
Palo Alto PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Actively Exploited

Cybersecurity teams around the world are being urged to take immediate action following the discovery of a critical vulnerability in Palo Alto Networks’ PAN-OS software. The flaw, identified as CVE-2026-0257 and assigned a CVSS score of 7.8, is already being actively exploited in the wild. The vulnerability affects the GlobalProtect portal and gateway and allows attackers to establish unauthorized VPN connections without requiring valid user credentials. Security researchers found that the issue stems from weaknesses in how PAN-OS handles authentication override cookies. Under certain configurations, attackers can obtain a publicly accessible TLS certificate and use it to create forged authentication cookies, effectively bypassing normal login requirements.
What makes this vulnerability particularly concerning is its simplicity. Due to missing integrity checks within the authentication process, forged cookies can be accepted as legitimate, potentially granting attackers privileged VPN access to an organization’s internal network. Once connected, threat actors may be able to move laterally, access sensitive resources, and conduct further malicious activities.
Security researchers from Rapid7 reported observing active exploitation campaigns targeting multiple organizations. In one of the identified attack waves, threat actors successfully obtained VPN access and were assigned internal network addresses, providing them with deeper access to victim environments.
The seriousness of the issue has prompted the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to add CVE-2026-0257 to its Known Exploited Vulnerabilities catalog. A public proof-of-concept exploit is also available, increasing the likelihood of widespread attacks by lowering the technical barrier for cybercriminals.
Palo Alto Networks has confirmed that Panorama and Cloud NGFW products are not affected. However, organizations using GlobalProtect with Authentication Override enabled should immediately review their configurations, generate a dedicated certificate specifically for authentication override cookies, and upgrade to a patched PAN-OS version as soon as possible. As cyber threats continue to evolve, this incident serves as another reminder of the importance of timely patch management and proactive security monitoring. Organizations that delay remediation may face a significantly increased risk of unauthorized network access and potential data compromise.
