Full Report
The escalated threat posed by the defect showcases how quickly a seemingly mild vulnerability can turn into an urgent warning. The post Attackers are exploiting Palo Alto Networks defect that initially flew under the radar appeared first on CyberScoop.
Analysis Summary
# Vulnerability: Authentication Bypass in PAN-OS GlobalProtect
## CVE Details
- **CVE ID:** CVE-2026-0257
- **CVSS Score:** Initially rated Medium; reassessed as Critical. The numeric score is not given in the source text; the Critical rating is the vendor's and CISA's.
- **CWE:** Not stated in the source. The weakness class is authentication bypass: the gateway accepts a client-supplied token as proof of identity without a credential check.
## Affected Systems
- **Products:** Palo Alto Networks Firewalls (PAN-OS)
- **Versions:** Not listed in the article. Any PAN-OS release running the configuration below should be treated as affected until checked against the vendor advisory.
- **Configurations:** Firewalls running a **GlobalProtect portal or gateway** with **authentication override cookies** enabled, where the certificate configured to encrypt and decrypt those cookies is also used by another feature (for example as the portal or gateway TLS certificate), so that its public key is exposed to clients.
## Vulnerability Description
An authentication bypass exists in the GlobalProtect portal and gateway of PAN-OS. GlobalProtect can issue an authentication override cookie so that a returning client is admitted without re-authenticating; the cookie is protected with a certificate configured for that purpose. When that certificate is the same one the appliance presents as its TLS server certificate, its public key is handed to every client in the TLS handshake. An attacker who obtains the public key that way can produce a cookie the gateway accepts as valid and submit it in a single request, with no credentials at all.
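The mechanism above, reduced to a runnable illustration. This is an added example written for this summary, not PAN-OS code: the cookie format, the textbook RSA with small fixed primes, and every function name are invented for illustration, and no padding scheme or real key size is used. It shows the general failure of which the reported bug is one instance: a token encrypted under the public half of a key pair can be minted by anyone who holds that public half, and a TLS certificate hands the public half to every client. The hardened version binds the cookie to a secret that never leaves the gateway (an HMAC), so the TLS certificate reveals nothing useful to a forger.

```python
"""Why a cookie encrypted under a TLS certificate's public key can be forged.

Constructed illustration for this summary, not PAN-OS code. Textbook RSA with
tiny fixed primes is used only so the example runs on the standard library.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional, Tuple

# Fixed Mersenne primes keep the example deterministic; 92-bit modulus, toy size only.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held only by the gateway

BLOCK = 8                          # 64-bit blocks stay below the 92-bit modulus
TLS_PUBLIC_KEY = (N, E)            # what every client receives in the TLS handshake


def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def rsa_encrypt(pub: Tuple[int, int], payload: bytes) -> List[int]:
    """Encrypt block-wise under the public key; anyone holding (n, e) can do this."""
    n, e = pub
    padded = _pad(payload)
    return [pow(int.from_bytes(padded[i:i + BLOCK], "big"), e, n)
            for i in range(0, len(padded), BLOCK)]


def rsa_decrypt(priv: Tuple[int, int], cookie: List[int]) -> bytes:
    """Decrypt with the private key; the only step the gateway alone can perform."""
    n, d = priv
    out = b"".join(pow(c, d, n).to_bytes(BLOCK, "big") for c in cookie)
    return _unpad(out)


def _username(payload: str) -> Optional[str]:
    key, _, value = payload.partition("=")
    return value if key == "user" and value else None


# --- Vulnerable design: the cookie is RSA-encrypted under the certificate's key pair.

def gateway_issue_cookie_vulnerable(username: str) -> List[int]:
    return rsa_encrypt((N, E), f"user={username}".encode())


def gateway_validate_cookie_vulnerable(cookie: List[int]) -> Optional[str]:
    """Decrypts and trusts the contents: decryptability is mistaken for authenticity."""
    try:
        return _username(rsa_decrypt((N, D), cookie).decode())
    except (ValueError, OverflowError, UnicodeDecodeError):
        return None


def attacker_forge_cookie(public_key_from_tls: Tuple[int, int], username: str) -> List[int]:
    """The attacker never sees the private key; the public key from TLS is enough."""
    return rsa_encrypt(public_key_from_tls, f"user={username}".encode())


# --- Hardened design: authenticate the cookie with a secret that never leaves the gateway.

SERVER_SECRET = secrets.token_bytes(32)


def gateway_issue_cookie_hardened(username: str, secret: bytes = SERVER_SECRET) -> str:
    payload = f"user={username}"
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{tag}"


def gateway_validate_cookie_hardened(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[str]:
    payload, _, tag = cookie.rpartition("|")
    expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return _username(payload)


if __name__ == "__main__":
    forged = attacker_forge_cookie(TLS_PUBLIC_KEY, "admin")
    print("vulnerable gateway admits forged cookie as:",
          gateway_validate_cookie_vulnerable(forged))          # admin
    guess = gateway_issue_cookie_hardened("admin", secret=b"attacker-guess")
    print("hardened gateway admits attacker cookie as:",
          gateway_validate_cookie_hardened(guess))             # None
```

The point of the hardened half is that a public key is meant to be public: a design that only stays secure while the public key stays hidden is relying on obscurity, and using a dedicated certificate merely narrows who can find it. Authenticity of a server-issued token comes from a secret only the server holds (a MAC, or authenticated encryption under a symmetric key), which is what the hardened functions do.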
## Exploitation
- **Status:** Exploited in the wild (Confirmed by Rapid7 and CISA)
- **Complexity:** Low (Described as a "single HTTP request")
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Allows establishment of VPN connections/bypass of security restrictions)
- **Integrity:** High
- **Availability:** High
## Remediation
### Patches
- Palo Alto Networks has released patches for affected PAN-OS versions. Users are urged to apply them immediately via the [Palo Alto Networks Security Advisories](https[:]//security[.]paloaltonetworks[.]com/CVE-2026-0257) page.
### Workarounds
- For devices that cannot be patched yet, apply the vendor's mitigation steps. Given the precondition above, the two candidate measures are disabling authentication override cookies and using a dedicated certificate for cookie encryption that no other feature serves (in particular, not the portal or gateway TLS certificate); confirm the exact steps against the advisory.
## Detection
- **Indicators of Compromise:** GlobalProtect portal or gateway sessions admitted on an authentication override cookie that no prior interactive login by that user from that source can account for, and VPN connections from unexpected users, source addresses or times.
- **Detection Methods and Tools:** Review GlobalProtect portal and gateway logs for such sessions and for requests to the portal or gateway from unfamiliar sources. Rapid7 and Palo Alto Networks are monitoring for exploitation attempts. Independently of log review, audit the configuration for the enabling condition: authentication override enabled with a cookie certificate that another feature also serves.
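A configuration audit for the enabling condition named in the Affected Systems and Detection sections, as an added example for this summary rather than vendor tooling. It parses a running-configuration XML export and reports every GlobalProtect portal or gateway whose authentication override cookie certificate is also served through an SSL/TLS service profile. The embedded sample config is constructed, and the element names (`authentication-override`, `generate-cookie`, `accept-cookie`, `cookie-encrypt-decrypt-cert`, `ssl-tls-service-profile`, `certificate`) are assumed to match the usual export layout; check them against your own export before relying on the result. The walk matches tag names anywhere in the tree rather than absolute paths, so differences in nesting between portal, gateway and vsys layouts do not break it.

```python
"""Audit a PAN-OS config export for GlobalProtect cookie certificates that are
also served as TLS certificates. Constructed example for this summary, not
vendor tooling; element names are assumed and must be checked against a real export.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

# Constructed sample: the portal reuses its TLS certificate for cookies (bad),
# the gateway uses a dedicated certificate that nothing else serves (good).
SAMPLE_CONFIG = """<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="gp-tls"><certificate>gp-portal-cert</certificate></entry>
      <entry name="gw-tls"><certificate>gw-cert</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="GP-Portal">
          <portal-config>
            <ssl-tls-service-profile>gp-tls</ssl-tls-service-profile>
          </portal-config>
          <client-config><configs><entry name="default">
            <authentication-override>
              <generate-cookie>yes</generate-cookie>
              <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
              <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
            </authentication-override>
          </entry></configs></client-config>
        </entry>
      </global-protect-portal>
      <global-protect-gateway>
        <entry name="GP-Gateway">
          <ssl-tls-service-profile>gw-tls</ssl-tls-service-profile>
          <remote-user-tunnel-configs><entry name="default">
            <authentication-override>
              <generate-cookie>yes</generate-cookie>
              <cookie-encrypt-decrypt-cert>cookie-only-cert</cookie-encrypt-decrypt-cert>
            </authentication-override>
          </entry></remote-user-tunnel-configs>
        </entry>
      </global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""

GP_SECTIONS = ("global-protect-portal", "global-protect-gateway")


def tls_profile_certs(root: ET.Element) -> Dict[str, str]:
    """Map each SSL/TLS service profile name to the certificate it serves."""
    certs: Dict[str, str] = {}
    for container in root.iter("ssl-tls-service-profile"):
        for entry in container.findall("entry"):  # profile definitions, not references
            cert = (entry.findtext("certificate") or "").strip()
            if entry.get("name") and cert:
                certs[entry.get("name")] = cert
    return certs


def served_certs(root: ET.Element, profile_certs: Dict[str, str]) -> Set[str]:
    """Certificates whose public key a portal or gateway hands to every TLS client."""
    served: Set[str] = set()
    for section in GP_SECTIONS:
        for container in root.iter(section):
            for ref in container.iter("ssl-tls-service-profile"):
                name = (ref.text or "").strip()
                if name in profile_certs:
                    served.add(profile_certs[name])
    return served


def find_cookie_cert_reuse(xml_text: str) -> List[dict]:
    """One finding per portal/gateway whose override cookie cert is also served over TLS."""
    root = ET.fromstring(xml_text)
    served = served_certs(root, tls_profile_certs(root))
    findings: List[dict] = []
    for section in GP_SECTIONS:
        for container in root.iter(section):
            for obj in container.findall("entry"):
                for override in obj.iter("authentication-override"):
                    # Cookies matter if the object either mints them or accepts them.
                    enabled = (override.findtext("generate-cookie") == "yes"
                               or override.find("accept-cookie") is not None)
                    cert = (override.findtext("cookie-encrypt-decrypt-cert") or "").strip()
                    if enabled and cert and cert in served:
                        findings.append({"object": obj.get("name"),
                                         "section": section, "cookie_cert": cert})
    return findings


if __name__ == "__main__":
    for f in find_cookie_cert_reuse(SAMPLE_CONFIG):
        print(f"{f['section']} '{f['object']}': cookie cert '{f['cookie_cert']}' "
              "is also served over TLS")
```

Run against the sample, the script reports the portal and stays silent on the gateway. Swapping the portal's cookie certificate for one that no TLS profile references empties the finding list, which is the configuration state the vendor's certificate-uniqueness mitigation aims at; it is a precondition check, not proof that the device is unexploitable, so it complements rather than replaces patching.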
## References
- Palo Alto Networks Security Advisory: https[:]//security[.]paloaltonetworks[.]com/CVE-2026-0257
- CISA Known Exploited Vulnerabilities Catalog: https[:]//www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog
- Rapid7 Research: https[:]//www[.]rapid7[.]com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/