Palo Alto PAN-OS GlobalProtect authentication bypass CVE-2026-0257 actively exploited since May 17, added to CISA KEV - patch urgently
Palo Alto Networks has confirmed that CVE-2026-0257 (CVSS 7.8), a GlobalProtect authentication-bypass flaw in PAN-OS and Prisma Access, is under active exploitation. The flaw lets attackers bypass authentication and establish an unauthorized VPN connection; it affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Rapid7 identified successful exploitation across numerous customers dating back to May 17, with a second wave on May 21, attributed to the same threat actor; in two cases the attacker received a VPN IP and reached the internal network. CISA added the CVE to its KEV catalog on May 29.
- Check: Inventory PAN-OS and Prisma Access firewalls with GlobalProtect portal/gateway configured. Check whether authentication-override cookies are enabled. Review VPN logs for unauthorized sessions since May 17.
- Affected: PAN-OS firewalls with GlobalProtect portal or gateway when authentication-override cookies are enabled and a specific certificate configuration exists. Exploitation confirmed across numerous Rapid7 customers since May 17.
- Fix: Apply the Palo Alto patch urgently. Temporary mitigation: disable the authentication-override feature or generate a dedicated certificate for it. FCEB agencies must remediate per CISA KEV deadline.
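
One way to run the configuration part of the check against an exported config, as an added example that is not from the advisory or from Palo Alto Networks: it lists each GlobalProtect portal or gateway config with authentication-override cookies turned on and reports whether the cookie certificate is referenced anywhere else, to compare against the dedicated-certificate mitigation. The XML element names and the sample export are assumptions constructed for illustration; confirm them against your own export before relying on the result.

```python
import xml.etree.ElementTree as ET
# Constructed, simplified export; element names are assumptions, not from the page.
SAMPLE_CONFIG = """<config>
<shared><ssl-tls-service-profile><entry name="gp-tls">
  <certificate>fw-cert</certificate></entry></ssl-tls-service-profile></shared>
<global-protect><global-protect-gateway>
  <entry name="gw-ext"><remote-user-tunnel-configs><entry name="all-users">
    <authentication-override><generate-cookie>yes</generate-cookie>
      <accept-cookie><cookie-lifetime>24</cookie-lifetime></accept-cookie>
      <cookie-encrypt-decrypt-cert>fw-cert</cookie-encrypt-decrypt-cert>
    </authentication-override></entry></remote-user-tunnel-configs></entry>
  <entry name="gw-int"><remote-user-tunnel-configs><entry name="staff">
    <authentication-override><generate-cookie>no</generate-cookie>
    </authentication-override></entry></remote-user-tunnel-configs></entry>
</global-protect-gateway><global-protect-portal>
  <entry name="portal1"><client-config><configs><entry name="agents">
    <authentication-override><generate-cookie>yes</generate-cookie>
      <cookie-encrypt-decrypt-cert>gp-cookie-only</cookie-encrypt-decrypt-cert>
    </authentication-override></entry></configs></client-config></entry>
</global-protect-portal></global-protect></config>"""
CERT_TAG = "cookie-encrypt-decrypt-cert"  # assumed name of the cookie cert setting

def audit_auth_override(xml_text):
    """Return one finding per portal/gateway config with override cookies on."""
    root = ET.fromstring(xml_text)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for node in root.iter("authentication-override"):
        generate = (node.findtext("generate-cookie") or "").strip() == "yes"
        accept = node.find("accept-cookie") is not None
        if not (generate or accept):
            continue  # cookies are off for this config: nothing to report
        cert = (node.findtext(CERT_TAG) or "").strip()
        names, kind, cur = [], None, node
        while cur in parent:  # walk up to name the owning portal or gateway
            cur = parent[cur]
            if cur.tag == "entry":
                names.append(cur.get("name", "?"))
            elif cur.tag.startswith("global-protect-"):
                kind = cur.tag
        # Dedicated means no element other than the cookie setting names this cert.
        reused = any(e.tag != CERT_TAG and (e.text or "").strip() == cert
                     for e in root.iter())
        findings.append({"kind": kind, "path": "/".join(reversed(names)),
                         "cert": cert, "dedicated": bool(cert) and not reused})
    return findings

for finding in audit_auth_override(SAMPLE_CONFIG):
    print(finding)
```

A finding with `dedicated` set to false only means the certificate name appears in another setting; it does not by itself establish that the device is exploitable.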