CVE-2026-0257 — Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

Palo Alto Networks PAN-OS GlobalProtect — Pre-Auth VPN Bypass via Forged Authentication Override Cookie

What is PAN-OS GlobalProtect?

Palo Alto Networks PAN-OS is the operating system powering Palo Alto's next-generation firewall (NGFW) appliances. GlobalProtect is the VPN and Zero Trust Network Access (ZTNA) component built into PAN-OS, used by enterprises to extend secure network access to remote users. The GlobalProtect portal authenticates users and distributes configuration; the gateway enforces policy and provides the tunnel endpoint. GlobalProtect is among the most widely deployed enterprise VPN solutions globally, making internet-facing PAN-OS firewalls a high-value target for initial access.

Overview

CVE-2026-0257 is a pre-authentication bypass in the GlobalProtect portal and gateway in PAN-OS and Prisma Access. An unauthenticated remote attacker can forge a valid GlobalProtect authentication override cookie and establish an unauthorized VPN connection — gaining access to the protected network without supplying any credentials.

The flaw was added to CISA's Known Exploited Vulnerabilities catalog on May 29, 2026, four days after exploitation was first confirmed in the wild. Rapid7 MDR identified successful exploitation across numerous customers and rated it HIGHEST urgency — above Palo Alto's own CVSS 4.0 score of 7.8 HIGH — due to confirmed mass exploitation.

Affected Versions

PAN-OS Branch   Vulnerable Range     First Fixed Version
12.1            12.1.0 – 12.1.6      12.1.4-h6 / 12.1.7
11.2            11.2.0 – 11.2.11     11.2.4-h17 / 11.2.12
11.1            11.1.0 – 11.1.14     11.1.4-h33 / 11.1.15
10.2            10.2.0 – 10.2.17     10.2.7-h34 / 10.2.18-h6

Prisma Access:

Branch   Vulnerable               Fixed
10.2     10.2.0 – 10.2.9-h35      10.2.9-h36+
11.2     11.2.0 – 11.2.7-h12      11.2.7-h13+

Panorama and Cloud NGFW are not affected. Applying the patch invalidates all existing authentication override cookies — users must re-authenticate to GlobalProtect after the upgrade.
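As an added helper for turning the table above into a fleet check (written for this page, not Palo Alto tooling), the following parses PAN-OS version strings of the form `10.2.7-h34` (base release plus an optional `-hN` hotfix, as the table uses) and reports whether a version falls in a vulnerable range, matches a fixed release, or is outside what the table lists. The interpretation of "First Fixed Version" entries is an assumption stated in the comments: a hotfix entry such as `12.1.4-h6` covers only that base release at that hotfix or later, while a plain entry such as `12.1.7` covers that release and everything after it in the branch. Prisma Access is not modelled.

```python
"""Check a PAN-OS version against the CVE-2026-0257 affected-versions table.

Added example for this page; not vendor code.  Assumes version strings look
like '12.1.4-h6' (major.minor.maint, optional '-h<hotfix>').
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int, int]   # (major, minor, maint, hotfix)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Version:
    """'10.2.7-h34' -> (10, 2, 7, 34); a missing hotfix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# Transcribed from the page's table: branch -> (last vulnerable release,
# first fixed versions).  Prisma Access is not included.
AFFECTED: Dict[Tuple[int, int], Tuple[str, Tuple[str, ...]]] = {
    (12, 1): ("12.1.6",  ("12.1.4-h6",  "12.1.7")),
    (11, 2): ("11.2.11", ("11.2.4-h17", "11.2.12")),
    (11, 1): ("11.1.14", ("11.1.4-h33", "11.1.15")),
    (10, 2): ("10.2.17", ("10.2.7-h34", "10.2.18-h6")),
}


def _covered_by_fix(v: Version, fixed: Version) -> bool:
    """Assumed semantics of a 'first fixed' entry: with a hotfix it covers
    only that base release at that hotfix or later; without one it covers
    that release and every later release in the branch."""
    if fixed[3]:
        return v[:3] == fixed[:3] and v[3] >= fixed[3]
    return v[:3] >= fixed[:3]


def status(text: str) -> str:
    """Return one of:
      'fixed'       - matches a first-fixed entry (or later)
      'vulnerable'  - inside the vulnerable range, or a base release that
                      only has a hotfix-level fix it has not received
      'not-listed'  - branch absent from the table; consult the advisory
      'unknown'     - newer than anything the table describes
    """
    v = parse_version(text)
    entry = AFFECTED.get(v[:2])
    if entry is None:
        return "not-listed"
    last_vulnerable, fixed_texts = entry
    fixed_versions = [parse_version(f) for f in fixed_texts]
    if any(_covered_by_fix(v, f) for f in fixed_versions):
        return "fixed"
    if v[:3] <= parse_version(last_vulnerable)[:3]:
        return "vulnerable"
    # e.g. 10.2.18 without the h6 hotfix: same base as a hotfix-only fix.
    if any(f[3] and v[:3] == f[:3] for f in fixed_versions):
        return "vulnerable"
    return "unknown"


if __name__ == "__main__":
    for sample in ("12.1.4-h3", "12.1.4-h6", "12.1.6", "12.1.7",
                   "10.2.18", "10.2.18-h6", "10.2.19", "9.1.5"):
        print(f"{sample:12} {status(sample)}")
```

Feed it the `sw-version` value from each firewall's system info; anything reported as `unknown` or `not-listed` should be resolved against the vendor advisory rather than assumed safe.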

Technical Details

PAN-OS GlobalProtect supports an "authentication override cookie" feature: after a user successfully authenticates to the portal or gateway, the firewall issues an encrypted cookie that allows subsequent connections to skip re-authentication, improving the SSO experience for remote VPN users.

The cookie is encrypted using a certificate configured on the firewall. The CWE-565 failure (reliance on cookies without validation and integrity checking) arises when the same certificate is reused for a second service — most commonly the HTTPS management interface or the GlobalProtect web portal itself. In that configuration, the certificate's public key is accessible to any client connecting to the HTTPS service.

An attacker can exploit this in a straightforward sequence:

  1. Connect to the public-facing HTTPS service and extract the certificate's public key.
  2. Craft a forged authentication override cookie using the extracted key.
  3. Present the forged cookie to the GlobalProtect portal or gateway.
  4. Receive a valid VPN session — the firewall decrypts the cookie and trusts it, never verifying that it was issued as the result of a genuine prior authentication event.

The server-side failure is the absence of a provenance check: the firewall validates decryptability only, not whether the cookie was legitimately issued. The patch regenerates cookies using a dedicated certificate isolated exclusively to this purpose, severing the public-key extraction path.
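To make the server-side failure concrete, here is an added, simplified model of the two checks involved; it is written for this page and does not reproduce PAN-OS internals, cookie formats or key handling. The public half of a shared certificate is stood in for by a byte string every client can obtain (`PUBLIC_CERT_VALUE`, constructed). `VulnerableVerifier` accepts any cookie whose tag it can reproduce from that public value, which is the "validates decryptability only" condition described above. `HardenedVerifier` applies the two properties the fix relies on: key material dedicated to this purpose that never leaves the server, and a record that the cookie was actually issued after an authentication event, so a cookie that verifies but was never issued is refused. All class and function names are constructed for the example.

```python
"""Decryptability-only versus provenance-checked cookie acceptance.

Added illustration for this page; not PAN-OS code.  The cookie layout
(base64 JSON body + '.' + hex tag) and every name here are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Dict, Optional

# Stand-in for the public half of a certificate that is also served by the
# HTTPS front end: by definition every client can obtain it.  Constructed.
PUBLIC_CERT_VALUE = b"constructed-public-key-bytes"


def _encode(payload: dict) -> bytes:
    return base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())


def cookie_from_public_value(user: str, now: float) -> bytes:
    """Builds a cookie using only PUBLIC_CERT_VALUE.  Because the verifier
    below needs nothing else, the server's own issuer and any client that
    fetched the public value compute exactly the same thing."""
    body = _encode({"user": user, "iat": int(now)})
    tag = hashlib.sha256(PUBLIC_CERT_VALUE + body).hexdigest().encode()
    return body + b"." + tag


class VulnerableVerifier:
    """Accepts a cookie if its tag recomputes from the public value (CWE-565)."""

    def accept(self, cookie: bytes) -> bool:
        body, sep, tag = cookie.rpartition(b".")
        if not sep:
            return False
        expected = hashlib.sha256(PUBLIC_CERT_VALUE + body).hexdigest().encode()
        return hmac.compare_digest(tag, expected)


class HardenedVerifier:
    """Server-only secret plus an issuance record checked on every accept."""

    def __init__(self, max_age_s: int = 24 * 3600):
        self._secret = secrets.token_bytes(32)      # never served to clients
        self._issued: Dict[str, float] = {}          # cookie id -> issue time
        self._max_age_s = max_age_s

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._secret, body, hashlib.sha256).hexdigest().encode()

    def issue_after_auth(self, user: str, now: float) -> bytes:
        """Only reachable from the code path that just completed a real login."""
        cid = secrets.token_hex(16)
        self._issued[cid] = now
        body = _encode({"user": user, "cid": cid, "iat": int(now)})
        return body + b"." + self._tag(body)

    def accept(self, cookie: bytes, now: float) -> bool:
        body, sep, tag = cookie.rpartition(b".")
        if not sep or not hmac.compare_digest(tag, self._tag(body)):
            return False                              # integrity check failed
        try:
            claims = json.loads(base64.urlsafe_b64decode(body))
        except (ValueError, UnicodeDecodeError):
            return False
        issued_at = self._issued.get(claims.get("cid"))
        if issued_at is None:
            return False                              # provenance: never issued
        return now - issued_at <= self._max_age_s     # lifetime bound

    def rotate_key(self) -> None:
        """What the patch does in effect: every outstanding cookie is invalid."""
        self._secret = secrets.token_bytes(32)
        self._issued.clear()


def demo(t0: float = 1_700_000_000.0) -> Dict[str, bool]:
    """Constructed run returning which verifier accepts which cookie."""
    unissued = cookie_from_public_value("alice", t0)   # no login occurred
    vuln, hard = VulnerableVerifier(), HardenedVerifier()
    legit = hard.issue_after_auth("alice", now=t0)
    results = {
        "vulnerable_accepts_unissued": vuln.accept(unissued),
        "hardened_accepts_unissued": hard.accept(unissued, now=t0),
        "hardened_accepts_issued": hard.accept(legit, now=t0 + 60),
        "hardened_accepts_expired": hard.accept(legit, now=t0 + 25 * 3600),
    }
    hard.rotate_key()
    results["hardened_accepts_after_rotation"] = hard.accept(legit, now=t0 + 60)
    return results


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:32} {accepted}")
```

The `rotate_key` step mirrors why users must re-authenticate after the upgrade: once the dedicated key replaces the shared one, no cookie minted under the old material verifies, whether it was legitimately issued or not.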

Attack characteristics:

  • No authentication required
  • Network-accessible from the internet (any exposed GlobalProtect portal)
  • Low complexity — no race conditions, no special environment required
  • Establishes a full unauthorized VPN session in a single step

The closely related CVE-2026-0265 covers a variant that applies when Cloud Authentication Service (CAS) is enabled; CVE-2026-0257 applies when CAS is disabled and authentication override cookies are enabled. Rapid7 forensic analysis confirmed CVE-2026-0257 specifically in affected customers by identifying CAS-disabled configurations in PAN-OS tech support files.

Discovery

Identified by Palo Alto Networks' internal security research team. No external researcher or bug-bounty attribution has been published.

Exploitation Context

Exploitation was confirmed beginning May 17, 2026 — four days after the advisory was published — with a second wave observed May 21. Rapid7 MDR observed successful exploitation across numerous customers. Rapid7 Labs validated a working proof-of-concept.

In the initial wave, threat actors established unauthorized VPN sessions but did not appear to pivot laterally into internal networks — consistent with an access-establishment and reconnaissance phase rather than immediate follow-on compromise. Broader post-access activity should be assumed as campaigns mature.

No specific named APT or ransomware group has been attributed as of the KEV addition date. The breadth of exploitation across multiple customers suggests opportunistic scanning rather than targeted intrusions. GlobalProtect's position as one of the most widely deployed enterprise VPN solutions globally provides a large internet-facing attack surface.

Remediation

  1. Patch immediately. Apply the fixed PAN-OS version for your branch (see Affected Versions above). Consult the vendor advisory for the current hotfix schedule — multiple updates were issued in the days following the May 13 advisory.
  2. Notify users they must re-authenticate. The patch regenerates authentication override cookies; existing cookies are invalidated on upgrade.
  3. If immediate patching is not possible — workaround A (preferred): Generate a certificate used exclusively for authentication override cookies and configure it on the GlobalProtect portal and gateway. Do not reuse it for the HTTPS service or any other feature. This breaks the public-key extraction step without disabling the convenience feature.
  4. Workaround B: Disable the authentication override cookie feature entirely. In the GlobalProtect portal and gateway configurations, disable both "Generate cookie for authentication override" and "Accept cookie for authentication override." This eliminates the attack surface but requires users to re-authenticate on every VPN session.
  5. Review VPN session logs for unauthorized sessions from unexpected IP addresses or geolocations, particularly during May 17–29. Look for sessions that lack a corresponding prior interactive authentication event.
  6. Consult the Palo Alto KB on invalidating previously issued cookies if you suspect pre-patch exploitation in your environment.
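For step 5, the following added detection sketch (written for this page, not a Palo Alto or Rapid7 tool) correlates VPN session starts with interactive authentication events and flags sessions that have no successful authentication for the same user within the cookie lifetime, plus sessions whose source address differs from the one that authenticated. The pipe-delimited records are constructed and do not follow the real PAN-OS log schema, so the field mapping in `parse_line` must be adapted to your export; the 24-hour lookback is an assumption standing in for the configured cookie lifetime, which the page does not state.

```python
"""Flag VPN sessions that lack a matching prior interactive authentication.

Added example for this page.  Log format below is constructed
(timestamp|event|user|source_ip|outcome), not the PAN-OS schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Constructed sample records spanning the exploitation window on the page.
SAMPLE_LOGS = """\
2026-05-16T08:02:10Z|auth|alice|203.0.113.10|success
2026-05-16T08:02:31Z|vpn-session|alice|203.0.113.10|start
2026-05-18T03:13:01Z|vpn-session|alice|198.51.100.77|start
2026-05-19T22:40:02Z|auth|bob|192.0.2.55|failure
2026-05-19T22:41:07Z|vpn-session|bob|192.0.2.55|start
2026-05-20T09:15:00Z|auth|carol|203.0.113.44|success
2026-05-20T09:15:20Z|vpn-session|carol|203.0.113.44|start
2026-05-21T14:00:00Z|auth|dave|203.0.113.5|success
2026-05-21T14:10:00Z|vpn-session|dave|198.51.100.9|start
"""


@dataclass
class Event:
    ts: datetime
    kind: str       # 'auth' or 'vpn-session'
    user: str
    src_ip: str
    outcome: str    # 'success' / 'failure' for auth, 'start' for sessions


def parse_line(line: str) -> Event:
    ts, kind, user, ip, outcome = line.strip().split("|")
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(when, kind, user, ip, outcome)


def find_unexplained_sessions(
    lines: Iterable[str],
    lookback: timedelta = timedelta(hours=24),   # assumed cookie lifetime
    since: Optional[datetime] = None,            # e.g. start of review window
) -> List[Dict[str, str]]:
    """Return one finding per session start that either has no successful
    interactive auth for the user inside `lookback`, or whose source IP is
    not the one that authenticated."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e.ts)
    last_auth: Dict[str, Event] = {}
    findings: List[Dict[str, str]] = []
    for e in events:
        if e.kind == "auth" and e.outcome == "success":
            last_auth[e.user] = e            # failures never establish a baseline
        elif e.kind == "vpn-session" and e.outcome == "start":
            if since is not None and e.ts < since:
                continue
            prior = last_auth.get(e.user)
            if prior is None or e.ts - prior.ts > lookback:
                reason = "no interactive auth within lookback"
            elif prior.src_ip != e.src_ip:
                reason = "source IP differs from authenticating IP"
            else:
                continue
            findings.append({"ts": e.ts.isoformat(), "user": e.user,
                             "src_ip": e.src_ip, "reason": reason})
    return findings


if __name__ == "__main__":
    window_start = datetime(2026, 5, 17, tzinfo=timezone.utc)
    for f in find_unexplained_sessions(SAMPLE_LOGS.splitlines(), since=window_start):
        print(f)
```

Sessions flagged this way are candidates, not verdicts: a user whose cookie is older than the lookback or who roams between networks will also appear, so the list is a starting point for comparing against expected geolocations and for the cookie-invalidation guidance in step 6.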

Key Details

Property              Value
CVE ID                CVE-2026-0257
Vendor / Product      Palo Alto Networks — PAN-OS
NVD Published         2026-05-13
NVD Last Modified     2026-05-29
CVSS 3.1 Score        9.1
CVSS 3.1 Vector       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Severity              CRITICAL
CWE                   CWE-565
CISA KEV Added        2026-05-29
CISA KEV Deadline     2026-06-01
Known Ransomware Use  No

CVSS 3.1 Breakdown

Attack Vector         Network
Attack Complexity     Low
Privileges Required   None
User Interaction      None
Scope                 Unchanged
Confidentiality       High
Integrity             High
Availability          None

Required Action

CISA BOD 22-01 Deadline: 2026-06-01. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

Timeline

Date         Event
2026-05-13   Palo Alto Networks publishes security advisory; CVE assigned
2026-05-17   First confirmed in-the-wild exploitation observed (Rapid7 MDR)
2026-05-21   Second wave of exploitation observed
2026-05-29   Rapid7 publishes public exploitation report
2026-05-29   Added to CISA Known Exploited Vulnerabilities catalog
2026-06-01   CISA BOD 22-01 remediation deadline