High‑Severity Auth Bypass in Palo Alto GlobalProtect VPN (CVE‑2026‑0257) Actively Exploited
What It Is – Palo Alto Networks disclosed an authentication‑override cookie flaw in PAN‑OS GlobalProtect (CVE‑2026‑0257) that allows an attacker to bypass VPN login controls and establish an unauthorized connection.
Exploitability – Initially rated Medium because it required a specific configuration, the flaw was re‑rated High after Rapid7 observed active exploitation in the wild. No public PoC is required; attackers forge authentication‑override cookies and target the local admin account.
Affected Products – PAN‑OS GlobalProtect portal and gateway on any Palo Alto Networks firewall where authentication‑override cookies are enabled and the same certificate is reused for HTTPS and cookie signing.
TPRM Impact – A compromised VPN gateway can give a third‑party vendor a foothold inside a client’s internal network, exposing data and enabling lateral movement. Organizations that rely on Palo Alto GlobalProtect as a security‑perimeter service face supply‑chain risk if the vendor’s devices are not patched promptly.
Recommended Actions –
- Verify that all GlobalProtect appliances are running the patch released in May 2026.
- Disable authentication‑override cookies unless absolutely required.
- Use distinct certificates for HTTPS services and for cookie signing.
- Conduct an inventory of all PAN‑OS devices and confirm configuration compliance.
- Monitor for anomalous VPN connections and enforce MFA on GlobalProtect logins.
Source: BleepingComputer – Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks