PaloAlto Global Protect Vulnerability : CVE‑2026‑0257 - The Network DNA: Networking, Cloud, and Security Technology Blog

PaloAlto Global Protect Vulnerability : CVE‑2026‑0257


🔐 What is the PaloAlto GP vulnerability CVE‑2026‑0257?

From your internal advisory:

  • It is a GlobalProtect authentication bypass vulnerability in Palo Alto PAN‑OS
  • It allows attackers to bypass login controls under certain configurations

From vendor/security sources:

  • The flaw allows an attacker to bypass authentication and establish an unauthorized VPN connection
  • It specifically affects:
    • GlobalProtect portal
    • GlobalProtect gateway
  • The attack works without valid credentials or user interaction

⚠️ Why it’s critical (real-world impact)

1. Direct access into your network

  • Exploitation lets attackers connect via VPN as if they were legitimate users
  • This can expose internal systems because VPN traffic is typically trusted

2. Edge-facing exposure

  • This vulnerability targets internet-facing firewalls / VPN gateways, which are high‑value entry points

3. Active exploitation

  • Attackers began exploiting it within days of disclosure (around May 17, 2026)
  • It is now:
    • Added to CISA Known Exploited Vulnerabilities (KEV)
    • Observed in multiple customer environments

4. Severity evolution

  • Initially rated Medium internally
  • Updated to:
    • CVSS ~7.8 (High)
    • Some security teams are treating it as effectively critical due to active exploitation

🧠 Root cause (simplified)

  • The vulnerability is related to authentication override cookies
  • Systems may:
    • Accept forged or improperly validated cookies
    • Treat unauthenticated users as authenticated

➡️ Result: the attacker skips the login step and obtains an authenticated session.

🎯 When YOUR environment is vulnerable

Based on both your internal notice and vendor advisory:

You are exposed if:

  • GlobalProtect is enabled (portal or gateway)
  • Authentication override cookies are enabled
  • The certificate configuration for those cookies matches the affected setup (the internal note addresses this by requiring a dedicated certificate)

👉 This aligns exactly with your internal note requiring:

  • Dedicated authentication certificates
  • PAN‑OS upgrades

🛠️ Required actions (specific to your environment)

From your internal ITS notification:

Mandatory actions

  • Upgrade PAN‑OS on all NGFWs
  • Implement dedicated certificate for authentication override cookies

Vendor-recommended mitigations

  • Upgrade to fixed PAN‑OS versions
  • Or:
    • Disable authentication override
    • Use a secure, dedicated certificate for cookies
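As an added example, not code from the original post or from Palo Alto, the script below applies the exposure conditions above to a GlobalProtect configuration export and reports every portal or gateway whose authentication override cookies are enabled, classifying its cookie certificate as missing, shared with a TLS server certificate, or dedicated. The XML element and attribute names are assumptions chosen for illustration, not the PAN‑OS schema, so the lookups must be mapped onto your own exported config.

```python
"""Audit a GlobalProtect config export for the CVE-2026-0257 exposure conditions."""
import xml.etree.ElementTree as ET

# Constructed sample config. The element and attribute names are an ASSUMED,
# simplified layout for illustration, not the real PAN-OS XML schema: map the
# lookups below onto the authentication-override settings in your own export.
SAMPLE_CONFIG = """
<config>
  <global-protect>
    <portal name="corp-portal" ssl-cert="gp-portal-cert">
      <authentication-override enabled="yes" cookie-cert="gp-portal-cert"/>
    </portal>
    <gateway name="corp-gw" ssl-cert="gp-gw-cert">
      <authentication-override enabled="yes" cookie-cert="auth-cookie-cert"/>
    </gateway>
    <gateway name="branch-gw" ssl-cert="branch-cert">
      <authentication-override enabled="yes"/>
    </gateway>
    <gateway name="lab-gw" ssl-cert="lab-cert">
      <authentication-override enabled="no"/>
    </gateway>
  </global-protect>
</config>
"""


def audit_auth_override(config_xml: str) -> list[tuple[str, str]]:
    """Return (object, status) for each portal/gateway with override cookies enabled.

    Statuses follow the advisory's exposure conditions: 'no-cookie-cert' (cookies
    enabled, no certificate set), 'shared-cert' (the cookie certificate also
    terminates TLS for a portal/gateway, so it is not dedicated), 'dedicated-cert'.
    """
    root = ET.fromstring(config_xml)
    nodes = root.findall("./global-protect/portal") + root.findall("./global-protect/gateway")
    # Certificates serving TLS for any portal/gateway; a cookie certificate that
    # appears in this set is shared, not dedicated.
    tls_certs = {n.get("ssl-cert") for n in nodes if n.get("ssl-cert")}
    findings = []
    for node in nodes:
        override = node.find("authentication-override")
        if override is None or override.get("enabled", "no").lower() != "yes":
            continue  # override disabled: one of the vendor-recommended mitigations
        cert = override.get("cookie-cert")
        status = "no-cookie-cert" if not cert else "shared-cert" if cert in tls_certs else "dedicated-cert"
        findings.append((f"{node.tag} {node.get('name')}", status))
    return findings


if __name__ == "__main__":
    for obj, status in audit_auth_override(SAMPLE_CONFIG):
        print(f"{obj}: {status}")  # dedicated-cert entries still need a fixed PAN-OS release
```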

🧩 TL;DR (for quick discussion with your team)

  • CVE‑2026‑0257 = GlobalProtect auth bypass
  • Impact:
    • Unauthorized VPN access
    • Potential internal network exposure
  • Status:
    • ✅ Actively exploited
    • ✅ High urgency (KEV-listed)
  • Risk driver:
    • Cookie-based authentication override
  • Action:
    • 🚨 Patch immediately + fix certificate/config