Security
Palo Alto CVE-2026-0257: GlobalProtect authentication bypass actively exploited; CISA KEV
- Category: Security
- Status: confirmed
- Sources: Palo Alto advisory, Help Net Security
- Summary: CVE-2026-0257 (CVSS 9.1) is an authentication bypass in the PAN-OS GlobalProtect portal and gateway. Affected firewalls expose the public key used to encrypt authentication override cookies; an attacker obtains the key from the HTTPS service, forges a valid cookie, and establishes an unauthorized VPN session with no credentials. Active exploitation confirmed since 2026-05-17. CISA added to KEV with a federal deadline of 2026-06-01. Rapid7 observed successful exploitation in 8 of 10 affected MDR customers. Mitigation: disable authentication override cookies or generate a dedicated certificate used exclusively for that feature; patched PAN-OS versions are available.
- Why it matters: Perimeter VPN appliances are high-value initial-access targets; cookie-forgery exploitation is low-complexity, requires no user interaction, and affects any firewall with the misconfigured authentication override certificate binding.
- Follow-up: Monitor for patch adoption rates and expanded exploitation scope.