HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Active Exploitation of Palo Alto GlobalProtect Auth‑Bypass (CVE‑2026‑0257) Enables Unauthorized VPN Access

Palo Alto Networks confirmed that attackers are actively exploiting CVE‑2026‑0257, a flaw in GlobalProtect that lets unauthenticated users forge VPN cookies and bypass authentication. The issue highlights the need for rigorous SOC 2 control mapping and continuous evidence to prove secure access management.

LiveThreat™ Intelligence · 📅 June 15, 2026· 📰 securityaffairs.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Active Exploitation of Palo Alto GlobalProtect Auth‑Bypass (CVE‑2026‑0257) Enables Unauthorized VPN Access

What It Is — CVE‑2026‑0257 is an authentication‑bypass flaw in the GlobalProtect portal and gateway components of Palo Alto Networks PAN‑OS. The vulnerability allows an attacker to forge a valid authentication cookie and gain VPN access without any credentials.

Exploitability — Active exploitation has been confirmed by Palo Alto and Rapid7; a proof‑of‑concept script can obtain the public key from a mis‑used certificate, forge a cookie, and log in within seconds. The flaw is listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Affected Products — Palo Alto Networks PAN‑OS (GlobalProtect portal & gateway). Panorama and Cloud NGFW deployments are not affected.

Why It Matters for Compliance & Audit Readiness

  • Misconfiguration‑driven bypass defeats SOC 2 CC6.1 (Logical Access Control) and CC6.2 (Network Access Control) controls, exposing gaps in your access‑management evidence.
  • Continuous control mapping and automated evidence collection are required to prove that authentication mechanisms are properly segmented and that certificate usage is audited.
  • Enterprise buyers now demand demonstrable SOC 2 compliance; a known‑exploited flaw in a core VPN service can invalidate audit assertions if not remediated and documented.

Recommended Actions

  • Apply Palo Alto’s May 13 2026 patch immediately and verify version compliance across all GlobalProtect appliances.
  • Separate the TLS certificate used for HTTPS from the one used for cookie encryption; rotate keys and revoke any duplicated certificates.
  • Conduct a SOC 2 control mapping exercise for CC6.1/CC6.2, capturing configuration snapshots and patch‑status logs as audit evidence.
  • Enable continuous monitoring of GlobalProtect authentication logs for anomalous cookie‑based logins.
  • Document the remediation steps in your vendor‑risk and change‑management processes to satisfy audit reviewers.

Source: Security Affairs – Palo Alto Warns of Exploitation of VPN Bypass Exploits (CVE‑2026‑0257)

📰 Original Source
https://securityaffairs.com/193638/security/palo-alto-warns-of-exploitation-of-vpn-bypass-exploits-cve-2026-0257-in-pan-os-flaw.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →