HIGH: Palo Alto GlobalProtect Authentication Bypass Under Active Exploitation (CVE-2026-0257)
Palo Alto Networks confirmed active exploitation of CVE-2026-0257, an authentication bypass in PAN-OS GlobalProtect that lets attackers establish unauthorized VPN sessions without credentials. CVSS 7.8, added to CISA KEV, patches available across all supported branches.
If you run Palo Alto Networks firewalls with GlobalProtect, today is one of those days when the patch window matters more than the change management meeting. Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, an authentication bypass in the GlobalProtect portal and gateway that lets attackers establish unauthorized VPN sessions on vulnerable PAN-OS appliances. The flaw carries a CVSS score of 7.8, which puts it in the high category rather than critical, but Palo Alto rated the urgency as "highest" for a reason. Exploitation has been observed in the wild since May 17, 2026, and CISA has already added the bug to the Known Exploited Vulnerabilities catalog with a federal remediation deadline of June 1.
What CVE-2026-0257 Actually Does
The vulnerability lives in the way GlobalProtect handles authentication override cookies, a feature that exists specifically so users do not have to retype their credentials every time the agent reconnects. Under the right configuration, an attacker who can reach the portal or gateway can forge a session that the appliance accepts as valid, completely sidestepping the actual authentication flow. The end result is an attacker with a working VPN connection to your environment, sitting inside whatever network the gateway services, without ever presenting credentials, completing MFA, or tripping the conditional access policy you spent months tuning.
Palo Alto's advisory describes the impact in plain terms. The flaw "allows attackers to bypass security restrictions and establish an unauthorized VPN connection." That single sentence is doing a lot of work. A successful exploit does not produce a shell, does not drop malware, and does not require a foothold elsewhere in the environment. It just gives the attacker the keys to the front door of your remote access infrastructure, which is increasingly where defenders have placed most of their trust.
The vulnerability requires a specific configuration to be exploitable. The affected appliance must have a GlobalProtect portal or gateway configured, the authentication override cookies feature must be enabled, and a particular certificate configuration must be present. That sounds like a narrow window, but anyone who has run GlobalProtect at scale will tell you that override cookies are extremely common in enterprises that prioritize user experience. They are the reason your laptops do not pop a login prompt every time they switch from Starbucks Wi-Fi to a hotel network.
Versions, Patches, and the Awkward Truth
PAN-OS 12.1, 11.2, 11.1, and 10.2 are all in scope, along with Prisma Access on the 10.2.0 and 11.2.0 branches. Cloud NGFW customers can exhale. They are not affected. Palo Alto has shipped patches across all supported PAN-OS branches, with the fix landing in PAN-OS 12.1.4-h6 and 12.1.7 on the newest branch, plus corresponding hotfixes on 11.2, 11.1, and 10.2. The vendor advisory at security.paloaltonetworks.com has the full matrix, and if you are still running anything older than 10.2, you have problems that predate this CVE.
One detail worth highlighting for anyone planning the maintenance window. After the upgrade, all GlobalProtect users will be forced to re-authenticate even if they hold a valid cookie. That is intentional. The patch invalidates the cookie format that the bypass abused, and there is no clean way to do that without bouncing every active session. Plan for a flood of helpdesk tickets in the first hour after the change, and warn the executives whose laptops will suddenly demand a fresh MFA prompt during their morning email triage.
For organizations that cannot patch immediately, Palo Alto offered two mitigations. The first is to provision a dedicated certificate exclusively for the authentication override cookies, isolating that trust path from the rest of the GlobalProtect signing chain. The second is to simply disable the authentication override feature in the GlobalProtect configuration. Disabling the feature is the cleanest path technically, but it will force every remote worker through a full authentication flow on every reconnect, and the user experience hit is real. Pick your poison based on how patient your users are.
What Exploitation Looks Like
Palo Alto has been refreshingly specific about the post-exploitation artifacts defenders should hunt for. The company reported that observed exploit attempts arrived from nine malicious IP addresses, with the published addresses ranging from 23.128.228.6 to 202.144.192.47. Sessions that successfully connected after the bypass shared a few telltale traits. The endpoint operating system reported by GlobalProtect was consistently Microsoft Windows 10 Pro 64-bit, the hostname matched generic patterns like WINDOWS-LAPTOP-001, DESKTOP-GP01, and GP-CLIENT, and the source user domain field was empty. None of those traits is individually damning. Plenty of legitimate clients show generic hostnames, especially in environments with weak naming standards. But the combination, particularly an empty domain field paired with a stock hostname connecting from one of those IPs, is a strong signal that something is wrong.
The company also noted that "only a small portion of the probed devices actually established VPN sessions." Read that carefully. It does not mean the campaign is small. It means the attacker was scanning widely and selectively exploiting the targets that matched the vulnerable configuration. That is a much more methodical pattern than a smash-and-grab, and it suggests the operator knows exactly what they are doing.
Perhaps most curious is what has not happened. Palo Alto noted that "no post-access behavior or lateral movement has been identified as of this time." The attackers connected, established sessions, and then apparently sat on the access. That could mean the campaign is still in a reconnaissance phase, that the operator is selling access to other groups, or that defenders simply have not caught the next stage yet. None of those possibilities are comforting. Initial access brokers have become a core fixture of the ransomware economy, and a freshly opened VPN tunnel into a corporate network is exactly the kind of inventory those brokers list for sale.
How to Hunt for It Right Now
Anyone running an affected version should start with the GlobalProtect logs. Search successful gateway-connected events for sessions where the endpoint OS string is exactly "Microsoft Windows 10 Pro 64-bit," the source user domain field is blank, and the hostname matches one of the generic patterns. Cross-reference the source IP against the published indicator list, but do not stop there. The published IPs are the ones Palo Alto caught. There are almost certainly others. Any anomalous session that matches the hostname and domain pattern deserves a closer look, regardless of source IP.
Once you have a list of suspicious sessions, pivot into your EDR and identity logs for the user accounts those sessions claimed. If an attacker authenticated as a legitimate user without ever touching the user's MFA app, the identity provider will have no record of an interactive sign-in for that session. That mismatch between "appliance says authenticated" and "IdP says we never asked the user" is one of the cleanest detection opportunities the bypass leaves behind. SIEM correlation between GlobalProtect connection events and Entra ID or Okta sign-in logs will surface anomalies quickly if you are storing both streams.
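A hunt that applies the three session traits above together with the IdP correlation, written here as an added example rather than Palo Alto's own tooling. The flat comma-separated event layout, the sample gateway-connected events, and the sign-in records are all constructed; only the two indicator addresses quoted on this page are included, so the IP set is deliberately incomplete.

```python
import re
from datetime import datetime, timedelta

# Constructed sample GlobalProtect gateway-connected events (not real PAN-OS log output).
# Fields: time, source IP, user, source user domain, hostname, endpoint OS string.
GP_EVENTS = """\
2026-05-18T08:02:11Z,23.128.228.6,jdoe,,WINDOWS-LAPTOP-001,Microsoft Windows 10 Pro 64-bit
2026-05-18T08:05:40Z,198.51.100.7,asmith,CORP,ASMITH-X1,Microsoft Windows 11 Pro 64-bit
2026-05-18T09:14:02Z,203.0.113.9,bjones,,GP-CLIENT,Microsoft Windows 10 Pro 64-bit
2026-05-18T09:20:55Z,198.51.100.22,cdavis,CORP,WINDOWS-LAPTOP-001,Microsoft Windows 10 Pro 64-bit
"""

# Constructed IdP interactive sign-in records (user, time). A genuine VPN logon should
# have an interactive sign-in shortly before the gateway-connected event.
IDP_SIGNINS = """\
asmith,2026-05-18T08:05:12Z
cdavis,2026-05-18T09:20:30Z
"""

# Only the two addresses quoted on the page; the published list has nine entries.
KNOWN_BAD_IPS = {"23.128.228.6", "202.144.192.47"}
GENERIC_HOSTS = re.compile(r"^(WINDOWS-LAPTOP-\d+|DESKTOP-GP\d+|GP-CLIENT)$")
TARGET_OS = "Microsoft Windows 10 Pro 64-bit"
WINDOW = timedelta(minutes=5)  # assumed tolerance between IdP sign-in and VPN connect

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def hunt(gp_text, idp_text):
    """Return (user, src_ip, hostname, reasons) for every event that trips a signal."""
    signins = {}
    for line in idp_text.splitlines():
        user, ts = line.split(",")
        signins.setdefault(user, []).append(parse_ts(ts))
    findings = []
    for line in gp_text.splitlines():
        ts, src, user, domain, host, os_name = line.split(",")
        reasons = []
        # The advisory's combined trait: stock OS string + empty domain + generic hostname.
        if os_name == TARGET_OS and domain == "" and GENERIC_HOSTS.match(host):
            reasons.append("generic hostname with empty domain and Win10 Pro string")
        if src in KNOWN_BAD_IPS:
            reasons.append("source IP in published indicator list")
        # Appliance says authenticated, IdP never saw the user: no sign-in in the window.
        t = parse_ts(ts)
        if not any(timedelta(0) <= t - s <= WINDOW for s in signins.get(user, [])):
            reasons.append("no IdP interactive sign-in within 5 minutes before connect")
        if reasons:
            findings.append((user, src, host, reasons))
    return findings

if __name__ == "__main__":
    for finding in hunt(GP_EVENTS, IDP_SIGNINS):
        print(finding)
```

The cdavis session shows why the traits are evaluated together: a generic hostname alone, backed by a domain value and a matching IdP sign-in, produces no finding.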
If you find evidence of unauthorized sessions, treat affected user accounts as compromised even if no post-access behavior is visible. Rotate credentials, invalidate refresh tokens, and audit anything that account touched during the suspect timeframe. The fact that no lateral movement has been documented publicly does not mean none occurred in your environment, and the cost of assuming clean while being dirty dwarfs the cost of forced password rotations.
The MSP Angle
This is exactly the kind of vulnerability that turns into a service conversation. Every client running a Palo Alto firewall with GlobalProtect needs the patch deployed, the configuration reviewed, the logs hunted, and ideally a written attestation that the work was completed. That is a perimeter assessment offering ready to invoice, and it pairs naturally with an ongoing managed firewall service if you are not already running one. The bigger sales motion is around remote access posture in general. Authentication bypass bugs in VPN appliances have been the most reliable initial access vector of the last three years, and a tabletop exercise that walks a client through "what happens if your VPN gets bypassed" is a remarkably effective way to surface budget for darkweb monitoring, identity threat detection, and conditional access tuning. Lead with the patch, follow with the program.
References
- Palo Alto Networks Security Advisory CVE-2026-0257
https://security.paloaltonetworks.com/CVE-2026-0257
- The Hacker News Coverage
https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html
- CISA Known Exploited Vulnerabilities Catalog
https://www.cisa.gov/known-exploited-vulnerabilities-catalog