HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Authentication Bypass Vulnerability in Palo Alto Networks PAN‑OS Enables Unauthorized VPN Access

A CVE‑2026‑0257 flaw in PAN‑OS GlobalProtect lets attackers bypass authentication and open rogue VPN tunnels. Government agencies and midsize enterprises that rely on these firewalls face elevated risk, highlighting the need for SOC 2‑aligned access‑control evidence and rapid patching.

LiveThreat™ Intelligence · 📅 June 23, 2026· 📰 cisecurity.org
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
cisecurity.org

Vulnerability in PAN‑OS GlobalProtect Allows Authentication Bypass

What Happened — A flaw (CVE‑2026‑0257) in the GlobalProtect portal and gateway of Palo Alto Networks PAN‑OS lets an attacker bypass authentication and establish an unauthorized VPN connection. Limited exploit attempts have already been observed on unpatched devices, prompting CISA to add the issue to its KEV catalog.

Why It Matters for Compliance & Audit Readiness

  • The scenario maps directly to SOC 2 CC6.1 (Logical Access) and CC6.2 (User Authentication) – controls that must prevent unauthorized remote access and be continuously evidenced.
  • Continuous‑compliance programs need real‑time vulnerability management and proof that patches are applied, otherwise audit evidence for “access control effectiveness” is weak.
  • Demonstrating that you have a documented, tested process for rapid remediation of authentication‑related flaws satisfies both the “Risk Management” and “Security” trust principles.

Who Is Affected — Large and medium government agencies, large and medium enterprises (especially those relying on VPN for remote work), and any organization using PAN‑OS 10.2, 11.1, or 11.2 series firewalls.

Recommended Actions

  • Prioritize patching to the latest PAN‑OS releases listed in the advisory; validate in a test environment before production rollout.
  • Verify that authentication‑override cookies are disabled or tightly controlled; review certificate configurations that trigger the bypass.
  • Update your SOC 2 access‑control evidence: capture patch‑deployment logs, VPN‑connection audit trails, and any compensating controls (e.g., MFA enforcement).
  • Integrate the vulnerability into your continuous‑monitoring platform to generate alerts for any future unpatched instances.

Source: CIS Advisory 2026‑062

Technical Notes — The flaw resides in the GlobalProtect portal/gateway when authentication‑override cookies are enabled and a specific certificate profile is present. Exploitation falls under ATT&CK T1190 (Exploit Public‑Facing Application) and can lead to lateral movement, data exfiltration, or script execution. Source: same advisory

📰 Original Source
https://www.cisecurity.org/advisory/a-vulnerability-in-pan-os-could-allow-for-authentication-bypass_2026-062

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Access is where most audits get tested.

Verisq AI Trust Operations maps incidents like this to your access controls and collects the evidence continuously, keeping your SOC 2 posture defensible.

See where you'd stand with Verisq AI Trust Operations →