Active Exploitation of Palo Alto Networks PAN‑OS Authentication Bypass (CVE‑2026‑0257) Threatens GlobalProtect VPNs
What It Is — A critical authentication‑bypass flaw in the GlobalProtect portal and gateway of Palo Alto Networks PAN‑OS (CVE‑2026‑0257) that lets an attacker forge VPN cookies and obtain admin‑level access without any credentials.
Exploitability — Rapid7 observed active exploitation within days of the vendor’s patch; a publicly disclosed proof‑of‑concept script demonstrates full compromise in seconds. CVSS 7.8 (High).
Affected Products — Palo Alto Networks PAN‑OS 9.x/10.x GlobalProtect portal and gateway. Panorama and Cloud NGFW deployments are not impacted.
TPRM Impact — Organizations that rely on Palo Alto firewalls as a third‑party security service face a supply‑chain foothold: attackers can tunnel into internal networks, bypass perimeter controls, and potentially move laterally to sensitive systems.
Recommended Actions —
- Apply Palo Alto’s May 13 2026 patch to all PAN‑OS devices immediately.
- Separate and rotate certificates used for HTTPS and cookie encryption; avoid re‑using the same cert for both functions.
- Enforce multi‑factor authentication for all GlobalProtect VPN logins.
- Enable detailed logging of GlobalProtect authentication events and monitor for forged‑cookie signatures or spoofed MAC addresses.
- Conduct an inventory of all GlobalProtect deployments, verify patch level, and remediate any out‑of‑date appliances.
Source: Security Affairs