At a glance: The US Cybersecurity and Infrastructure Security Agency (CISA) added a vulnerability affecting the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software to the KEV catalog. A newly exploited flaw in Palo Alto Networks PAN-OS, tracked as CVE-2026-0257, enables unauthorized VPN access through forged GlobalProtect authentication cookies. Exploitation began within days of disclosure and continues to target unpatched systems across multiple environments.
Threat summary
On May 29, CISA added a vulnerability affecting the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software to its Known Exploited Vulnerabilities (KEV) catalog.
Palo Alto Networks confirmed active exploitation and updated its advisory, originally published with patches on May 13. Researchers observed the first exploitation activity on May 17, 2026, followed by a second wave on May 21, 2026. Activity continued over multiple weeks and relied on consistent infrastructure, indicating a single threat actor.
CVE-2026-0257 affects the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS, the operating system used in Palo Alto firewalls. GlobalProtect provides remote access virtual private network (VPN) connectivity into enterprise environments. Palo Alto’s Panorama and Cloud Next-Generation Firewall deployments are not impacted.
The flaw is in the authentication override feature. Under specific configurations, the system accepts decrypted authentication cookies without validating their signatures. Affected versions include:
- PAN-OS 12.1 before 12.1.4-h6 and 12.1.7
- PAN-OS 11.2 before 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, 11.2.12
- PAN-OS 11.1 before 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
- PAN-OS 10.2 before 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6
- Prisma Access 11.2.0: versions before 11.2.7-h13
- Prisma Access 10.2.0: versions before 10.2.10-h36
The vulnerability enables a threat actor to forge authentication cookies and establish unauthorized VPN sessions without valid credentials. This grants access to internal networks through a trusted perimeter control.
Observed exploitation involved cookie-based authentication to local administrator accounts from cloud infrastructure. In some cases, the devices assigned virtual private network addresses to the resulting sessions, which enabled internal access.
The initial Common Vulnerability Scoring System rating was 7.8 (high). On June 1, 2026, the National Vulnerability Database assigned a score of 9.1 (critical).
Analysis
This issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists.
Mitigation recommendations include upgrading to the patched PAN-OS versions released on May 13, 2026. Disabling authentication override cookies or regenerating certificates used for override functionality reduces exposure when patching is not immediately possible. Continuous monitoring of GlobalProtect authentication logs for cookie-based logins supports detection.
Organizations can reduce risk by validating GlobalProtect configurations, confirming operational need for authentication override cookies, and reviewing remote access policies for unnecessary exposure. Strengthening monitoring around edge virtual private network appliances and correlating authentication events with expected user behavior supports early identification of unauthorized access.
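As an added illustration of the log review recommended above (not code from the advisory or from Palo Alto Networks), the following Python snippet flags successful cookie-based GlobalProtect logins that match the observed exploitation pattern: local administrator accounts and source addresses outside expected networks, noting whether a VPN address was assigned. The log layout, field names, account list and address ranges are all constructed for this example and are not the real PAN-OS log schema.

```python
import csv
import ipaddress

# Constructed sample records in a hypothetical GlobalProtect authentication-log
# layout; field names are illustrative for this example, not the PAN-OS schema.
FIELDS = ["time", "user", "auth_method", "src_ip", "assigned_vpn_ip", "status"]
SAMPLE_LOG = """\
2026-05-17T03:12:44Z,alice,ldap,203.0.113.10,10.20.0.5,success
2026-05-17T03:14:02Z,admin,cookie,198.51.100.77,10.20.0.9,success
2026-05-17T03:14:30Z,bob,cookie,192.0.2.15,10.20.0.6,success
2026-05-17T03:15:11Z,svc-backup,cookie,198.51.100.78,,success
2026-05-17T03:16:00Z,alice,cookie,203.0.113.10,10.20.0.5,success
"""

# Constructed for the example: local administrator accounts, and the source
# networks (e.g. corporate egress) from which cookie logins are expected.
LOCAL_ADMIN_ACCOUNTS = {"admin", "svc-backup"}
EXPECTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]


def find_suspicious_cookie_logins(log_text: str) -> list:
    """Flag successful authentication-override (cookie) logins that match the
    observed exploitation pattern: local admin accounts and/or unexpected sources."""
    findings = []
    for row in csv.DictReader(log_text.splitlines(), fieldnames=FIELDS):
        if row["auth_method"] != "cookie" or row["status"] != "success":
            continue  # only cookie-based logins are relevant to this flaw
        reasons = []
        if row["user"] in LOCAL_ADMIN_ACCOUNTS:
            reasons.append("cookie login to local administrator account")
        src = ipaddress.ip_address(row["src_ip"])
        if not any(src in net for net in EXPECTED_SOURCE_NETS):
            reasons.append("cookie login from unexpected source network")
        if reasons:
            findings.append({"time": row["time"], "user": row["user"],
                             "src_ip": row["src_ip"],
                             # non-empty means the session obtained internal reachability
                             "assigned_vpn_ip": row["assigned_vpn_ip"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_cookie_logins(SAMPLE_LOG):
        vpn = f"vpn_ip={f['assigned_vpn_ip']}" if f["assigned_vpn_ip"] else "no VPN IP"
        print(f"{f['time']} {f['user']} from {f['src_ip']} ({vpn}): {'; '.join(f['reasons'])}")
```

A login that uses an authentication override cookie from an expected network with a normal user account (the last sample record) is deliberately not flagged, so the output concentrates on the combinations the advisory describes.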