Full Report
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the
Analysis Summary
# Vulnerability: PAN-OS GlobalProtect Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-0257
- **CVSS Score:** 7.8 (*Note: the article describes the flaw as "medium-severity", while a 7.8 base score falls in the High range*)
- **CWE:** Not specified (Authentication Bypass)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS; Prisma Access
- **Versions:** Not explicitly listed by version number in the text, but affects unpatched PAN-OS devices.
- **Configurations:**
  - Firewalls with **GlobalProtect portal or gateway** configured.
  - **Authentication override cookies** must be enabled.
  - Specific certificate configurations must exist.
## Vulnerability Description
This is an authentication bypass vulnerability in the GlobalProtect portal and gateway components. The flaw stems from the way authentication override cookies and specific certificates are processed. Exploitation allows a remote attacker to bypass internal security restrictions and establish an unauthorized VPN connection to the target network.
## Exploitation
- **Status:** Exploited in the wild (Limited exploit attempts observed starting May 17, 2026).
- **Complexity:** Not explicitly stated, though successful exploitation has been observed across numerous customers.
- **Attack Vector:** Network (External edge-facing VPN appliance).
## Impact
- **Confidentiality:** High (Grants unauthorized access to internal network resources).
- **Integrity:** High (Allows establishment of VPN sessions and potential lateral movement).
- **Availability:** Low (Primary impact is focused on unauthorized access).
## Remediation
### Patches
- Palo Alto Networks has released vendor-supplied patches; organizations are urged to upgrade to the latest secure version of PAN-OS immediately.
### Workarounds
- **Disable Authentication Override:** Disable the authentication override feature within GlobalProtect settings.
- **Certificate Rotation:** Generate a new, unique certificate to be used exclusively for the authentication override feature to isolate it from other services.
## Detection
- **Indicators of Compromise:** Observe for VPN IP assignment following cookie authentication without a corresponding valid login event.
- **Detection Methods and Tools:** Monitor GlobalProtect logs for suspicious authentication override cookie usage. Rapid7 reported two waves of activity (May 17 and May 21, 2026) associated with a single threat actor.
## References
- **Vendor Advisory:** hxxps://security.paloaltonetworks.com/CVE-2026-0257
- **Rapid7 Research:** hxxps://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
- **Source Article:** hxxps://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html