HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Active Exploitation of Palo Alto Networks PAN‑OS Authentication Bypass (CVE‑2026‑0257) Threatens GlobalProtect VPNs

A critical authentication‑bypass vulnerability in Palo Alto Networks PAN‑OS (CVE‑2026‑0257) is being actively exploited to forge VPN cookies and gain admin access without credentials. The flaw affects GlobalProtect portal and gateway components, exposing organizations that rely on Palo Alto firewalls to unauthorized network access and supply‑chain risk.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 securityaffairs.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
4 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

Active Exploitation of Palo Alto Networks PAN‑OS Authentication Bypass (CVE‑2026‑0257) Threatens GlobalProtect VPNs

What It Is — A critical authentication‑bypass flaw in the GlobalProtect portal and gateway of Palo Alto Networks PAN‑OS (CVE‑2026‑0257) that lets an attacker forge VPN cookies and obtain admin‑level access without any credentials.

Exploitability — Rapid7 observed active exploitation within days of the vendor’s patch; a publicly disclosed proof‑of‑concept script demonstrates full compromise in seconds. CVSS 7.8 (High).

Affected Products — Palo Alto Networks PAN‑OS 9.x/10.x GlobalProtect portal and gateway. Panorama and Cloud NGFW deployments are not impacted.

TPRM Impact — Organizations that rely on Palo Alto firewalls as a third‑party security service face a supply‑chain foothold: attackers can tunnel into internal networks, bypass perimeter controls, and potentially move laterally to sensitive systems.

Recommended Actions

  • Apply Palo Alto’s May 13 2026 patch to all PAN‑OS devices immediately.
  • Separate and rotate certificates used for HTTPS and cookie encryption; avoid re‑using the same cert for both functions.
  • Enforce multi‑factor authentication for all GlobalProtect VPN logins.
  • Enable detailed logging of GlobalProtect authentication events and monitor for forged‑cookie signatures or spoofed MAC addresses.
  • Conduct an inventory of all GlobalProtect deployments, verify patch level, and remediate any out‑of‑date appliances.

Source: Security Affairs

📰 Original Source
https://securityaffairs.com/192951/security/u-s-cisa-adds-palo-alto-networks-pan-os-flaw-to-its-known-exploited-vulnerabilities-catalog.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Every gap like this maps to a control you can evidence.

The Verisq AI Trust Operations platform maps incidents to your control framework and collects the evidence continuously — so your Trust Center shows proof, not promises, when a buyer or auditor asks.

Explore the Verisq AI Trust Operations platform →