


Perceptive Security
SOC/SIEM Consultancy

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
Published:
30 May 2026 at 06:41:26
Alert date:
30 May 2026 at 08:00:45
Source:
thehackernews.com
Network Infrastructure, Zero-Day Vulnerabilities, Identity & Access
Palo Alto Networks has warned about active exploitation of CVE-2026-0257, a medium-severity authentication bypass vulnerability affecting PAN-OS and Prisma Access. The flaw has a CVSS score of 7.8 and allows attackers to bypass authentication to establish VPN connections through GlobalProtect. The vulnerability is currently being exploited in the wild by threat actors targeting the authentication mechanisms in PAN-OS systems.
Technical details
Authentication bypass vulnerability in GlobalProtect portal and gateway of PAN-OS software allows attackers to bypass security restrictions and establish unauthorized VPN connections. The issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists. Exploitation involves VPN IP assignment following cookie authentication, granting attackers access to internal networks.
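A detection sketch for the pattern described above (a VPN IP assigned after cookie authentication), added here as an example and not taken from Palo Alto Networks, Rapid7 or Perceptive. A legitimate override cookie is only issued after an interactive login, so the check flags cookie-authenticated sessions with no interactive login by the same user inside the cookie lifetime. The CSV schema, field names, sample rows and the 24-hour lifetime are constructed assumptions; map them to your own GlobalProtect log export and configured lifetime.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in a simplified CSV schema (assumption, not the PAN-OS export format).
SAMPLE_LOG = """time,user,src_ip,event,auth_method,assigned_ip
2026-05-29T08:00:00,alice,198.51.100.10,auth,password,
2026-05-29T08:00:05,alice,198.51.100.10,connected,password,10.20.0.15
2026-05-29T13:30:00,alice,198.51.100.10,auth,cookie,
2026-05-29T13:30:04,alice,198.51.100.10,connected,cookie,10.20.0.15
2026-05-29T23:12:40,svc-backup,203.0.113.77,auth,cookie,
2026-05-29T23:12:43,svc-backup,203.0.113.77,connected,cookie,10.20.0.99
"""

# Assumption: replace with the cookie lifetime configured on the portal/gateway.
COOKIE_LIFETIME = timedelta(hours=24)


def find_unbacked_cookie_sessions(log_text, lifetime=COOKIE_LIFETIME):
    """Return cookie-authenticated sessions that received a VPN IP although the
    user has no interactive (non-cookie) login within `lifetime` before them."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)), key=lambda r: r["time"])
    last_interactive = {}  # user -> timestamp of most recent non-cookie auth
    findings = []
    for row in rows:
        ts = datetime.fromisoformat(row["time"])
        user = row["user"].strip().lower()
        method = row["auth_method"].strip().lower()
        if row["event"] == "auth" and method != "cookie":
            last_interactive[user] = ts
        elif row["event"] == "connected" and method == "cookie" and row["assigned_ip"]:
            seen = last_interactive.get(user)
            if seen is None or ts - seen > lifetime:
                findings.append({
                    "time": row["time"],
                    "user": user,
                    "src_ip": row["src_ip"],
                    "assigned_ip": row["assigned_ip"],
                    "last_interactive_login": seen.isoformat() if seen else None,
                })
    return findings


if __name__ == "__main__":
    for hit in find_unbacked_cookie_sessions(SAMPLE_LOG):
        print("REVIEW:", hit)
```

The log window fed to the function must reach back at least one cookie lifetime before the first session of interest, otherwise legitimate cookie logins whose interactive login fell outside the window are flagged as well.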
Mitigation steps:
Upgrade to the vendor-supplied patch on an urgent basis
Disable the authentication override feature as a temporary mitigation
Generate a new certificate to use exclusively for the authentication override feature
Affected products:
Palo Alto Networks PAN-OS
Prisma Access
GlobalProtect portal
GlobalProtect gateway
FortiClient Endpoint Management Server (EMS)
Related links:
https://security.paloaltonetworks.com/CVE-2026-0257
https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
https://thehackernews.com/2026/05/threat-actors-exploit-critical.html
This article was created with the assistance of AI technology by Perceptive.
