Flash Briefing | Severity: high | Sectors: Finance, Healthcare, Critical Infrastructure, Communications, Transport

CVE-2026-0257: PAN-OS GlobalProtect Authentication Bypass Under Active Exploitation — CISA Deadline Today

Attackers are actively exploiting a Palo Alto Networks PAN-OS authentication bypass vulnerability to establish unauthorised VPN connections to enterprise networks. CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on 29 May 2026 and set a remediation deadline of 1 June 2026 for federal civilian agencies — a deadline that falls today. Rapid7’s MDR team confirmed successful exploitation across multiple enterprise customers, with activity beginning as early as 17 May.

What the Vulnerability Does

CVE-2026-0257 (CVSS 7.8) is an authentication bypass in the GlobalProtect portal and gateway components of PAN-OS. When authentication override cookies are enabled on a firewall and a specific certificate configuration is present, an attacker can forge override cookies to authenticate as the local administrator account and establish a full VPN connection to the internal network — without valid credentials.

Panorama and Cloud NGFW are not affected. The vulnerability is specific to physical and VM-series firewalls with GlobalProtect portal or gateway enabled.

Observed Exploitation Pattern

Rapid7 tracked two distinct exploitation waves:

  • Wave 1 (18 May): Originating from infrastructure on Vultr, attackers used forged authentication override cookies to authenticate to GlobalProtect gateways as the local admin account, using machine name GP-CLIENT and a spoofed MAC address (aa:bb:cc:dd:ee:ff).
  • Wave 2 (21 May): Activity from Dromatics Systems hosting, with some victims receiving full VPN IP assignments following cookie-based authentication.

In both waves, attackers successfully connected to internal networks via VPN, achieving network-level access equivalent to a fully authenticated remote user. Rapid7 did not observe lateral movement from compromised devices in the reported incidents, but network-level access of this kind provides the foothold from which lateral movement typically follows.

Palo Alto Networks disclosed the flaw on 13 May 2026 and updated its advisory on 29 May when exploitation was confirmed in the wild.

Affected Versions

All PAN-OS deployments with GlobalProtect portal or gateway enabled should be treated as potentially affected unless they have been patched. Key vulnerable ranges:

  • PAN-OS 11.1: versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15
  • PAN-OS 10.2: versions prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6
  • PAN-OS 9.0, 9.1, 10.0: affected and will not receive patches (end-of-life)

Organisations running end-of-life PAN-OS versions have no patching path and must apply workaround mitigations immediately.
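To turn the version ranges above into an inventory check, here is an added Python example (not code from Palo Alto Networks, Rapid7 or this briefing) that parses PAN-OS version strings and reports which firewalls still need action. It encodes the fixed versions exactly as listed. Two interpretive choices are the example's own assumptions, not statements from the advisory: a maintenance release with no listed hotfix (such as 11.1.5) is treated as vulnerable, and a maintenance release newer than the last listed fix on a branch is treated as fixed. Confirm both against the vendor advisory before relying on the output.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions as listed in the briefing, grouped by release branch.
FIXED_VERSIONS = {
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}
# Branches the briefing lists as end-of-life: affected, no patch forthcoming.
EOL_BRANCHES = {"9.0", "9.1", "10.0"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split 'MAJOR.MINOR.MAINT[-hHOTFIX]' into integers; hotfix defaults to 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str) -> str:
    """Classify one PAN-OS version as fixed, vulnerable, vulnerable-eol or unknown-branch."""
    major, minor, maint, hotfix = parse_version(version)
    branch = f"{major}.{minor}"
    if branch in EOL_BRANCHES:
        return "vulnerable-eol"
    fixes = FIXED_VERSIONS.get(branch)
    if fixes is None:
        # Not covered by the listed ranges (e.g. a newer branch): check the advisory.
        return "unknown-branch"
    parsed = [parse_version(f) for f in fixes]
    # Same maintenance release as a listed fix: fixed once at or after that hotfix.
    for _, _, fixed_maint, fixed_hotfix in parsed:
        if maint == fixed_maint:
            return "fixed" if hotfix >= fixed_hotfix else "vulnerable"
    # Assumption: a maintenance release newer than the last listed fix on the
    # branch carries the fix natively (11.1.15 and later, 10.2.18-h6 and later).
    if maint > max(p[2] for p in parsed):
        return "fixed"
    # Assumption: a maintenance release with no listed hotfix (e.g. 11.1.5) is
    # treated as vulnerable until the advisory says otherwise.
    return "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Group firewall hostnames by assessment so the patch queue is obvious."""
    buckets: Dict[str, List[str]] = {}
    for host, version in sorted(inventory.items()):
        buckets.setdefault(assess(version), []).append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up for the example.
    sample = {
        "fw-dc1-edge": "11.1.4-h20",
        "fw-dc1-core": "11.1.4-h33",
        "fw-branch-01": "11.1.5",
        "fw-branch-02": "10.2.7",
        "fw-lab": "9.1.14-h8",
    }
    for status, hosts in triage(sample).items():
        print(f"{status:15s} {', '.join(hosts)}")
```

Feed `triage()` the output of whatever inventory source you trust (Panorama export, CMDB, a `show system info` sweep) and work the `vulnerable` and `vulnerable-eol` buckets first; `unknown-branch` entries need a manual look at the advisory rather than being assumed safe.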

Sector Relevance

GlobalProtect is one of the most widely deployed enterprise VPN solutions across sectors Adversary Wire covers. Finance, healthcare, utilities, transport and logistics, and telecommunications organisations that rely on GlobalProtect for remote access and site-to-site connectivity are all potentially in scope. The attack surface is particularly significant in organisations that have not reviewed their authentication override configuration since initial deployment — a common gap when firewall policies were set up during rapid remote-working expansions in prior years.

Recommended Actions

  1. Patch immediately. Apply the relevant fixed PAN-OS version from those listed above. Treat this as urgent regardless of CISA’s federal deadline.

  2. Disable authentication override if not required. If GlobalProtect authentication override cookies are not actively needed, disabling the feature eliminates the attack surface entirely. Review whether this feature was enabled by default or by deliberate configuration.

  3. Generate a new dedicated certificate. If authentication override is required, generate a new certificate used exclusively for that feature and reconfigure accordingly — this prevents forged cookies from working against your current certificate.

  4. Check for indicators. Review GlobalProtect gateway authentication logs for authentications using the local admin account, unusual machine names (e.g. GP-CLIENT), or MAC addresses matching aa:bb:cc:dd:ee:ff. These are specific indicators from the observed exploitation waves.

  5. Upgrade end-of-life PAN-OS. Organisations on PAN-OS 9.x or 10.0 must migrate to a supported release. No security patches are forthcoming for those versions.
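The indicator review in step 4 lends itself to a script. The Python below is an added example, not code from Rapid7, Palo Alto Networks or this briefing. It runs over a constructed CSV export whose column names (source_user, machine_name, client_mac and so on) are an assumption for the example rather than PAN-OS's actual export layout, so map your own export's columns onto them before use. The local admin account name "admin" is likewise an assumption; substitute the local administrator accounts that exist on your firewalls.

```python
import csv
import io
from typing import Dict, List

# Indicators from the observed exploitation waves, as given in the briefing.
SUSPECT_MACHINE_NAMES = {"gp-client"}
SUSPECT_MACS = {"aa:bb:cc:dd:ee:ff"}
# Assumption: the local administrator account is called "admin".
LOCAL_ADMIN_ACCOUNTS = {"admin"}

# Constructed sample export for the example. The header names are an assumption,
# not PAN-OS's real GlobalProtect log layout; timestamps, users and addresses are made up.
SAMPLE_LOG = """\
time,event,status,source_user,machine_name,client_mac,public_ip,private_ip
2026-05-18T02:14:07Z,portal-auth,success,jdoe,LAPTOP-7F3A,3c:22:fb:11:22:33,198.51.100.23,10.20.0.14
2026-05-18T02:15:41Z,gateway-auth,success,admin,GP-CLIENT,aa:bb:cc:dd:ee:ff,203.0.113.77,10.20.0.15
2026-05-18T02:15:42Z,gateway-auth,success,admin,GP-CLIENT,AA-BB-CC-DD-EE-FF,203.0.113.77,10.20.0.15
2026-05-18T09:02:10Z,gateway-auth,failure,asmith,DESKTOP-91,00:1a:2b:3c:4d:5e,198.51.100.9,
2026-05-21T17:33:58Z,gateway-auth,success,svc-backup,GP-CLIENT,00:50:56:ab:cd:ef,203.0.113.140,10.20.0.31
"""


def normalise_mac(mac: str) -> str:
    """Lower-case a MAC and accept dash-separated forms so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


def indicators_for(row: Dict[str, str]) -> List[str]:
    """Return the names of the briefing's indicators that this log row matches."""
    hits: List[str] = []
    if row.get("source_user", "").strip().lower() in LOCAL_ADMIN_ACCOUNTS:
        hits.append("local-admin-account")
    if row.get("machine_name", "").strip().lower() in SUSPECT_MACHINE_NAMES:
        hits.append("machine-name")
    if normalise_mac(row.get("client_mac", "")) in SUSPECT_MACS:
        hits.append("client-mac")
    return hits


def scan(log_text: str) -> List[Dict[str, object]]:
    """Scan a CSV export and return one finding per row that matches any indicator."""
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        hits = indicators_for(row)
        if not hits:
            continue
        # A successful authentication matching all three indicators is the
        # closest fit to the reported pattern; anything partial still needs review.
        strong = len(hits) == 3 and row.get("status", "").lower() == "success"
        findings.append({
            "time": row["time"],
            "user": row["source_user"],
            "machine": row["machine_name"],
            "mac": normalise_mac(row["client_mac"]),
            "status": row["status"],
            "indicators": hits,
            "confidence": "high" if strong else "review",
        })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(f"{finding['time']} {finding['confidence']:6s} user={finding['user']} "
              f"machine={finding['machine']} mac={finding['mac']} "
              f"indicators={','.join(finding['indicators'])}")
```

Any `high` finding is a candidate compromise of that gateway and warrants treating the assigned VPN address as hostile until the session and follow-on network activity have been reviewed; `review` findings (for example a legitimate host that happens to be named GP-CLIENT) still deserve a look, since the indicators come from only two observed waves and later activity need not reuse them.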

Active exploitation of edge-facing VPN appliances is among the highest-value initial access vectors for both nation-state actors and ransomware operators. If your organisation has GlobalProtect deployed and has not applied patches since 13 May, assume you need to patch today.