The vulnerability, tracked as CVE-2026-0257, affects GlobalProtect portal and gateway deployments in PAN-OS where authentication override cookies are enabled alongside a specific certificate configuration. Successful exploitation can allow a remote attacker without valid credentials to bypass security restrictions and establish an unauthorised VPN connection, potentially placing the intruder inside a protected network perimeter.
Palo Alto Networks published its advisory on 13 May and updated it on 29 May after becoming aware of limited exploit attempts against unpatched systems where mitigations had not been applied. The company now rates the issue as high severity, with a CVSS 4.0 score of 7.8 and the highest urgency level. The CVSS exploit maturity metric has been changed to "Attacked", signalling confirmed abuse in the wild rather than a theoretical risk.
The flaw affects supported PAN-OS 10.2, 11.1, 11.2 and 12.1 branches below specific fixed releases. Prisma Access 10.2 and 11.2 are also covered by the advisory, with upgrades being applied through scheduled customer processes. Panorama and Cloud NGFW are not affected, narrowing the exposure to GlobalProtect portal and gateway configurations that meet the vulnerable conditions.
Security teams have been urged to upgrade immediately to fixed PAN-OS versions. For 12.1 these are 12.1.4-h6, or 12.1.7 and later; for 11.2, 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12 and later; for 11.1, 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15 and later; and for 10.2, fixed builds such as 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6 and later. Maintenance releases that are not listed with a hotfix and sit below the "and later" baseline for their branch should be treated as unfixed. Older, unsupported PAN-OS versions need migration to a supported fixed version.
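Reading a PAN-OS advisory version list by hand is error-prone, because a build such as 12.1.5 sits numerically between two fixed builds yet is not fixed. The following is an added example, not code from Palo Alto Networks or from this article, that encodes the fixed builds listed above and answers "is this running version at or above a fixed build for its branch?" The interpretation it applies (a listed hotfix covers that maintenance release and later hotfixes of it; the "and later" entry covers everything from that build upward; any other maintenance release in the branch is unfixed) is the usual reading of these advisories and is an assumption here, as is the decision to treat branches absent from the advisory as unsupported. The 10.2 entries are marked "such as" in the text, so that table may be incomplete. A fixed version only removes the software defect; it says nothing about whether the appliance's cookie and certificate configuration made it exposed before the upgrade.

```python
import re
from typing import Optional, Tuple

# Fixed builds as reported in the advisory summary above. Per branch:
# (hotfix thresholds keyed by maintenance release, first build from which
# everything later is fixed). Assumption: 10.2 is "such as", so it may be
# incomplete; extend it from the vendor advisory before relying on it.
FIXED_BUILDS = {
    (12, 1): ({4: 6}, (7, 0)),
    (11, 2): ({4: 17, 7: 14, 10: 7}, (12, 0)),
    (11, 1): ({4: 33, 6: 32, 7: 6, 10: 25, 13: 5}, (15, 0)),
    (10, 2): ({7: 34, 10: 36, 13: 21, 16: 7}, (18, 6)),
}

# Matches strings like "11.2.10-h7" or "12.1.7"; other suffixes are rejected
# rather than guessed at.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_fixed(version: str) -> Optional[bool]:
    """True if the build is at or above a fixed build for its branch,
    False if it is below one, None if the branch is not in the advisory
    (unsupported: migrate rather than hotfix)."""
    major, minor, maint, hotfix = parse_panos_version(version)
    branch = FIXED_BUILDS.get((major, minor))
    if branch is None:
        return None
    hotfix_thresholds, baseline = branch
    # Everything from the "and later" build upward is fixed.
    if (maint, hotfix) >= baseline:
        return True
    # Otherwise only a listed maintenance release with a high enough hotfix.
    threshold = hotfix_thresholds.get(maint)
    return threshold is not None and hotfix >= threshold


if __name__ == "__main__":
    for v in ("12.1.4-h6", "12.1.5", "12.1.7", "11.2.11", "10.2.18-h5", "10.2.19", "11.0.3"):
        print(f"{v:12} fixed={is_fixed(v)}")
```

Run it against the version reported by `show system info` on each portal and gateway; a `False` means patch now, a `None` means the branch is out of support and the advisory's fixed builds do not apply to it.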
The risk is elevated because VPN appliances sit at the edge of enterprise networks and often act as the first control point for remote staff, contractors and administrators. An authentication bypass at this layer gives an attacker a foothold without ever passing the normal username and password checks, before any lateral movement or data theft has to occur. That makes exposure management, log review and rapid patching as important as the software fix itself.
Threat investigators observed successful exploitation across multiple customer environments, with the earliest confirmed activity dated 17 May. One wave involved suspicious cookie-based authentication to a local administrator account from infrastructure linked to a hosting provider. A second wave on 21 May involved VPN IP assignment after cookie authentication, giving the attacker network access through GlobalProtect.
No confirmed lateral movement was observed in the investigated environments, but the pattern underlines the danger for organisations that operate remote access infrastructure without strict monitoring and segmentation. The available evidence points to exploitation that depends on specific configuration conditions, rather than universal exposure across every PAN-OS deployment.
The vulnerability has also been added to the US CISA Known Exploited Vulnerabilities catalogue, which requires covered federal civilian agencies to apply mitigations or stop using the affected product where no mitigation is available. The catalogue entry set a 1 June remediation deadline, reflecting the short window between public disclosure, observed exploitation and mandated action.
Palo Alto Networks has advised administrators to check GlobalProtect portal and gateway settings through the management interface and review whether authentication override cookies are generated or accepted. With the fix, systems configured to use such cookies will regenerate them through a more secure method. GlobalProtect users will need to re-authenticate once after an upgrade even if they previously held a valid cookie.
The case adds to a wider pattern of attacks against edge devices, where firewalls, VPN concentrators and identity gateways have become priority targets for espionage groups and financially motivated attackers. These systems are attractive because they combine internet exposure, privileged network placement and trusted status inside enterprise environments.
Organisations running affected Palo Alto Networks appliances are being advised to prioritise patching over routine maintenance cycles, review GlobalProtect authentication logs for unusual cookie-based logins, investigate unexpected local administrator activity, and verify whether any VPN sessions were created from unfamiliar hosting providers or geographic locations. Because the attacker never presents credentials, a successful cookie authentication that is not preceded by a credential-based login from the same user and address is the pattern to look for. Network segmentation and tighter administrator controls can reduce the damage if an attacker has already obtained access.
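The log review described above can be scripted. The following is an added example, not code from Palo Alto Networks or from this article, that walks a GlobalProtect log export in time order and flags cookie-based successes that lack an earlier credential-based login for the same user from the same public address, that come from outside the organisation's expected source networks, or that target a local administrator account. Everything in it is constructed: the CSV column names are assumptions loosely modelled on GlobalProtect log fields and will need mapping to your firewall's actual export, the sample rows are invented and use documentation IP ranges, and the expected-network and local-admin lists are placeholders.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Constructed sample export. NOT real PAN-OS output; column names are assumed.
SAMPLE_LOG = """\
receive_time,event_id,auth_method,source_user,public_ip,private_ip,status
2026/05/17 02:14:09,gateway-auth,LDAP,alice,203.0.113.10,,success
2026/05/17 02:31:44,gateway-auth,Cookie,alice,203.0.113.10,10.20.0.6,success
2026/05/17 03:05:12,gateway-auth,Cookie,admin,198.51.100.77,,success
2026/05/21 11:40:03,gateway-login,Cookie,admin,198.51.100.77,10.20.0.9,success
2026/05/21 12:02:55,gateway-auth,Cookie,bob,192.0.2.44,,failure
"""

# Assumed corporate egress ranges and local administrator account names.
EXPECTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]
LOCAL_ADMIN_ACCOUNTS = {"admin"}


@dataclass
class Finding:
    time: str
    user: str
    public_ip: str
    reasons: Tuple[str, ...]


def triage(log_text: str) -> List[Finding]:
    """Return suspicious cookie-based successes, in log order."""
    # user -> public IPs from which a non-cookie (credential) login succeeded
    credential_logins: Dict[str, Set[str]] = {}
    findings: List[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["status"] != "success":
            continue
        user, ip_str = row["source_user"], row["public_ip"]
        if row["auth_method"].lower() != "cookie":
            # A cookie is only legitimately issued after one of these.
            credential_logins.setdefault(user, set()).add(ip_str)
            continue
        reasons = []
        if ip_str not in credential_logins.get(user, set()):
            reasons.append("no earlier credential-based login for this user from this address")
        ip = ipaddress.ip_address(ip_str)
        if not any(ip in net for net in EXPECTED_SOURCE_NETS):
            reasons.append(f"source {ip_str} outside expected networks")
        if user in LOCAL_ADMIN_ACCOUNTS:
            reasons.append("local administrator account")
        if not reasons:
            continue  # cookie use consistent with a prior normal login
        if row["private_ip"]:
            # Context only: a tunnel came up, so network access was obtained.
            reasons.append(f"VPN address {row['private_ip']} assigned")
        findings.append(Finding(row["receive_time"], user, ip_str, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.time}  {f.user:8} {f.public_ip:16} " + "; ".join(f.reasons))
```

In the constructed data, alice's cookie login follows an LDAP login from the same address and is left alone, while both admin events are reported, the second with the assigned VPN address so that the analyst knows to check what that address did next. For a real investigation the "earlier credential login" lookup should span a window longer than the cookie lifetime configured on the portal, and source addresses should additionally be checked against hosting-provider and geolocation data.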