CVE-2026-0257 — Palo Alto Networks PAN-OS Auth Bypass



Overview

Palo Alto Networks PAN-OS authentication bypass vulnerability CVE-2026-0257, affecting PAN-OS and Prisma Access, is now being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026.

CISA’s KEV cataloging requires U.S. Federal Civilian Executive Branch agencies to remediate the vulnerability by the catalog deadline, under Binding Operational Directive 22-01. Federal agencies must apply vendor-supplied fixes by June 19, 2026.

Vulnerability Details

The vulnerability, tracked as CVE-2026-0257 with a CVSS score of 7.8, is an authentication bypass that could be exploited by threat actors to set up unauthorized VPN connections. Per Palo Alto Networks’ advisory released May 13, 2026: authentication bypass vulnerabilities in the GlobalProtect portal and gateway allow the attacker to bypass security restrictions and establish an unauthorized VPN connection.

Root Cause & Trigger Condition

The vulnerability exists in a non-default feature called “authentication override,” which allows GlobalProtect portals and gateways to issue session cookies to authenticated users — similar to a bearer token — so users don’t need to re-authenticate each session.

The flaw is triggered only when the certificate used to encrypt and decrypt authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway.

CWE Classification

The root cause is classified as CWE-565: Reliance on Cookies without Validation and Integrity Checking. With the fix applied, if the firewall is configured to use an authentication override cookie for GlobalProtect Portal or Gateway, it will regenerate the cookie using a more secure method.
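The CWE-565 pattern above, and the dedicated-key fix the page alludes to, can be shown in a few lines. The following is an added illustration written for this page, not Palo Alto Networks code and not a model of the PAN-OS cookie format: a "weak" cookie whose claims are trusted as received, beside a cookie whose claims are bound to a key reserved for that one purpose and checked in constant time. The key, claim names and helper functions are all constructed here.

```python
import base64
import hashlib
import hmac
import json
import secrets


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# --- CWE-565 pattern: whatever the cookie says is believed -------------------

def issue_cookie_weak(username: str, expires_at: int) -> str:
    """Encodes the claims but attaches nothing that binds them to the issuer."""
    return _b64e(json.dumps({"u": username, "exp": expires_at}).encode())


def accept_cookie_weak(cookie: str, now: int):
    """Returns the username the cookie claims; no integrity check at all."""
    claims = json.loads(_b64d(cookie))
    return claims["u"] if claims["exp"] > now else None


# --- Hardened pattern: dedicated key, MAC over the claims, constant-time check

# One secret reserved for session cookies only; never the key material of
# another service (constructed for this example).
COOKIE_KEY = secrets.token_bytes(32)


def issue_cookie(username: str, expires_at: int, key: bytes = COOKIE_KEY) -> str:
    payload = json.dumps({"u": username, "exp": expires_at},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64e(payload)}.{_b64e(tag)}"


def accept_cookie(cookie: str, now: int, key: bytes = COOKIE_KEY):
    """Returns the username only if the tag verifies under *this* key and the
    cookie is unexpired; any malformed or altered cookie yields None."""
    try:
        payload_b64, tag_b64 = cookie.split(".")
        payload, tag = _b64d(payload_b64), _b64d(tag_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    return claims["u"] if claims["exp"] > now else None


def rewrite_claim(cookie: str, new_user: str) -> str:
    """Test helper: changes the username claim and leaves any tag untouched,
    to show which acceptor notices."""
    head, sep, tail = cookie.partition(".")
    claims = json.loads(_b64d(head))
    claims["u"] = new_user
    return _b64e(json.dumps(claims, separators=(",", ":")).encode()) + sep + tail
```

The two properties that matter are both visible in `accept_cookie`: the claims are only believed after the MAC verifies, and the MAC is keyed with material that exists for no other purpose, so a cookie produced under any other key (including one borrowed from another service) is rejected outright.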

Scope

Panorama and Cloud NGFW are not impacted by this vulnerability.

Exploitation Activity

Rapid7 MDR identified successful exploitation across numerous customers. The earliest confirmed exploitation date was May 17, 2026 — four days after initial advisory publication. Rapid7 MDR observed a second exploitation wave on May 21. Due to a consistent MAC address across both waves, Rapid7 assessed both incidents are likely attributable to the same threat actor, with the second wave originating from hosting provider Dromatics Systems.

While the assigned CVSSv4 score indicates medium severity, Rapid7 urges organizations to treat this as a critical vulnerability. An authentication bypass in an edge-facing enterprise VPN appliance carries significant potential impact.

In an update to its advisory on May 29, 2026, Palo Alto Networks stated it has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied.

A public proof-of-concept exploit script is now available, with Rapid7 Labs having validated a successful PoC.

Affected Versions

Affected products must have the authentication override feature enabled in either the GlobalProtect portal or gateway, and must reuse the authentication override cookie encryption and decryption certificate with another feature in order to be vulnerable.

Older, end-of-life versions — PAN-OS 9.0, 9.1, and 10.0 — are also vulnerable but will not receive patches. Customers on those releases must migrate to a supported branch immediately.

Detection

Rapid7 InsightIDR and MDR customers can deploy the detection rule: Suspicious Authentication — Palo Alto GlobalProtect Cookie Authentication to Local Admin Account.
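For teams without that product, the same idea can be run over exported GlobalProtect logs. The script below is an added example, not Rapid7's rule and not an official PAN-OS log schema: the CSV column names and the sample rows are constructed, and `LOCAL_ADMINS` is an assumed list of local (non-directory) administrator accounts. It raises an alert for any successful cookie-based authentication to a local admin account, and separately for a cookie login from a source that has not completed a credential-based login for that user earlier in the same log.

```python
import csv
import io

# Constructed list of local administrator accounts to watch.
LOCAL_ADMINS = {"admin", "panadmin"}

# Constructed sample rows in time order; column names are an assumption,
# not the real PAN-OS export format.
SAMPLE_LOG = """receive_time,event_id,stage,auth_method,source_user,source_region,public_ip,status
2026/05/17 03:12:44,portal-auth,login,LDAP,jsmith,US,203.0.113.10,success
2026/05/17 03:14:02,gateway-auth,login,Cookie,jsmith,US,203.0.113.10,success
2026/05/17 03:41:19,portal-auth,login,Cookie,admin,NL,198.51.100.77,success
2026/05/17 03:41:20,gateway-auth,login,Cookie,admin,NL,198.51.100.77,success
2026/05/17 04:05:55,portal-auth,login,Cookie,svc-backup,NL,198.51.100.77,failure
"""


def parse_events(text: str):
    """Parses the CSV export into a list of dicts, one per log row."""
    return list(csv.DictReader(io.StringIO(text)))


def detect(text: str, local_admins=LOCAL_ADMINS):
    """Single pass in time order. Credential (non-cookie) logins record which
    source IPs a user has authenticated from; each later cookie login is
    checked against that history and against the local-admin list."""
    credential_sources = {}   # user -> set of IPs with a credential login
    alerts = []
    for ev in parse_events(text):
        user, ip = ev["source_user"], ev["public_ip"]
        if ev["status"] != "success":
            continue
        if ev["auth_method"] != "Cookie":
            credential_sources.setdefault(user, set()).add(ip)
            continue
        reasons = []
        if user.lower() in local_admins:
            reasons.append("cookie authentication to local admin account")
        if ip not in credential_sources.get(user, set()):
            reasons.append("no prior credential login for this user from this source")
        if reasons:
            alerts.append({
                "time": ev["receive_time"], "event": ev["event_id"],
                "user": user, "source": ip, "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

In the sample, `jsmith` produces no alert: the cookie login comes from the same address that just completed an LDAP login. Both `admin` rows fire on both conditions, which is the pattern the rule name describes.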

Mitigation & Remediation

Palo Alto Networks recommends the following:

  • Patch immediately — Apply vendor-supplied fixes per the security advisory (PAN-SA-2026-0012). Panorama and Cloud NGFW do not require patching for this issue.
  • Disable Authentication Override — Uncheck the Authentication Override options (for generating and accepting cookies) in the GlobalProtect portal and gateway configuration.
  • Limit exposure — Restrict GlobalProtect portal and gateway access from the public internet using upstream ACLs where feasible. Require client certificates in addition to user credentials for GlobalProtect authentication. Monitor and rate-limit connections to GlobalProtect endpoints to slow automated bypass attempts.
  • EOL migration — Customers still on PAN-OS 9.0, 9.1, or 10.0 must migrate to a supported branch immediately.
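The two preconditions stated under Affected Versions (authentication override enabled, and the cookie encryption/decryption certificate reused by another feature) can be checked offline against an exported configuration before deciding which of the steps above apply. The audit below is an added example, not a Palo Alto Networks tool: the XML layout and the element names `authentication-override`, `generate-cookie`, `accept-cookie`, `cookie-encrypt-decrypt-cert` and `ssl-tls-service-profile` are assumptions about the export format, and the sample configuration is constructed. It compares the cookie certificate only with the HTTPS service certificate of the same portal or gateway, which is the sharing case the advisory names; a fuller audit would also compare it against every other feature that references a certificate.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an exported configuration. Element names
# are assumptions, not copied from a real device export.
SAMPLE_CONFIG = """<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="gp-tls-shared"><certificate>gp-wildcard</certificate></entry>
      <entry name="gp-tls-gw"><certificate>gw-only</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <global-protect>
    <portal>
      <entry name="corp-portal">
        <ssl-tls-service-profile>gp-tls-shared</ssl-tls-service-profile>
        <authentication-override>
          <generate-cookie>yes</generate-cookie>
          <accept-cookie>yes</accept-cookie>
          <cookie-encrypt-decrypt-cert>gp-wildcard</cookie-encrypt-decrypt-cert>
        </authentication-override>
      </entry>
    </portal>
    <gateway>
      <entry name="corp-gw-1">
        <ssl-tls-service-profile>gp-tls-gw</ssl-tls-service-profile>
        <authentication-override>
          <generate-cookie>no</generate-cookie>
          <accept-cookie>yes</accept-cookie>
          <cookie-encrypt-decrypt-cert>cookie-only</cookie-encrypt-decrypt-cert>
        </authentication-override>
      </entry>
      <entry name="corp-gw-2">
        <ssl-tls-service-profile>gp-tls-shared</ssl-tls-service-profile>
        <authentication-override>
          <generate-cookie>no</generate-cookie>
          <accept-cookie>no</accept-cookie>
          <cookie-encrypt-decrypt-cert>gp-wildcard</cookie-encrypt-decrypt-cert>
        </authentication-override>
      </entry>
    </gateway>
  </global-protect>
</config>"""


def _text(node, tag, default=""):
    child = node.find(tag)
    return (child.text or "").strip() if child is not None else default


def audit(config_xml: str):
    """Returns one finding per portal/gateway with authentication override
    enabled; 'exposed' is True when its cookie certificate is also the
    certificate behind its own TLS service profile."""
    root = ET.fromstring(config_xml)
    profile_cert = {e.get("name"): _text(e, "certificate")
                    for e in root.iterfind("./shared/ssl-tls-service-profile/entry")}
    findings = []
    for kind in ("portal", "gateway"):
        for entry in root.iterfind(f"./global-protect/{kind}/entry"):
            override = entry.find("authentication-override")
            if override is None:
                continue
            generate = _text(override, "generate-cookie") == "yes"
            accept = _text(override, "accept-cookie") == "yes"
            if not (generate or accept):
                continue  # feature off: first precondition not met
            cookie_cert = _text(override, "cookie-encrypt-decrypt-cert")
            service_cert = profile_cert.get(_text(entry, "ssl-tls-service-profile"))
            findings.append({
                "name": entry.get("name"), "kind": kind,
                "generate": generate, "accept": accept,
                "cookie_cert": cookie_cert, "service_cert": service_cert,
                "exposed": bool(cookie_cert) and cookie_cert == service_cert,
            })
    return findings


def exposed_names(config_xml: str):
    """Names of portals/gateways meeting both preconditions."""
    return sorted(f["name"] for f in audit(config_xml) if f["exposed"])


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Against the sample, `corp-portal` is the only entry that meets both preconditions; `corp-gw-1` has override enabled but a dedicated cookie certificate, and `corp-gw-2` has the feature off, so neither is reported as exposed even though both still warrant the patch.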

Analyst Note

This is the second PAN-OS KEV addition in under a month — CVE-2026-0300 was cataloged on May 6. The CVSS score of 7.8 here is misleading; edge-facing VPN appliances with auth bypass that have a public PoC and confirmed in-the-wild exploitation warrant critical-tier response. The 16-day gap from advisory to confirmed exploitation — with a second wave already observed — indicates active, organized threat actor interest. Organizations still running GlobalProtect on EOL PAN-OS branches have no patch path and must migrate urgently.
