Palo Alto PAN-OS CVE-2026-0257: GlobalProtect VPN Bypass Is Exploited

CVE-2026-0257 lets attackers bypass GlobalProtect restrictions on exposed PAN-OS portals and gateways when authentication override cookies are misconfigured. Palo Alto confirms limited exploitation.

Palo Alto Networks has updated its PAN-OS advisory for CVE-2026-0257 after seeing limited exploit attempts against unpatched devices without mitigations. The flaw affects GlobalProtect portal and gateway deployments where authentication override cookies are enabled together with a risky certificate configuration, letting an attacker bypass restrictions and establish an unauthorized VPN connection.[1]

CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026, with a federal remediation due date of June 1, 2026.[2] NVD lists the issue as a critical CVSS 3.1 vulnerability with a 9.1 score, while Palo Alto’s CVSS 4.0 assessment is 7.8 high with exploit maturity marked as attacked.[3]

[Figure: editorial comic about fixing GlobalProtect authentication override cookie settings. Caption: The safest VPN cookie is the one that gets a dedicated key or gets switched off.]

The practical risk is not a generic VPN bug in every Palo Alto product. Palo Alto says Panorama and Cloud NGFW are not affected, and exposure depends on GlobalProtect portal or gateway settings. That nuance matters: teams that do not use authentication override cookies may not have the exposed condition, while teams that do use them should treat the setting as urgent until patched or mitigated.

What admins should check first

Start with externally reachable GlobalProtect portals and gateways. In the portal configuration, review Network > GlobalProtect > Portals, then the relevant portal, agent configuration, and Authentication tab. If either “Generate cookie for authentication override” or “Accept cookie for authentication override” is enabled, the deployment deserves immediate review. For gateways, Palo Alto points admins to Network > GlobalProtect > Gateways, the gateway agent settings, Client Settings, and the Authentication Override tab, where “Accept cookie for authentication override” may be enabled.[1]

Fixed releases are available across supported PAN-OS branches. Palo Alto lists fixed or unaffected targets including 12.1.7 or 12.1.4-h6, 11.2.12 or branch-specific hotfixes such as 11.2.10-h7, 11.1.15 or relevant hotfixes, and 10.2.18-h6 or earlier branch hotfixes. Prisma Access is being upgraded on the provider schedule, but self-managed firewall owners should verify their own maintenance window instead of assuming coverage.

There is one user-impact detail to plan for: after the fix, GlobalProtect users may need to re-authenticate once because the firewall regenerates authentication override cookies using a more secure method. That is operationally inconvenient, but it is better than leaving a trusted VPN entrance dependent on a reusable cookie/certificate setup that is now the subject of an exploited CVE.

If patching cannot happen immediately, Palo Alto’s mitigation is narrow and actionable: use a dedicated certificate for Authentication Override cookies, store it securely, do not reuse the portal or gateway certificate, and do not share it with other features or users. The stronger temporary move is to disable Authentication Override by unchecking the generate/accept cookie options on the portal and gateway until fixed builds are installed.[1]

For incident response, review recent GlobalProtect authentication and session logs for unusual successful VPN connections, unfamiliar source networks, unexpected user-agent patterns, and sessions that do not match normal MFA or cookie refresh behavior. The same edge-device urgency applies here as in earlier exploited firewall and access-control stories, including Palo Alto PAN-OS CVE-2026-0300, Cisco SD-WAN CVE-2026-20182, and large-scale Fortinet exposure. Keep exploit details out of tickets, but make the asset list, software version, GlobalProtect exposure, and cookie setting explicit so remediation does not become a vague “VPN patch” task.
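The log review described above can be scripted once GlobalProtect authentication events are exported. The following is an added example, not code from Palo Alto or from the sources cited here. The record layout, the `full`/`cookie` labels, the 24-hour cookie lifetime and the /24 source grouping are all assumptions to map onto your own log fields and configuration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_network

# Constructed sample records, normalized for this example; this is NOT the
# native PAN-OS log format. Each tuple is one successful login:
# (timestamp, user, source IP, auth) where auth is "full" (password/MFA)
# or "cookie" (authentication override cookie accepted).
SAMPLE = [
    ("2026-05-20T08:00:00", "alice", "198.51.100.10", "full"),
    ("2026-05-20T17:30:00", "alice", "198.51.100.10", "cookie"),
    ("2026-05-21T03:12:00", "bob", "203.0.113.77", "cookie"),
    ("2026-05-21T07:00:00", "alice", "192.0.2.45", "cookie"),
    ("2026-05-23T09:00:00", "alice", "198.51.100.10", "cookie"),
]

# Assumption: replace with the cookie lifetime configured on your portal/gateway.
COOKIE_LIFETIME = timedelta(hours=24)


def review(events, lifetime=COOKIE_LIFETIME, prefix=24):
    """Return (timestamp, user, reasons) for cookie logins that need a look."""
    last_full = {}  # user -> time of the last full authentication in the data
    seen_nets = {}  # user -> source networks seen on earlier successful logins
    findings = []
    for ts, user, src, auth in sorted(events):  # ISO timestamps sort in order
        when = datetime.fromisoformat(ts)
        net = ip_network(f"{src}/{prefix}", strict=False)
        reasons = []
        if auth == "cookie":
            full = last_full.get(user)
            if full is None:
                # Within the reviewed window only; widen the export if unsure.
                reasons.append("no prior full authentication")
            elif when - full > lifetime:
                reasons.append("cookie older than lifetime")
            if net not in seen_nets.get(user, set()):
                reasons.append("unfamiliar source network")
        else:
            last_full[user] = when
        seen_nets.setdefault(user, set()).add(net)
        if reasons:
            findings.append((ts, user, reasons))
    return findings


if __name__ == "__main__":
    for ts, user, reasons in review(SAMPLE):
        print(ts, user, "; ".join(reasons))
```

A finding here is a lead for manual review, not proof of compromise: a user whose last full login predates the exported window will also be flagged.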

References

  1. Palo Alto Networks Product Security Assurance, CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities, published May 13, 2026; updated May 29, 2026.
  2. CISA, Known Exploited Vulnerabilities catalog entry for CVE-2026-0257, added May 29, 2026.
  3. NIST National Vulnerability Database, CVE-2026-0257 Detail, published May 13, 2026; modified May 29, 2026.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
