Palo Alto Networks has updated its advisory for CVE-2026-0257, a PAN-OS GlobalProtect authentication bypass flaw, after limited exploit attempts were observed against unpatched devices. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a June 1 remediation date for covered federal systems. The practical risk is direct: a vulnerable GlobalProtect portal or gateway can let an attacker establish an unauthorized VPN connection if the exposed configuration matches the advisory conditions.
This is not just another patch notice. GlobalProtect sits at the edge of many networks, so a bypassed VPN login can become the starting point for internal reconnaissance, credential theft, lateral movement, or abuse of trusted access. Admins should treat exposed portals and gateways as incident-review targets, not only as devices to update.
Who is affected
The Palo Alto advisory says the issue affects PAN-OS firewalls with a GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists. Panorama and Cloud NGFW are not impacted. Prisma Access customers are being upgraded according to the vendor’s schedule.
| Area to check | Why it matters | Immediate action |
|---|---|---|
| GlobalProtect portal | Authentication override cookie generation or acceptance can be part of the vulnerable path. | Review the Agent authentication settings and disable override cookies if they are not needed. |
| GlobalProtect gateway | A gateway accepting override cookies may allow unauthorized VPN establishment under the affected configuration. | Patch to the fixed PAN-OS branch and review authentication override settings. |
| Certificate reuse | The advisory’s mitigation calls out dedicated certificates for override cookies. | Use a separate securely stored certificate or disable the feature. |
| VPN logs and sessions | Exploitation can look like an authenticated VPN session, not a normal failed login storm. | Review unusual source IPs, session timing, user mapping, and post-login activity. |
Fixed versions and mitigations
Palo Alto lists fixed PAN-OS releases across the 12.1, 11.2, 11.1, and 10.2 branches. The shortest safe rule is to move to the fixed release for your branch or a later supported release named in the vendor advisory. Unsupported PAN-OS versions should be upgraded to a supported fixed version.
If you cannot patch immediately, reduce exposure by disabling Authentication Override on the GlobalProtect portal and gateway, or by generating a new certificate used only for authentication override cookies. Do not reuse the portal or gateway certificate for that purpose. After patching, expect GlobalProtect users to re-authenticate because the fix regenerates authentication override cookies with a more secure method.
What to check after patching
- Inventory all internet-facing GlobalProtect portals and gateways, including standby or branch devices that may be forgotten.
- Confirm the PAN-OS branch and hotfix level against Palo Alto’s fixed-version table.
- Check whether authentication override cookies are generated or accepted on the portal and gateway.
- Review recent VPN sessions for unusual countries, hosting providers, impossible travel, short-lived sessions, or accounts that rarely use VPN.
- Look at what happened after VPN access: admin logins, new remote-management traffic, file-share access, suspicious PowerShell, scheduled tasks, or endpoint alerts.
- Reset or revoke sessions for suspicious accounts, rotate credentials where access is uncertain, and scan affected endpoints with a trusted security tool such as Gridinsoft Anti-Malware when workstation activity looks abnormal.
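
The session review in the checklist above can be scripted against an exported session list. The following is an added example, not code from Palo Alto Networks or from this article's author; the CSV column names, thresholds, review-window start, and sample rows are all constructed assumptions to be mapped onto your own log export.

```python
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample export. Column names are hypothetical, not a PAN-OS format.
SAMPLE = """user,src_ip,login,logout
alice,198.51.100.10,2026-05-04T08:00:00,2026-05-04T17:00:00
alice,198.51.100.10,2026-05-05T08:05:00,2026-05-05T16:50:00
bob,198.51.100.20,2026-05-04T09:00:00,2026-05-04T18:00:00
bob,198.51.100.20,2026-05-07T09:10:00,2026-05-07T17:30:00
alice,198.51.100.10,2026-05-20T08:01:00,2026-05-20T17:02:00
bob,203.0.113.77,2026-05-21T03:10:00,2026-05-21T03:11:10
svc-backup,203.0.113.77,2026-05-22T02:00:00,2026-05-22T04:30:00
"""

REVIEW_START = datetime(2026, 5, 13)  # assumed window start; widen as needed
SHORT_SESSION_SECONDS = 120           # assumed threshold for "short-lived"
RARE_USER_MAX_SESSIONS = 1            # baseline count at or below this is "rare"


def load(text):
    """Parse the CSV and return rows sorted by login time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["login"] = datetime.fromisoformat(row["login"])
        row["logout"] = datetime.fromisoformat(row["logout"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["login"])


def triage(rows, review_start=REVIEW_START):
    """Compare sessions in the review window with each user's earlier baseline."""
    seen_count, seen_ips, findings = Counter(), defaultdict(set), []
    for r in rows:
        if r["login"] < review_start:
            seen_count[r["user"]] += 1
            seen_ips[r["user"]].add(r["src_ip"])
            continue
        reasons = []
        if (r["logout"] - r["login"]).total_seconds() < SHORT_SESSION_SECONDS:
            reasons.append("short-lived")
        if seen_count[r["user"]] <= RARE_USER_MAX_SESSIONS:
            reasons.append("rare-vpn-user")
        if r["src_ip"] not in seen_ips[r["user"]]:
            reasons.append("new-source-ip")
        if reasons:
            findings.append((r["user"], r["src_ip"], reasons))
    return findings


if __name__ == "__main__":
    for user, ip, reasons in triage(load(SAMPLE)):
        print(f"{user:12} {ip:15} {', '.join(reasons)}")
```

Flagged rows are leads for the post-login review in the next checklist item, not proof of compromise; a source IP shared by several flagged accounts is a natural place to start.
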
For context, Gridinsoft recently covered another exploited Palo Alto Networks issue, PAN-OS CVE-2026-0300 root RCE. CVE-2026-0257 is a different bug, but the operational lesson is similar: edge security appliances need fast patching plus log review because successful exploitation may not leave the same signals as commodity malware.
FAQ
Is CVE-2026-0257 already exploited?
Yes. Palo Alto Networks marks exploit maturity as attacked and says it is aware of limited exploit attempts against unpatched PAN-OS devices without mitigations. CISA added the CVE to KEV on May 29, 2026.
Does this affect every PAN-OS firewall?
No. The exposed path requires GlobalProtect portal or gateway configuration, authentication override cookies, and the certificate condition described by Palo Alto. Still, any internet-facing GlobalProtect deployment should be checked immediately.
Is disabling Authentication Override enough?
It is a mitigation when patching cannot happen immediately, but it should not replace upgrading to a fixed PAN-OS release. After mitigation, review VPN sessions and authentication logs for signs of prior abuse.
Should home users do anything?
Most home users are not running PAN-OS GlobalProtect gateways. The user-facing action is to report unusual VPN prompts or account activity to the organization that manages the VPN and to avoid approving unexpected access requests.
References
- Palo Alto Networks. “CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities.” Palo Alto Networks Security Advisories, published May 13, 2026; updated May 29, 2026; accessed May 30, 2026. https://security.paloaltonetworks.com/CVE-2026-0257
- Cybersecurity and Infrastructure Security Agency. “Known Exploited Vulnerabilities Catalog.” CISA, catalog version 2026.05.29; accessed May 30, 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog

