Full Report
An authentication bypass vulnerability has been discovered in the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS. The GlobalProtect portal is the central control plane of a Palo Alto Networks VPN deployment: it authenticates users and hands them the client configuration and the list of gateways they may connect to. Successful exploitation allows an unauthenticated remote attacker to bypass authentication and establish an unauthorized VPN connection through an affected gateway.
Analysis Summary
# Vulnerability: PAN-OS GlobalProtect Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-0257
- **CVSS Score:** Not explicitly listed in the advisory, but categorized as **HIGH** severity.
- **CWE:** Not specified in the advisory; the technical summary describes an authentication bypass.
## Affected Systems
- **Products:**
  - Palo Alto Networks PAN-OS
  - Palo Alto Networks Prisma Access
- **Versions:**
  - **PAN-OS 11.2:** Versions prior to 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, and 11.2.12
  - **PAN-OS 11.1:** Versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  - **PAN-OS 10.2:** Versions prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
  - **Prisma Access:** 11.2.0 and later versions prior to 11.2.7-h13; 10.2.0 and later versions prior to 10.2.10-h36
- **Configurations:** A firewall is affected only when all of the following hold: a **GlobalProtect portal or gateway** is configured, **authentication override cookies** are enabled, and a **specific certificate configuration** (not detailed in the advisory summary) is present.
## Vulnerability Description
An authentication bypass vulnerability exists in the GlobalProtect portal and gateway components of PAN-OS. The flaw allows an unauthenticated remote attacker to circumvent authentication and establish an unauthorized VPN connection. It stems from how the portal and gateway handle authentication override cookies when the particular certificate configuration noted above is present; the override cookie mechanism exists to let a client that has already authenticated reconnect without re-entering credentials, and the bug lets an attacker obtain that shortcut without the initial authentication.
## Exploitation
- **Status:** **Exploited in the wild.** CISA has added this to the Known Exploited Vulnerabilities (KEV) Catalog.
- **Complexity:** Not specified in the advisory. No authentication is required, only network access to an exposed GlobalProtect portal or gateway.
- **Attack Vector:** **Network** (Remote)
## Impact
- **Confidentiality:** **High.** An unauthorized VPN session gives the attacker network access to whatever the GlobalProtect security policy permits for VPN users, and with it the ability to read or exfiltrate data from those systems.
- **Integrity:** **High.** From that position the attacker can interact with and modify internal systems reachable over the tunnel, as any VPN-connected client could.
- **Availability:** **High.** Internal systems reachable through the tunnel can be disrupted. Note that the bypass itself yields network access, not code execution on the firewall; the concrete impact depends on what VPN users are allowed to reach.
## Remediation
### Patches
Palo Alto Networks has released several hotfix versions to address this flaw. Administrators should upgrade to the following minimum versions or higher:
- **PAN-OS 11.2:** 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12
- **PAN-OS 11.1:** 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15
- **PAN-OS 10.2:** 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6
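Checking a fleet against the table above is slightly awkward because PAN-OS hotfix numbering is not a simple ordering: 11.2.5 is numerically newer than 11.2.4-h17 but carries no fix, while 11.2.12 and everything after it in the 11.2 train does. The following Python is an added example (not Palo Alto Networks code or tooling) that encodes the PAN-OS fixed versions listed on this page and applies the usual reading of an advisory's "prior to" list: a release is fixed when it is at or above the hotfix for its own maintenance release, or when it follows the last maintenance release that received a fix. That reading is an assumption; Prisma Access is left out because its ranges are stated differently, and trains the table does not cover come back as "unknown".

```python
import re

# Fixed PAN-OS versions exactly as listed in the Patches section above,
# grouped by (major, minor) release train.
FIXED_VERSIONS = {
    (11, 2): ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
    (11, 1): ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6",
              "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    (10, 2): ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21",
              "10.2.16-h7", "10.2.18-h6"],
}

# PAN-OS versions look like 11.2.4-h17; a missing -hN means hotfix 0.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix) for a PAN-OS version string."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def patch_status(installed):
    """Classify an installed version as 'fixed', 'vulnerable' or 'unknown'.

    Interpretation (an assumption, matching how Palo Alto Networks advisories
    are normally read): within a train, a maintenance release that received a
    hotfix is fixed from that hotfix upward; maintenance releases without a
    listed fix are vulnerable if they precede the last fixed release and fixed
    if they follow it.
    """
    major, minor, maint, hotfix = parse_version(installed)
    fixes = FIXED_VERSIONS.get((major, minor))
    if fixes is None:
        return "unknown"  # train not covered by the table above (e.g. 11.0, 10.1)
    parsed = [parse_version(f) for f in fixes]
    for _, _, fixed_maint, fixed_hotfix in parsed:
        if maint == fixed_maint:
            return "fixed" if hotfix >= fixed_hotfix else "vulnerable"
    last_fixed_maint = max(p[2] for p in parsed)
    return "fixed" if maint > last_fixed_maint else "vulnerable"


def main():
    # Constructed sample inventory, not real device data.
    inventory = {"fw-dc1": "11.2.4-h16", "fw-dc2": "11.2.7-h14",
                 "fw-branch": "10.2.9", "fw-lab": "11.0.3"}
    for name, version in inventory.items():
        print(f"{name:10} {version:12} {patch_status(version)}")


if __name__ == "__main__":
    main()
```

Feed it the output of `show system info` (the `sw-version` line) from each device, or a Panorama export. An "unknown" result means the train is simply not in the table above, not that the device is safe; consult the vendor advisory for those.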
### Workarounds
- If patching cannot be performed immediately, disable authentication override cookies (both generating and accepting them) in the GlobalProtect portal and gateway agent configuration. This removes the affected code path at the cost of users re-entering credentials on every connection, so expect a usability impact and a rise in authentication log volume.
- Restrict what GlobalProtect users can reach with security policy and network segmentation, so that an unauthorized VPN session lands in a limited zone rather than on a flat internal network.
## Detection
- **Indicators of Compromise:** Successful GlobalProtect logins in the GlobalProtect log that were accepted on the strength of an override cookie without a preceding credential-based login for the same user, and VPN sessions originating from unexpected source IP addresses or geographies or presenting anomalous certificate attributes.
- **Detection methods and tools:**
  - Review the PAN-OS GlobalProtect log for successful authentications whose authentication method is the override cookie and correlate them with earlier credential-based logins for the same user.
  - Run vulnerability scanners with updated signatures for CVE-2026-0257 against exposed portals and gateways.
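As an added example (not from the advisory or any vendor tooling), the following Python applies the log-review method above to a GlobalProtect log export. A login that the portal or gateway accepted on the strength of an override cookie should normally be preceded, within the cookie's lifetime, by a credential-based login for the same user, and ordinarily from the same public IP. Cookie logins that break either expectation are worth triage. The CSV column names (receive_time, eventid, auth_method, srcuser, public_ip, status), the literal auth_method value "cookie" and the sample rows are all constructed assumptions for this example; match the names to the header of your own export and set the lookback to your configured cookie lifetime.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of GlobalProtect log events (not real data).
# Column names are an assumption for this example; align them with the
# header of your own CSV export.
SAMPLE_LOG = """\
receive_time,eventid,auth_method,srcuser,public_ip,status
2026/05/28 08:01:10,portal-auth,LDAP,alice,203.0.113.10,success
2026/05/28 08:01:12,gateway-auth,cookie,alice,203.0.113.10,success
2026/05/28 09:15:05,gateway-auth,cookie,bob,198.51.100.7,success
2026/05/28 10:20:00,portal-auth,SAML,carol,203.0.113.44,success
2026/05/28 10:20:02,gateway-auth,cookie,carol,203.0.113.44,success
2026/05/28 13:05:40,gateway-auth,cookie,dave,203.0.113.80,failure
2026/05/28 22:40:31,gateway-auth,cookie,carol,192.0.2.99,success
"""

# Value of auth_method that marks an override-cookie login (assumed).
COOKIE_METHOD = "cookie"
# Set this to the cookie lifetime configured on your portal/gateway.
DEFAULT_LOOKBACK = timedelta(hours=24)


def parse_events(text):
    """Parse the CSV export into dicts with a datetime 'ts' field, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
        events.append(row)
    events.sort(key=lambda r: r["ts"])
    return events


def find_suspicious_cookie_logins(events, lookback=DEFAULT_LOOKBACK):
    """Return (user, time, public_ip, reason) for successful cookie logins that
    lack a matching credential-based login inside the lookback window."""
    credential_logins = defaultdict(list)  # user -> [(ts, public_ip), ...]
    findings = []
    for ev in events:
        if ev["status"] != "success":
            continue  # failed attempts are not a bypass; track them separately
        if ev["auth_method"].lower() != COOKIE_METHOD:
            # A credential-based login (LDAP, SAML, ...) legitimises later cookies.
            credential_logins[ev["srcuser"]].append((ev["ts"], ev["public_ip"]))
            continue
        recent = [(ts, ip) for ts, ip in credential_logins[ev["srcuser"]]
                  if ev["ts"] - ts <= lookback]
        if not recent:
            findings.append((ev["srcuser"], ev["receive_time"], ev["public_ip"],
                             "cookie accepted with no preceding credential login"))
        elif ev["public_ip"] not in {ip for _, ip in recent}:
            findings.append((ev["srcuser"], ev["receive_time"], ev["public_ip"],
                             "cookie accepted from an IP that never logged in with credentials"))
    return findings


if __name__ == "__main__":
    for user, when, ip, reason in find_suspicious_cookie_logins(parse_events(SAMPLE_LOG)):
        print(f"{when}  {user:8} {ip:15} {reason}")
```

On the sample this flags bob (a cookie login with no credential login at all) and carol's late-night login from a new IP. The first pattern is the stronger signal for this bug, since the bypass is about getting a cookie accepted without the authentication that should have produced it; the second is a lead, because roaming users change public IPs legitimately. Export a window at least as long as the cookie lifetime before the logins under review, or every early cookie login will show up as having no credential login.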
## References
- **CISA KEV:** hxxps://www.cisa[.]gov/news-events/alerts/2026/05/29/cisa-adds-one-known-exploited-vulnerability-catalog
- **Palo Alto Advisory:** hxxps://security.paloaltonetworks[.]com/CVE-2026-0257
- **CVE Mitre:** hxxps://cve.mitre[.]org/cgi-bin/cvename.cgi?name=CVE-2026-0257
- **Rapid7 Analysis:** hxxps://www.rapid7[.]com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/