Breaking: PAN-OS GlobalProtect VPN Auth Bypass — Actively Exploited
Palo Alto Networks has confirmed limited active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability in PAN-OS GlobalProtect. CISA added it to the Known Exploited Vulnerabilities catalog on May 29 with a remediation deadline of June 1 (already passed).
The vulnerability allows unauthenticated attackers to bypass security restrictions and establish unauthorized VPN connections to affected firewalls. CVSS v3.1 score: 9.1 (Critical). CVSS v4.0 score: 7.8.
This affects firewalls with GlobalProtect portal or gateway configured where authentication override cookies are enabled alongside a specific certificate configuration. The attack surface is significant: any organisation using GlobalProtect for remote access with cookie-based authentication override is potentially exposed. Palo Alto Networks has confirmed "limited exploit attempts on unpatched PAN-OS devices without mitigations applied."
Affected Versions
The affected range is extremely broad: PAN-OS 10.2 through 12.1, covering most currently deployed versions. The full affected list spans dozens of hotfix levels across the 10.2.x, 11.1.x, 11.2.x, and 12.1.x branches. Prisma Access is being patched automatically according to Palo Alto's upgrade schedule.
Mitigation Before Patching
Palo Alto recommends disabling authentication override cookies as an interim measure. To check, go to Network > GlobalProtect > Gateways > Agent tab > Client Settings > Authentication Override tab. If "Accept cookie for authentication override" is checked, you are exposed. Disabling it immediately reduces risk, though it forces users to re-authenticate on every connection rather than using cached cookies.
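The same check can be run across an exported configuration instead of clicking through the web UI on every firewall. This is an added example, not Palo Alto Networks' code: it assumes the XML export represents the setting as an authentication-override element with an accept-cookie child (verify those element names against a real export), and the sample configuration below is constructed.

```python
"""Audit an exported PAN-OS configuration for GlobalProtect authentication override cookies.

Added example, not vendor code. Assumes the named-configuration XML export
carries an <authentication-override> element with an <accept-cookie> child on
each gateway or portal client config that honours cookies (element names are an
assumption about the export format). SAMPLE_CONFIG is constructed for illustration."""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<global-protect>
  <global-protect-gateway>
    <entry name="gw-remote-users"><remote-user-tunnel-configs><entry name="default">
      <authentication-override>
        <generate-cookie>yes</generate-cookie>
        <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
      </authentication-override>
    </entry></remote-user-tunnel-configs></entry>
    <entry name="gw-branch"><remote-user-tunnel-configs><entry name="default">
      <authentication-override><generate-cookie>no</generate-cookie></authentication-override>
    </entry></remote-user-tunnel-configs></entry>
  </global-protect-gateway>
  <global-protect-portal>
    <entry name="portal-main"><client-config><configs><entry name="default">
      <authentication-override><accept-cookie/></authentication-override>
    </entry></configs></client-config></entry>
  </global-protect-portal>
</global-protect>
</entry></vsys></entry></devices></config>"""

def find_cookie_override(config_xml: str) -> list[tuple[str, str]]:
    """Return (object_type, object_name) for every gateway or portal that accepts
    authentication override cookies, i.e. the exposed configuration."""
    root = ET.fromstring(config_xml)
    exposed = []
    for kind, tag in (("gateway", "global-protect-gateway"), ("portal", "global-protect-portal")):
        for container in root.iter(tag):
            for obj in container.findall("entry"):
                # An accept-cookie element anywhere under this object means cookies are honoured;
                # generate-cookie alone (issuing cookies) is not flagged.
                if obj.find(".//authentication-override/accept-cookie") is not None:
                    exposed.append((kind, obj.get("name", "?")))
    return exposed

if __name__ == "__main__":
    for kind, name in find_cookie_override(SAMPLE_CONFIG):
        print(f"EXPOSED: {kind} '{name}' accepts authentication override cookies")
```

Feed it the export of each firewall (or the Panorama template) and treat every line it prints as a device that needs the hotfix or the setting unchecked.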
Why This Matters
This is the pattern that keeps repeating: perimeter VPN appliances as the entry point for network compromise. An authentication bypass on GlobalProtect is not just another CVE to schedule patching for. It is an open door through your perimeter. The CISA KEV deadline of June 1 has already passed, and Palo Alto's own language about "limited exploit attempts" should be read as: someone is already using this, and the window between disclosure and widespread exploitation is measured in days, not weeks.
Patching is not optional here. Audit your GlobalProtect configuration immediately. If authentication override cookies are enabled, either apply the relevant hotfix or disable the feature now. Check logs for unexplained VPN sessions from unusual sources predating the patch window.