‑2026‑0257 – an authentication‑bypass bug in the GlobalProtect portal and gateway code path. When the override cookie is present, the firewall trusts a crafted request and establishes a VPN tunnel without validating the user’s credentials.
  • Impact – an attacker can obtain a valid VPN session, receive an internal IP address, and move laterally inside the corporate network. The advisory notes that no post‑exploitation activity has been observed yet, but a VPN foothold is a high‑value entry point.
  • Affected versions – PAN‑OS 10.2.x‑10.3.x and Prisma Access releases that expose the GlobalProtect portal/gateway with the override feature enabled. The issue does not affect devices where the feature is disabled or where a different certificate is used.

Evidence of real‑world abuse

Rapid7’s threat‑intel team reported two distinct exploitation windows:

  1. First wave (May 17‑19, 2026) – limited attempts that triggered alerts on unpatched firewalls.
  2. Second wave (May 21‑23, 2026) – attackers successfully completed the cookie‑based bypass, received VPN IP assignments, and opened sessions to internal resources.

Both waves appear to originate from the same threat actor, likely a financially motivated group that scans for the specific certificate pattern before launching the attack. Rapid7’s analysis can be found in their public advisory here.


Expert perspective

"An authentication bypass in an edge‑facing VPN appliance is a direct path to the corporate network. Even a medium‑severity CVSS score can translate into a severe business impact when the attacker gains a trusted VPN tunnel," says Dr. Maya Patel, senior security researcher at Arctic Wolf Networks. "Organizations should treat this as a top‑priority patching case and verify that any temporary mitigations are correctly applied."


Immediate mitigation steps

  1. Apply the vendor patch – Palo Alto released PAN‑OS 10.2.12 and 10.3.9 on May 13, 2026. Upgrade all GlobalProtect appliances to the latest version as soon as possible.
  2. Disable the authentication‑override cookie – if you cannot patch immediately, go to Device > GlobalProtect > Portals/Gateways and turn off Authentication Override.
  3. Regenerate the certificate – create a new certificate that is not used for the override feature and associate it with the portal/gateway. This breaks the specific certificate condition the exploit relies on.
  4. Monitor for suspicious VPN logins – look for VPN sessions that originate from unknown source IPs, complete authentication in an unusually short time, or use the default GlobalProtect user‑agent string.
  5. Enforce MFA on VPN – enable multi‑factor authentication for all GlobalProtect users to add an extra barrier even if the bypass is successful.
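The three signals named in step 4 are straightforward to turn into a triage rule over exported VPN login records. The script below is an added example written for this article, not code from Palo Alto Networks or Rapid7. It assumes a simplified, constructed CSV format (auth start time, tunnel-up time, user, source IP, user agent); real PAN-OS GlobalProtect logs carry different fields, so `parse_record()` is the piece to adapt. The corporate source range, the two-second threshold and the "default" user-agent value are placeholders chosen for the example, since the advisory does not name the real default string.

```python
"""Triage VPN login records for the signals in mitigation step 4.

Added example, not from the advisory or from Palo Alto Networks. Log format,
network ranges, threshold and user-agent value are all assumptions.
"""
import csv
import ipaddress
from datetime import datetime
from io import StringIO

# Constructed sample records: ts_auth_start, ts_tunnel_up, user, src_ip, user_agent
SAMPLE_LOG = """\
2026-05-21T08:02:11Z,2026-05-21T08:02:19Z,alice,203.0.113.10,GlobalProtect/6.2 (Windows)
2026-05-21T08:03:44Z,2026-05-21T08:03:44Z,bob,198.51.100.77,PAN GlobalProtect
2026-05-21T08:05:02Z,2026-05-21T08:05:09Z,carol,203.0.113.22,GlobalProtect/6.2 (macOS)
2026-05-21T08:06:30Z,2026-05-21T08:06:31Z,dave,192.0.2.200,GlobalProtect/6.1 (Linux)
"""

# Assumed tunables: known corporate egress ranges, the minimum plausible time an
# interactive login takes, and a placeholder for the default agent string.
KNOWN_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
MIN_AUTH_SECONDS = 2
DEFAULT_AGENT_PLACEHOLDER = "PAN GlobalProtect"


def _parse_ts(value):
    # Accept the trailing "Z" on ISO 8601 timestamps on all Python 3 versions.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_record(row):
    """Map one CSV row of the assumed format onto a dict with an auth duration."""
    start, up = _parse_ts(row[0]), _parse_ts(row[1])
    return {
        "user": row[2],
        "src_ip": ipaddress.ip_address(row[3]),
        "agent": row[4],
        "auth_seconds": (up - start).total_seconds(),
    }


def flag_record(rec):
    """Return the list of step-4 signals that apply to a parsed record."""
    reasons = []
    if not any(rec["src_ip"] in net for net in KNOWN_SOURCE_NETS):
        reasons.append("unknown source IP")
    if rec["auth_seconds"] < MIN_AUTH_SECONDS:
        reasons.append("auth completed in %.0fs" % rec["auth_seconds"])
    if rec["agent"] == DEFAULT_AGENT_PLACEHOLDER:
        reasons.append("default user-agent")
    return reasons


def triage(log_text):
    """Return (user, source IP, reasons) for every record that trips a signal."""
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if not row:
            continue
        rec = parse_record(row)
        reasons = flag_record(rec)
        if reasons:
            findings.append((rec["user"], str(rec["src_ip"]), reasons))
    return findings


if __name__ == "__main__":
    for user, src, reasons in triage(SAMPLE_LOG):
        print(f"{user} from {src}: {', '.join(reasons)}")
```

A session that trips more than one signal (here the constructed "bob" record: unknown source, zero-second authentication and the placeholder default agent) is the pattern worth escalating first; a single signal on its own, such as a known user on a home connection, is usually benign and should be tuned against your own baseline rather than alerted on directly.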

Longer‑term hardening recommendations

  • Network segmentation – keep VPN‑connected hosts on a separate VLAN with strict firewall rules limiting access to critical assets.
  • Zero‑trust access – adopt a zero‑trust network access (ZTNA) model where each request is continuously evaluated, reducing reliance on a single VPN tunnel.
  • Regular certificate hygiene – rotate certificates every 90 days and maintain an inventory of which certificates are used for which features.
  • Threat‑intel integration – ingest Palo Alto’s threat‑feed indicators (CVE‑2026‑0257, related IPs, and hash signatures) into your SIEM to accelerate detection.

Where to get the patch and more information


Bottom line

CVE‑2026‑0257 may be rated medium, but the fact that a functional exploit is already in the wild makes it a critical operational risk. Organizations running GlobalProtect should patch immediately, apply the temporary mitigations if needed, and tighten overall VPN security posture to prevent a foothold from turning into a full breach.

