Published on May 30, 2026

Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks


Severity
High

Detail

A high-severity vulnerability has been identified in Palo Alto Networks PAN-OS software affecting GlobalProtect portals and gateways. The flaw, tracked as CVE-2026-0257, is an authentication bypass vulnerability that allows an unauthenticated attacker to bypass normal VPN authentication and establish an unauthorized GlobalProtect VPN connection. The issue is linked to GlobalProtect authentication override cookies, where vulnerable configurations may trust forged cookie contents without proper signature validation. Exploitation is more likely in environments where authentication override cookies are enabled and the same certificate is reused for both HTTPS and authentication override cookies.

Palo Alto Networks initially rated the vulnerability as Medium because exploitation requires a specific configuration, but the severity was later raised to High after active exploitation was confirmed. Rapid7 observed exploitation activity starting around 17 May 2026, where attackers used forged authentication override cookies to target GlobalProtect gateways. Successful exploitation could allow unauthorized VPN access, potential exposure of internal network resources, and further lateral movement depending on network segmentation and access controls. Organizations are strongly advised to apply the fixed PAN-OS updates, review GlobalProtect authentication override settings, avoid certificate reuse, and monitor VPN authentication logs for suspicious cookie-based activity.

CVE ID: CVE-2026-0257
Summary: Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow an attacker to bypass security restrictions and establish an unauthorized VPN connection.
CVSS Score: 7.8 (High)

Affected Products

  • PAN-OS 10.2 — versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
  • PAN-OS 11.1 — versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  • PAN-OS 11.2 — versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
  • PAN-OS 12.1 — versions below 12.1.4-h5 and 12.1.7
  • GlobalProtect portal or gateway — affected when authentication override cookies are enabled with an unsafe certificate configuration

Recommendation

  • Upgrade PAN-OS immediately to the fixed version for the affected branch.
  • Disable authentication override cookies if the feature is not required.
  • Use a dedicated certificate for authentication override cookies.
  • Do not reuse the HTTPS portal/gateway certificate for authentication override cookies.
  • Review GlobalProtect VPN logs for suspicious successful logins, abnormal cookie-based authentication, unusual source IPs, and possible lateral movement.
  • Prioritize remediation because the vulnerability is already being exploited in attacks.

Source
https://www.bleepingcomputer.com/news/security/palo-alto-globalprotect-vpn-auth-bypass-flaw-now-exploited-in-attacks/