Palo Alto Networks confirmed on May 29 that CVE-2026-0257, an authentication bypass in the GlobalProtect portal and gateway, is being exploited in the wild. The flaw lets an unauthenticated attacker bypass authentication and stand up a VPN session straight into your internal network. If you run GlobalProtect with authentication override cookies and haven’t patched, this is now a live incident, not a theoretical one. CISA added it to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of June 1, 2026.
What’s Vulnerable
CVE-2026-0257 (CVSS 7.8) affects PAN-OS firewalls and Prisma Access deployments where the GlobalProtect portal or gateway is configured. It is a conditional vulnerability, not a default-config blanket exposure. Two things have to be true:
- Authentication override cookies are enabled on the GlobalProtect portal or gateway, and
- The certificate used to encrypt and decrypt those override cookies is shared with another feature — for example, the HTTPS service of the same portal or gateway.
When those conditions line up, the cookie-encryption trust boundary collapses and an attacker can forge or replay an authentication override cookie to satisfy the gateway’s auth check without valid credentials.
Fixed releases:
- PAN-OS 12.1.7 (and 12.1.4-h6)
- PAN-OS 11.2.12
- PAN-OS 11.1.15
- PAN-OS 10.2.18-h6
Prisma Access is patched on the Palo Alto side, but on-prem firewalls are your responsibility.
Technical Details
Authentication override is a GlobalProtect feature that issues an encrypted cookie so a user who has already passed authentication doesn’t have to re-authenticate on every portal/gateway transition. The cookie is encrypted and decrypted with a configured certificate. The bug is that when that same certificate is reused for another service — most commonly the portal/gateway HTTPS listener — the keying material protecting the override cookie is no longer secret to the cookie subsystem alone. That gives an attacker the leverage needed to produce a cookie the gateway will accept, bypassing the front-door authentication entirely and establishing an unauthorized VPN connection.
The practical result is not a crash or an info leak — it’s a working tunnel. In Rapid7’s second observed wave, exploitation led to VPN IP assignment following cookie authentication in two cases, granting the attacker access to the internal network.
Exploitation Timeline
Palo Alto published the original advisory on May 13, 2026, then updated it on May 29 to acknowledge “limited exploit attempts on unpatched PAN-OS devices without mitigations applied.”
Rapid7 independently reported successful exploitation across numerous customers. The earliest activity dates to May 17, 2026, with a second wave on May 21. Both waves are attributed to the same threat actor. Notably, Rapid7 observed no follow-on activity in the environments where a VPN session was established, which is consistent with access brokering or pre-positioning rather than immediate hands-on-keyboard intrusion. That should not be reassuring. An idle foothold inside the perimeter is a foothold being saved for later or sold.
Impact Assessment
An auth bypass on an edge-facing enterprise VPN appliance is about as bad as initial-access bugs get. GlobalProtect sits at the network boundary and, by design, the thing on the other side of it is your internal network. There is no lateral-movement chain to build here — successful exploitation is the lateral movement. Internet-exposed firewalls with the vulnerable certificate-sharing configuration should be treated as presumptively reachable by the active threat actor.
What To Do Right Now
- Patch to a fixed PAN-OS release (12.1.7, 11.2.12, 11.1.15, or 10.2.18-h6) on an urgent basis. This is the only complete fix.
- If you can’t patch immediately, apply one of the two mitigations from Palo Alto:
  - Disable authentication override: uncheck the “Generate cookie for authentication override” and “Accept cookie for authentication override” options in the GlobalProtect portal and gateway configuration, or
  - Generate a new certificate used exclusively for the authentication override feature, so it is no longer shared with the HTTPS service or any other function.
- Hunt for unauthorized VPN sessions. Review GlobalProtect gateway logs for VPN IP assignments tied to clients or accounts that shouldn’t have them, and for cookie-authenticated sessions from unfamiliar source IPs since May 17, 2026.
- Confirm whether your federal or contractual obligations put you under the June 1 CISA KEV deadline.
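The two checks above, the exposure condition (override cookies enabled and the cookie certificate shared with another feature) and the hunt for cookie-authenticated sessions that received a VPN IP from an unfamiliar source after May 17, as an added example that is not Palo Alto's or Rapid7's code. The log layout, field names (`event_id`, `auth_method`, `public_ip`, `private_ip`) and the per-account baseline of known source IPs are constructed assumptions; a real PAN-OS export has more columns and version-specific names, so adapt the parser before running it on production logs.

```python
import csv
import io
from datetime import datetime

# Constructed sample of GlobalProtect gateway log records (not real PAN-OS output;
# real exports carry more columns and version-specific field names).
SAMPLE_GP_LOG = """\
time,event_id,auth_method,source_user,public_ip,private_ip,status
2026/05/16 08:02:11,gateway-auth,LDAP,alice,203.0.113.10,10.20.0.5,success
2026/05/18 02:14:37,gateway-auth,Cookie,alice,198.51.100.77,10.20.0.9,success
2026/05/18 02:14:40,gateway-config-release,Cookie,alice,198.51.100.77,10.20.0.9,success
2026/05/19 09:30:02,gateway-auth,Cookie,bob,203.0.113.44,10.20.0.12,success
2026/05/20 23:58:15,gateway-auth,Cookie,svc-backup,192.0.2.200,10.20.0.30,success
2026/05/21 00:01:09,gateway-auth,Cookie,carol,192.0.2.201,,failure
"""

FIRST_OBSERVED = datetime(2026, 5, 17)  # earliest exploitation activity reported by Rapid7

# Constructed baseline: source IPs each account used before the exploitation window.
KNOWN_SOURCES = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.44"}}

def hunt_cookie_sessions(log_text: str, known_sources: dict) -> list:
    """Return (time, user, public_ip, private_ip) for successful cookie-authenticated
    gateway logins after FIRST_OBSERVED that got a VPN IP from an unfamiliar source."""
    flagged = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["time"], "%Y/%m/%d %H:%M:%S")
        if when < FIRST_OBSERVED or row["event_id"] != "gateway-auth":
            continue
        if row["auth_method"] != "Cookie" or row["status"] != "success":
            continue
        if not row["private_ip"]:
            continue  # no tunnel IP assigned, so nothing reached the internal network
        if row["public_ip"] in known_sources.get(row["source_user"], set()):
            continue  # same source this account used before the exploitation window
        flagged.append((row["time"], row["source_user"], row["public_ip"], row["private_ip"]))
    return flagged

def is_exposed(gp_cfg: dict) -> bool:
    """True when both advisory conditions hold: an override-cookie option is enabled and
    the cookie certificate is also used by another feature (e.g. the HTTPS service).
    The dict keys are assumed names for this example, not PAN-OS configuration paths."""
    override_on = gp_cfg["generate_cookie"] or gp_cfg["accept_cookie"]
    shared = gp_cfg["cookie_cert"] in gp_cfg["other_feature_certs"]
    return override_on and shared
```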