CRITICAL VULNERABILITY ALERT: Palo Alto Networks GlobalProtect Flaw Under Active Attack - (CVE-2026-0257)

SILICON VALLEY — Cybersecurity researchers, threat intelligence firms, and vendor advisories have confirmed that a critical authentication bypass vulnerability in Palo Alto Networks’ PAN-OS GlobalProtect software is under active exploitation in the wild.
The flaw, tracked as CVE-2026-0257, carries a CVSS v4 score of 7.8 (High severity) and allows unauthenticated remote actors to completely circumvent standard identity checks. This grants attackers a direct gateway into restricted corporate networks protected by the affected Virtual Private Network (VPN) solution.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, underscoring the immediate danger to enterprise perimeters.
Technical Context: Cookie Forgery via Shared HTTPS Certificates
The root cause of CVE-2026-0257 is classified under CWE-565 (Reliance on Cookies without Validation and Integrity Checking). The flaw resides specifically within the GlobalProtect portal and gateway implementations when a highly specific configuration environment exists.
The vulnerability is exposed when the following conditions are met:
- Authentication Override Cookies are actively enabled on the portal or gateway to allow users to reconnect without repeatedly entering credentials.
- The firewall configuration reuses the same SSL/TLS certificate for both the public-facing GlobalProtect HTTPS service and the encryption/decryption of the authentication override cookies.
Because the certificate is exposed publicly via the HTTPS service, threat actors can easily extract the public key. Rapid7 researchers confirmed that attackers can use this key to forge valid authentication override cookies. When presented to an unpatched gateway, the device decrypts and trusts the spoofed cookie without proper signature verification, assigning a VPN IP address and establishing an unauthorized, fully authenticated session.
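The weakness the article describes is the general CWE-565 pattern: a cookie that the server can decrypt is treated as one the server issued, although anyone holding the public half of the certificate can produce a decryptable cookie. The following Python is an added illustration written for this article, not PAN-OS code or Rapid7's research. It models the public-key encryption layer as plain encoding (that layer contributes no integrity either way) and places the vulnerable validator beside a hardened one that requires an HMAC tag under a dedicated, server-only key; the key, claim names and cookie layout are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import os
import time

# Constructed demo secret (assumption): a server-only key dedicated to cookie
# integrity. It is never derived from, or shared with, the public TLS certificate.
COOKIE_INTEGRITY_KEY = hashlib.sha256(b"demo-only-dedicated-cookie-secret").digest()


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def craft_cookie_without_secret(user: str, lifetime: int = 3600) -> str:
    """What a party holding only public material can produce: well-formed claims
    with no integrity tag. Stands in for a cookie encrypted under the public key."""
    claims = {"user": user, "exp": int(time.time()) + lifetime}
    return _b64e(json.dumps(claims, sort_keys=True).encode())


def validate_cookie_vulnerable(cookie: str):
    """CWE-565 pattern: decode, check shape and expiry, then trust the claims.
    Nothing proves the server issued them, so the crafted cookie above passes."""
    try:
        claims = json.loads(_b64d(cookie))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError, JSONDecodeError
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < time.time():
        return None
    return claims.get("user")


def issue_cookie_hardened(user: str, key: bytes = COOKIE_INTEGRITY_KEY, lifetime: int = 3600) -> str:
    """Server-side issuance: claims plus an HMAC-SHA256 tag under the dedicated key."""
    claims = {"user": user, "exp": int(time.time()) + lifetime, "nonce": _b64e(os.urandom(8))}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64e(body) + "." + _b64e(tag)


def validate_cookie_hardened(cookie: str, key: bytes = COOKIE_INTEGRITY_KEY):
    """Verify the tag in constant time before acting on a single claim."""
    try:
        body_b64, tag_b64 = cookie.split(".")
        body, tag = _b64d(body_b64), _b64d(tag_b64)
    except ValueError:  # wrong number of segments or malformed base64
        return None
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(body)  # only reached for bytes this server produced
    if claims.get("exp", 0) < time.time():
        return None
    return claims.get("user")


if __name__ == "__main__":
    crafted = craft_cookie_without_secret("admin")
    print("vulnerable validator accepts crafted cookie as:", validate_cookie_vulnerable(crafted))
    print("hardened validator accepts crafted cookie as:", validate_cookie_hardened(crafted))
    print("hardened validator accepts genuine cookie as:", validate_cookie_hardened(issue_cookie_hardened("alice")))
```

The design point is that "decryptable" and "authentic" are different properties: confidentiality of the cookie body does nothing to stop a party with the public key from producing one, so the server needs a tag computed under material only it holds (an HMAC as here, or an AEAD mode with a dedicated key). That is the same separation the vendor's Option A achieves by giving the cookie feature its own certificate.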
Active Exploitation Patterns & Incident Response
According to threat monitoring reports, attackers have been observed utilizing this exploit in distinct waves. In multiple Managed Detection and Response (MDR) customer environments, security analysts detected malicious authentication probes using forged cookies.
While many early automated probes failed to maintain a full VPN session, later targeted waves successfully achieved internal network access. Security teams are urged to audit firewall logs for anomalies in GlobalProtect cookie utilization and unusual MAC address transitions.
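The audit guidance above (cookie-authentication anomalies and unusual MAC transitions) can be expressed as a few stateful rules over GlobalProtect authentication events. The script below is an added example for this article, not a Palo Alto Networks tool; it runs over constructed sample lines in a simplified key=value layout that is an assumption, not the real PAN-OS log schema, so the field names would need to be mapped to an actual log export. It flags bursts of failed cookie authentications from one source (the early probe waves), successful cookie logins for users with no preceding interactive credential login in the data, and MAC address changes between a user's successive logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (assumption): simplified key=value layout, not the
# real PAN-OS GlobalProtect log schema. Map these field names to your own export.
SAMPLE_LOG = """\
2026-02-10T08:00:05Z event=login-success auth=password user=alice src=198.51.100.7 mac=aa:bb:cc:00:00:01
2026-02-10T12:30:41Z event=login-success auth=cookie user=alice src=198.51.100.7 mac=aa:bb:cc:00:00:01
2026-02-10T12:31:02Z event=login-failure auth=cookie user=admin src=203.0.113.9 mac=de:ad:be:ef:00:01
2026-02-10T12:31:03Z event=login-failure auth=cookie user=admin src=203.0.113.9 mac=de:ad:be:ef:00:02
2026-02-10T12:31:04Z event=login-failure auth=cookie user=admin src=203.0.113.9 mac=de:ad:be:ef:00:03
2026-02-10T13:02:19Z event=login-success auth=cookie user=bob src=203.0.113.9 mac=de:ad:be:ef:00:09
2026-02-10T13:40:00Z event=login-success auth=cookie user=alice src=203.0.113.44 mac=11:22:33:44:55:66
""".splitlines()

# Interactive methods that legitimately precede an authentication override cookie (assumed vocabulary).
CREDENTIAL_AUTH = {"password", "mfa", "saml"}


def parse_line(line: str):
    """Parse one 'TIMESTAMP key=value ...' line; return None for lines that do not fit."""
    parts = line.split()
    if not parts:
        return None
    try:
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    except ValueError:
        return None
    rec = {"ts": ts}
    for kv in parts[1:]:
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def analyze(lines, probe_threshold: int = 3, probe_window_s: int = 60):
    """Return a list of findings; each is a dict with rule, user, src, at and detail."""
    findings = []
    credential_users = set()          # users seen completing an interactive login
    last_mac = {}                     # user -> MAC seen on their most recent successful login
    failures = defaultdict(list)      # src -> timestamps of recent failed cookie authentications
    for rec in filter(None, map(parse_line, lines)):
        user, src, event, auth = rec.get("user"), rec.get("src"), rec.get("event"), rec.get("auth")
        if event == "login-success" and auth in CREDENTIAL_AUTH:
            credential_users.add(user)
            last_mac[user] = rec.get("mac")
            continue
        if auth != "cookie":
            continue
        if event == "login-failure":
            # Sliding window of failed cookie attempts per source; fire once when the threshold is reached.
            window = [t for t in failures[src] if (rec["ts"] - t).total_seconds() <= probe_window_s]
            window.append(rec["ts"])
            failures[src] = window
            if len(window) == probe_threshold:
                findings.append({"rule": "cookie_probe_burst", "user": user, "src": src, "at": rec["ts"],
                                 "detail": f"{probe_threshold} failed cookie authentications within {probe_window_s}s"})
        elif event == "login-success":
            if user not in credential_users:
                findings.append({"rule": "cookie_without_credential_login", "user": user, "src": src,
                                 "at": rec["ts"], "detail": "cookie session with no preceding interactive login"})
            prev = last_mac.get(user)
            if prev is not None and prev != rec.get("mac"):
                findings.append({"rule": "mac_transition", "user": user, "src": src, "at": rec["ts"],
                                 "detail": f"MAC changed {prev} -> {rec.get('mac')}"})
            last_mac[user] = rec.get("mac")
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['at'].isoformat()} {f['rule']:32} user={f['user']} src={f['src']} {f['detail']}")
```

Two caveats when adapting this: the "no preceding interactive login" rule only works if the retained logs reach back to the user's original credential login, so a long-lived cookie can trip it spuriously until the lookback is widened, and a MAC change alone is expected when a user legitimately switches devices, so treat it as a correlation signal alongside the source address and the cookie-failure history rather than a standalone alert.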
Immediate Remediation and Mitigation Steps
Palo Alto Networks and CISA urge all administrators to treat this with the highest urgency. If an immediate upgrade to a patched PAN-OS version is not feasible, organizations must implement one of the following official workarounds to mitigate exposure:
Step 1: Verify Feature Exposure
- Check if the feature is active. In the management interface, navigate to Network > GlobalProtect > Portals or Gateways. Inspect the Agent configuration and check whether the Generate cookie for authentication override or Accept cookie for authentication override checkboxes are selected.
Option A (Recommended Mitigation): Isolate the Cookie Certificate
- Generate a brand-new, unique SSL/TLS certificate within PAN-OS. Assign this dedicated certificate only to the Authentication Override feature under the portal/gateway settings. Ensure it is completely separate from the certificate securing the public HTTPS portal service.
Option B (Alternative Mitigation): Disable Authentication Override
- Uncheck all options for generating and accepting cookies in both the GlobalProtect portal and gateway configuration menus. Save and commit the changes. This completely closes the attack surface at the expense of forcing users to re-authenticate manually on every connection.
Permanent Resolution: Deploy Fixed Firmware
- Schedule a maintenance window to upgrade the device firmware to the designated fixed minor version (e.g., PAN-OS 12.1.7 or 11.2.12).
Frequently Asked Questions (FAQ)
- What is the CVE identifier for this Palo Alto flaw?
  The vulnerability is tracked globally as CVE-2026-0257.
- What causes the authentication bypass in GlobalProtect?
  It stems from improper validation and integrity checking of authentication override cookies (CWE-565) when the same certificate is shared between cookie encryption and the public HTTPS portal.
- Is there a public proof-of-concept (PoC) available?
  Yes, threat researchers have developed functional proof-of-concept scripts demonstrating cookie replication, which has accelerated the urgency for immediate patching.