Palo Alto GlobalProtect CVE-2026-0257 Exploited Now
A GlobalProtect auth-bypass flaw in PAN-OS has been under active attack since mid-May. Here is who is affected and the fastest way to lock it down.

Palo Alto Networks has confirmed that attackers are actively exploiting CVE-2026-0257, an authentication-bypass weakness in the GlobalProtect VPN component of PAN-OS. Rapid7 traced the earliest exploitation to May 17, 2026, with a second wave on May 21, and CISA has since added the flaw to its Known Exploited Vulnerabilities catalog with a federal mitigation deadline of June 1. If you run a Palo Alto firewall with a GlobalProtect portal or gateway facing the internet, this is an urgent one.
Quick answer
CVE-2026-0257 (CVSS 7.8) lets a remote attacker forge a valid GlobalProtect session cookie and connect to your VPN with no username, password, or MFA. It only bites when authentication override cookies are enabled and the same TLS certificate is reused for both your public HTTPS service and the override feature. Patch PAN-OS to a fixed release now; if you cannot patch immediately, disable authentication override or issue a dedicated certificate just for it. Then hunt your logs for VPN sessions with no matching login.
Key takeaways
- CVE-2026-0257 is an authentication-bypass flaw (CVSS 7.8) that lets a remote attacker forge a valid GlobalProtect session and establish an unauthorized VPN connection.
- The bug only bites when authentication override cookies are enabled and the same TLS certificate is reused for both HTTPS services and the override cookie feature.
- Exploitation has been observed in the wild since mid-May 2026, and a public proof-of-concept exists, so unpatched devices are being scanned and hit at scale.
- The fix is to upgrade PAN-OS to a fixed release, or as a stopgap, disable authentication override or issue a dedicated certificate for it.
- VPN gateways are a prime initial-access target; treat any internet-facing security appliance as a top patching priority.
What the flaw actually does
GlobalProtect supports an "authentication override" cookie so users do not have to re-authenticate to both the portal and the gateway. The cookie is signed with a certificate. The problem: if an administrator reuses the same certificate for the firewall's public HTTPS interface and for signing override cookies, an attacker can grab the certificate's public key during a normal HTTPS session, then forge an override cookie the device will accept as legitimate.
The result is a clean authentication bypass. No valid username, no password, no MFA prompt. The attacker simply presents a forged cookie and the gateway trusts it, granting an authenticated VPN foothold inside the network.
Are you affected?
You are potentially exposed if all of the following are true:
- You run an affected PAN-OS version on a firewall configured as a GlobalProtect portal or gateway.
- The authentication override feature is enabled.
- The certificate used for override cookies is shared with another HTTPS-facing service on the same device.
Note
If your GlobalProtect portal or gateway is reachable from the public internet, assume you are being probed. Check now rather than waiting for a maintenance window.
How to fix it
- Identify your PAN-OS version. Log in to the firewall and note the running release. Cross-check it against the official Palo Alto advisory for CVE-2026-0257 to confirm whether it is vulnerable.
- Apply the fixed PAN-OS release. Patching is the only complete remediation. Schedule the upgrade immediately for any internet-facing device, even if it means an out-of-band maintenance window.
- If you cannot patch right away, mitigate. Either disable the authentication override feature, or generate a new certificate used exclusively for the override cookie feature so the public key is never exposed via HTTPS.
- Hunt for compromise. Review GlobalProtect logs for sessions that lack a corresponding successful authentication event, unexpected source IP addresses, and connections from regions you do not operate in.
- Rotate and revoke. After patching, rotate the affected certificate and any credentials that may have been exposed through an unauthorized VPN session.
Here are your options ranked by how completely they close the hole, so you can pick based on what you can do tonight:
| Action | Closes the flaw? | Downtime | When to use it |
|---|---|---|---|
| Upgrade PAN-OS to a fixed release | Yes, fully | Maintenance window | Always, this is the real fix |
| Disable authentication override | Yes, while disabled | Re-auth prompts for users | Cannot patch immediately |
| Dedicated certificate for override cookie | Yes, removes the exposure path | Minimal | Cannot patch and need override on |
| Rely on MFA alone | No | None | Not sufficient, the cookie is forged |
Why VPN appliances keep getting hit
Internet-facing VPNs and firewalls sit at the perimeter, hold privileged network position, and are often patched slowly because they are "always on." That combination makes them the single most attractive target for both ransomware crews and state-aligned actors. The same logic that drove mass exploitation of other edge devices applies here. If you want to understand the broader pattern, our breakdowns of the Fortinet FortiCloud SSO auth bypass and the SonicWall SSLVPN mass exploitation by Akira show the same edge-device playbook in action.
The defensive lesson is consistent: minimize the attack surface, patch perimeter gear first, and pair every VPN with phishing-resistant MFA so a single bypassed control does not equal full access.
What to do tonight
If you run an internet-facing GlobalProtect portal or gateway, do not wait for the next maintenance window:
- Note your running PAN-OS version and check it against the official CVE-2026-0257 advisory.
- Determine whether authentication override is enabled and whether its certificate is shared with your public HTTPS interface. If both are true, you are vulnerable.
- Upgrade to a fixed PAN-OS release. This is the only complete fix.
- If you genuinely cannot patch tonight, disable authentication override or issue a dedicated certificate for it as a stopgap.
- Pull GlobalProtect logs and look for sessions with no matching successful authentication, unfamiliar source IPs, and connections from regions you do not operate in.
- After patching, rotate the affected certificate and any credentials a forged session could have reached.
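The log-hunting step above (and the matching "Hunt for compromise" step under "How to fix it") boils down to one correlation: a genuine VPN session is preceded by a successful authentication for the same user, while a session established with a forged override cookie is not. The following added example is not from the original article or from Palo Alto; it runs that correlation over a constructed, simplified GlobalProtect-style CSV export (the column names are assumptions, not the exact PAN-OS field layout) and also flags connections from regions outside an assumed list of where the organisation operates.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified GlobalProtect-style log (NOT the exact PAN-OS field layout).
SAMPLE_LOG = """\
time,event,status,user,public_ip,region
2026-05-18T08:01:10,gateway-auth,success,alice,203.0.113.10,DE
2026-05-18T08:01:12,gateway-connected,success,alice,203.0.113.10,DE
2026-05-18T08:05:44,gateway-connected,success,bob,198.51.100.7,DE
2026-05-18T09:12:02,gateway-auth,failure,carol,192.0.2.9,US
2026-05-18T09:12:05,gateway-connected,success,carol,192.0.2.9,US
2026-05-18T10:30:00,gateway-auth,success,dave,203.0.113.55,DE
2026-05-18T10:30:03,gateway-connected,success,dave,203.0.113.55,DE
"""

# Assumed: the regions this (hypothetical) organisation actually operates in.
EXPECTED_REGIONS = {"DE"}


def find_suspicious_sessions(log_text, expected_regions=EXPECTED_REGIONS, window_s=300):
    """Flag gateway-connected events that lack a successful gateway-auth for the
    same user within the preceding window_s seconds, or that originate from a
    region outside expected_regions. Returns [(time, user, ip, [reasons]), ...]."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["time"])
    rows.sort(key=lambda r: r["ts"])

    auth_ok = defaultdict(list)  # user -> timestamps of successful auth so far
    window = timedelta(seconds=window_s)
    findings = []
    for r in rows:
        if r["event"] == "gateway-auth" and r["status"] == "success":
            auth_ok[r["user"]].append(r["ts"])
            continue
        if r["event"] != "gateway-connected":
            continue
        reasons = []
        # A real session follows a successful auth; a forged override cookie
        # skips that step, so the connect event stands alone in the log.
        if not any(r["ts"] - window <= t <= r["ts"] for t in auth_ok[r["user"]]):
            reasons.append("no matching successful auth")
        if r["region"] not in expected_regions:
            reasons.append(f"unexpected region {r['region']}")
        if reasons:
            findings.append((r["time"], r["user"], r["public_ip"], reasons))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_LOG):
        print(*finding)
```

On the sample data, bob's session is flagged because no authentication for him appears at all, and carol's because her only auth attempt failed and her connection comes from an unexpected region; alice and dave are clean.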
Frequently asked questions
Does MFA protect me from CVE-2026-0257?
Not on its own. The bypass forges a session cookie rather than guessing credentials, so it can sidestep the authentication step entirely. MFA still matters for the broader environment, but for this specific flaw, patching and fixing the certificate configuration are what stop it.
How do I know if my certificate is shared?
In the PAN-OS configuration, check which certificate is bound to the GlobalProtect authentication override setting and compare it to the certificate used for the public HTTPS or management interface. If they are the same object, you meet the vulnerable condition.
My firewall is internal only. Am I safe?
The risk drops sharply if the GlobalProtect portal and gateway are not reachable from the internet, but you should still patch. Internal-only does not mean threat-free, and lateral movement from a compromised endpoint could reach the device.
What if I already see suspicious VPN sessions?
Treat the device as potentially compromised. Patch, rotate certificates and credentials, force-disconnect active sessions, and begin an incident-response review of what the unauthorized session could have reached. Our ransomware first-hour incident response guide covers the immediate containment steps.
Sources & further reading
- security.paloaltonetworks.com/CVE-2026-0257
- unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/
- rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
- bleepingcomputer.com/news/security/palo-alto-globalprotect-vpn-auth-bypass-flaw-now-exploited-in-attacks/