Palo Alto Networks recently updated its security advisory for CVE-2026-0257, a vulnerability within the PAN-OS GlobalProtect VPN technology. Originally disclosed and addressed in May, the flaw allows unauthorized users to bypass authentication mechanisms and access the VPN without valid credentials. Last week, Palo Alto Networks noted limited unauthorized access attempts against unpatched PAN-OS devices. Rapid7 researchers also published a report identifying successful unauthorized access across numerous affected organizations beginning as early as May 17. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 29.
Assessing the operational risk
An internal researcher initially discovered the flaw, which received a CVSSv4 score of 7.8 (High severity, upgraded from an initial 4.7). The rating reflects the specific prerequisites required for the vulnerability to be present: firewalls must have the GlobalProtect portal or gateway configured with authentication override cookies enabled, alongside a specific certificate configuration.
However, security professionals advise treating the situation as a critical priority. Denis Calderon, CTO at Suzu Labs, notes that while the CVSS calculus accurately reflects the direct impact, the operational reality of an unauthenticated administrative VPN session into an internal network is a critical event. Rapid7 echoes this guidance, urging organizations to prioritize remediation due to the significant potential impact of an authentication bypass on an enterprise edge device.
Rapid7 observed successful unauthorized access across multiple environments. In these instances, threat actors used forged authentication cookies to impersonate legitimate users and authenticate to GlobalProtect gateways. A second wave of activity occurred on May 21, during which some unauthorized parties were assigned VPN addresses, granting them internal network access. So far, researchers have not observed indications of successful lateral movement from these devices.
Technical mechanism of the vulnerability
The underlying issue resides in the "authentication override" feature. When enabled, this allows a GlobalProtect portal or gateway to issue cookies to an authenticated user. These cookies act similarly to bearer tokens for future communications, bypassing the need to re-enter credentials. This feature is not enabled by default.
The vulnerability specifically manifests when the certificate used to encrypt and decrypt these override cookies is the exact same certificate used for the GlobalProtect portal or gateway’s HTTPS service.
Rapid7’s technical analysis confirmed that under this shared-certificate configuration, the system implicitly trusts decrypted cookies without verifying their authenticity. Because the public key is exposed through the HTTPS service, unauthorized parties can obtain it and generate their own forged cookies. The VPN gateway then accepts these forged cookies as valid, allowing the establishment of an authenticated session. Rapid7 validated this mechanism by developing a proof-of-concept testing methodology that successfully authenticated against vulnerable configurations.
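The design flaw described above, reduced to a toy: a cookie that is only encrypted to a public key anyone can fetch from the HTTPS service "decrypts fine", so treating decryption as proof of issuance lets an outsider mint accepted cookies. This is an added illustration, not PAN-OS, Palo Alto Networks or Rapid7 code; the textbook RSA keypair, the cookie layout and the HMAC key (a stand-in for dedicated key material the gateway never exposes) are all constructed here.

```python
"""Toy model of 'decryptable is not authentic' (constructed example, not PAN-OS code)."""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Textbook RSA on two Mersenne primes: unpadded and tiny, fine for a toy, never for production.
P, Q = (1 << 127) - 1, (1 << 89) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: held by the gateway only
PUBLIC_KEY = (N, E)                  # what the HTTPS service hands to every client
MAC_KEY = secrets.token_bytes(32)   # stand-in for dedicated, never-exposed key material

def rsa_encrypt(plaintext: bytes, pub: Tuple[int, int]) -> int:
    """Anyone holding the public key can run this, which is the whole problem."""
    n, e = pub
    m = int.from_bytes(plaintext, "big")
    assert m < n, "payload too long for the toy modulus"
    return pow(m, e, n)

def rsa_decrypt(cipher: int) -> bytes:
    m = pow(cipher, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# --- weak scheme: the gateway trusts whatever decrypts -----------------------
def weak_issue(user: str) -> int:
    return rsa_encrypt(user.encode(), PUBLIC_KEY)

def weak_accept(cookie: int) -> str:
    return rsa_decrypt(cookie).decode()  # no check that the gateway produced this cookie

# --- hardened scheme: decryption plus a MAC only the gateway can compute ------
def _tag(cookie: int) -> str:
    return hmac.new(MAC_KEY, cookie.to_bytes(32, "big"), hashlib.sha256).hexdigest()

def hard_issue(user: str) -> Tuple[int, str]:
    cookie = rsa_encrypt(user.encode(), PUBLIC_KEY)
    return cookie, _tag(cookie)

def hard_accept(cookie: int, tag: str) -> Optional[str]:
    if not hmac.compare_digest(_tag(cookie), tag):
        return None                      # forged or tampered cookie: reject before decrypting
    return rsa_decrypt(cookie).decode()
```

In the weak scheme `rsa_encrypt(b"someone-else", PUBLIC_KEY)` is accepted as a legitimate session for that user; in the hardened scheme the same ciphertext fails the MAC check, which is the property a dedicated, unexposed cookie certificate is meant to restore.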
Immediate remediation and defensive guidance
Edge security devices are critical boundaries for corporate networks, requiring strict maintenance to prevent unauthorized access. Earlier this year, organizations addressed a separate PAN-OS vulnerability (CVE-2025-0108) involving PHP script invocation. To maintain a strong defensive posture against CVE-2026-0257, affected organizations should apply the vendor-supplied PAN-OS updates immediately.
If immediate patching is not feasible, Palo Alto Networks provides clear configuration adjustments to secure the environment. Administrators should generate a dedicated, unique certificate exclusively for authentication-override cookies and store it securely. It is vital not to reuse the portal or gateway HTTPS certificate for this purpose, and the dedicated certificate should not be shared with other features or users.
Alternatively, organizations can disable the authentication override feature entirely. To do this, administrators must clear all related options for generating and accepting cookies in the GlobalProtect portal and gateway configurations. Taking these steps ensures the continued integrity of the network perimeter.