HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

High‑Severity Auth Bypass in Palo Alto GlobalProtect VPN (CVE‑2026‑0257) Actively Exploited

Palo Alto Networks reports that CVE‑2026‑0257, an authentication‑override cookie flaw in GlobalProtect VPN, is being actively exploited against unpatched PAN‑OS devices. The vulnerability enables attackers to forge VPN credentials and gain unauthorized network access, creating a supply‑chain risk for organizations that depend on Palo Alto as a security service provider.

LiveThreat™ Intelligence · 📅 May 31, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
bleepingcomputer.com

High‑Severity Auth Bypass in Palo Alto GlobalProtect VPN (CVE‑2026‑0257) Actively Exploited

What It Is – Palo Alto Networks disclosed an authentication‑override cookie flaw in PAN‑OS GlobalProtect (CVE‑2026‑0257) that allows an attacker to bypass VPN login controls and establish an unauthorized connection.

Exploitability – Initially rated Medium because it required a specific configuration, the flaw was re‑rated High after Rapid7 observed active exploitation in the wild. No public PoC is required; attackers forge authentication‑override cookies and target the local admin account.

Affected Products – PAN‑OS GlobalProtect portal and gateway on any Palo Alto Networks firewall where authentication‑override cookies are enabled and the same certificate is reused for HTTPS and cookie signing.

TPRM Impact – A compromised VPN gateway can give a third‑party vendor a foothold inside a client’s internal network, exposing data and enabling lateral movement. Organizations that rely on Palo Alto GlobalProtect as a security‑perimeter service face supply‑chain risk if the vendor’s devices are not patched promptly.

Recommended Actions

  • Verify that all GlobalProtect appliances are running the patch released in May 2026.
  • Disable authentication‑override cookies unless absolutely required.
  • Use distinct certificates for HTTPS services and for cookie signing.
  • Conduct an inventory of all PAN‑OS devices and confirm configuration compliance.
  • Monitor for anomalous VPN connections and enforce MFA on GlobalProtect logins.

Source: BleepingComputer – Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks

📰 Original Source
https://www.bleepingcomputer.com/news/security/palo-alto-globalprotect-vpn-auth-bypass-flaw-now-exploited-in-attacks/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →