Rapid7 confirms real‑world attacks exploiting CVE‑2026‑0257, a GlobalProtect authentication‑override flaw in PAN‑OS. The vulnerability now appears in CISA’s KEV catalog, forcing organizations to patch under GDPR, CCPA and other data‑protection regimes or risk regulatory penalties for unauthorized access to internal networks.
Palo Alto GlobalProtect Authentication Bypass Moves from Advisory to Active Exploitation

What happened
On 13 May 2026 Palo Alto Networks disclosed a vulnerability in its PAN‑OS firewall product (CVE‑2026‑0257). The flaw allowed attackers to forge authentication‑override cookies and bypass GlobalProtect VPN authentication. The flaw was initially rated medium severity; Palo Alto warned of “limited exploit attempts” but said no active abuse had been observed.
Rapid7’s research team published a follow‑up on 1 June 2026 showing that the bug had been exploited in the wild as early as 17 May. Using a proof‑of‑concept, the firm demonstrated that malicious actors could create valid‑looking cookies, gain VPN access, and establish sessions inside corporate networks without ever authenticating legitimately.
Legal basis
- GDPR Art. 32 obliges data controllers and processors to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A known, unpatched vulnerability that enables unauthorised network access is a clear breach of this requirement.
- CCPA § 1798.150 requires reasonable security procedures; failure to patch a critical VPN flaw can be deemed “unreasonable” and trigger statutory damages.
- The U.S. CISA Known Exploited Vulnerabilities (KEV) catalog now lists CVE‑2026‑0257, requiring federal agencies to remediate by 1 June 2026. Non‑compliance can lead to procurement penalties and heightened oversight.
Impact on users and companies
| Affected party | Consequence |
|---|---|
| Enterprises using GlobalProtect | Unauthorized VPN sessions give attackers footholds inside internal networks. Although Rapid7 did not see widespread lateral movement, the initial breach compromises confidentiality and may enable future ransomware or data exfiltration. |
| Managed Service Providers | If they host PAN‑OS firewalls for clients, a breach can expose multiple organisations, amplifying liability under both GDPR and CCPA. |
| Regulators | Can treat failure to patch within the CISA deadline as grounds for enforcement actions, fines of up to €20 million or 4 % of global turnover under GDPR, and up to $7 500 per consumer under CCPA. |
| Customers | Potential loss of personal data, breach notifications, and loss of trust. |
Why the risk is high
The vulnerability hinges on how PAN‑OS validates authentication‑override cookies. In deployments where the same TLS certificate protects both HTTPS services and the cookie‑signing process, an attacker who can extract the certificate’s private key (or exploit a weak key) can generate forged cookies that the firewall accepts as legitimate. This misconfiguration is common in organisations that reuse certificates to simplify management.
Regulatory implications
- Breach notification – Under GDPR Articles 33‑34, any unauthorised access to personal data must be reported to the supervisory authority within 72 hours. If the VPN breach leads to data exposure, organisations will need to launch a notification process, incurring legal and PR costs.
- Fines for non‑remediation – The GDPR’s “failure to implement appropriate security measures” clause can attract fines up to €10 million or 2 % of annual turnover, whichever is higher. CCPA adds statutory damages per consumer if negligence is proven.
- Contractual obligations – Many cloud‑service contracts incorporate security clauses referencing CVE remediation timelines. Missing the CISA deadline could constitute a breach of contract, exposing firms to indemnity claims.
What changes are required
- Immediate patching – Palo Alto has released updates for all supported PAN‑OS releases. Apply the patch within the next 24 hours for critical environments.
- Segregate certificates – Use distinct TLS certificates for management interfaces, user‑portal services, and authentication‑override cookie signing. This reduces the attack surface if a single key is compromised.
- Enable multi‑factor authentication (MFA) – Even if a cookie is forged, MFA on GlobalProtect can block the session.
- Monitor for anomalous VPN sessions – Deploy SIEM rules to flag VPN logins from unusual IP ranges, especially those lacking MFA tokens.
- Conduct a risk assessment – Re‑evaluate the security controls around remote‑access solutions under GDPR Art. 32 and CCPA security standards.
- Update incident‑response playbooks – Include specific steps for handling GlobalProtect authentication‑bypass incidents, from containment to breach‑notification timelines.
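As an added illustration of the monitoring step above (example code written for this article, not from Palo Alto or Rapid7), a small Python triage script that flags successful VPN logins from outside expected IP ranges or without MFA, and raises the severity when such a session was established through an authentication‑override cookie. The log format, field names and expected ranges are constructed assumptions, not real PAN‑OS syntax.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, simplified log lines (NOT real PAN-OS syntax): one login per line.
SAMPLE_LOGS = """\
ts=2026-05-18T02:11:04Z user=alice src=203.0.113.45 auth=cookie mfa=no result=success
ts=2026-05-18T08:30:12Z user=bob src=198.51.100.8 auth=password mfa=yes result=success
ts=2026-05-18T09:02:55Z user=carol src=192.0.2.77 auth=cookie mfa=yes result=success
ts=2026-05-18T12:15:40Z user=erin src=198.51.100.23 auth=password mfa=no result=success
ts=2026-05-18T23:47:31Z user=dave src=203.0.113.200 auth=cookie mfa=no result=failure
""".splitlines()

# Assumed allow-list of ranges this organisation expects VPN logins from.
EXPECTED_RANGES = [ipaddress.ip_network("198.51.100.0/24"),
                   ipaddress.ip_network("192.0.2.0/24")]

COOKIE_REASON = "session established via authentication-override cookie"


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    severity: str
    reasons: tuple


def parse_line(line):
    """Split 'key=value key=value' into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def in_expected_ranges(src):
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in EXPECTED_RANGES)


def analyse(lines):
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec.get("result") != "success":
            continue  # a failed login gives no foothold; only successes matter here
        reasons = []
        if not in_expected_ranges(rec["src"]):
            reasons.append("source outside expected ranges")
        if rec.get("mfa") != "yes":
            reasons.append("no MFA token")
        if rec.get("auth") == "cookie":
            reasons.append(COOKIE_REASON)
        # A cookie session on its own is normal; it only adds weight to another anomaly.
        if not [r for r in reasons if r != COOKIE_REASON]:
            continue
        severity = "high" if len(reasons) == 3 else "medium"
        findings.append(Finding(rec["ts"], rec["user"], rec["src"], severity, tuple(reasons)))
    return findings
```

Feed the real exporter's fields into `parse_line` and adjust `EXPECTED_RANGES` to your own address plan; the high-severity pattern (cookie session, no MFA, unexpected source) is the one to route straight to the incident-response playbook.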
Broader context
This exploitation follows a pattern of rapid‑fire attacks on Palo Alto firewalls. In May 2026, a separate zero‑day (CVE‑2026‑0300) targeting the User‑ID Authentication Portal was weaponised by state‑backed actors before a patch was widely deployed. The back‑to‑back incidents underscore the need for continuous vulnerability management and defence‑in‑depth for perimeter security devices.
Bottom line
The GlobalProtect authentication bypass has moved from a theoretical advisory to a proven, active threat. Organizations that rely on Palo Alto firewalls must treat the patch as a regulatory imperative, not just a technical recommendation. Failure to remediate not only leaves networks exposed but also opens the door to substantial GDPR and CCPA penalties, as well as potential enforcement actions from CISA. Prompt patching, certificate hygiene, and strengthened MFA are the quickest ways to close the gap and stay on the right side of data‑protection law.