Cyberuptive

PAN-OS CVE-2026-0257: GlobalProtect KEV Guide

CISA’s May 29 KEV addition for CVE-2026-0257 should move GlobalProtect review into the emergency lane. This is not just a version check. Teams need to verify a specific authentication-override configuration, apply fixed PAN-OS or Prisma Access versions, and review VPN authentication evidence for signs of suspicious cookie-based access.

CISA added CVE-2026-0257, a Palo Alto Networks PAN-OS GlobalProtect authentication bypass vulnerability, to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a June 1, 2026 remediation due date. The KEV entry identifies the affected product as PAN-OS and the vulnerability name as “Palo Alto Networks PAN-OS Authentication Bypass Vulnerability” (CISA KEV JSON catalog).

Palo Alto Networks rates the issue HIGH with a suggested urgency of HIGHEST and says authentication bypass vulnerabilities in the GlobalProtect portal and gateway can allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. Palo Alto Networks also says it is aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied (Palo Alto Networks advisory).

For security leaders, the operational takeaway is clear: if GlobalProtect is internet-facing, do not wait for a normal patch cycle. Confirm whether authentication override cookies are enabled, confirm the certificate configuration, deploy the fixed release, and preserve authentication logs before they roll over.

What is CVE-2026-0257 in PAN-OS GlobalProtect?

CVE-2026-0257 affects the GlobalProtect portal and gateway in Palo Alto Networks PAN-OS and Prisma Access when a specific authentication override configuration is present. Palo Alto Networks says Panorama and Cloud NGFW are not impacted (Palo Alto Networks advisory).

The vulnerable condition is not simply “running PAN-OS.” Palo Alto Networks says exposure requires GlobalProtect portal or gateway configuration where authentication override cookies are enabled and a specific certificate configuration exists. For portals, the relevant options are “Generate cookie for authentication override” or “Accept cookie for authentication override.” For gateways, the relevant setting is “Accept cookie for authentication override” (Palo Alto Networks advisory).

That distinction matters for triage. Asset teams need both a version inventory and a configuration inventory. One firewall can be on an affected release without the vulnerable feature path enabled, while another GlobalProtect deployment on the same release needs urgent patching because the cookie configuration is present.

Why did CISA KEV inclusion raise the priority?

KEV inclusion means CISA has evidence of active exploitation and has placed the CVE under its operational remediation catalog. For federal civilian agencies, the June 1 due date creates a formal deadline. For private-sector organizations, it is a high-confidence signal that the issue is being exploited and should be handled as an edge-device incident-response priority rather than a routine vulnerability ticket (CISA KEV JSON catalog).

Rapid7 reported observed exploitation across multiple customers, with the earliest observed exploitation on May 17, 2026, and a second wave on May 21. Rapid7 said it did not observe successful lateral movement from the devices, but it did observe suspicious cookie-based authentication activity and, in a subset of cases, VPN IP assignment after cookie authentication (Rapid7 analysis).

This is why the response should combine patching with evidence review. Edge VPN appliances sit close to identity, remote access, and internal network reachability. A patch closes the known vulnerability path, but log review helps answer whether anyone used it before the fix landed.

Who is affected?

Palo Alto Networks lists affected PAN-OS and Prisma Access release trains with fixed versions. Security teams should consult the vendor advisory for the exact upgrade path, but the fixed baselines include:

Palo Alto Networks says Cloud NGFW is not affected and requires no action (Palo Alto Networks advisory).

What should teams do in the first 24 hours?

Confirm internet-facing GlobalProtect scope

Start with the externally reachable attack surface. Identify GlobalProtect portals and gateways, management ownership, current PAN-OS or Prisma Access versions, and whether the assets are directly internet-facing or exposed through another access layer.

Do not rely only on CMDB records. Check DNS, certificates, firewall policy, load balancer configuration, external attack surface scans, and recent remote-access architecture diagrams. Our vulnerability scanning services are built around exactly this kind of edge-exposure discovery.

Verify authentication override configuration

Palo Alto Networks identifies authentication override settings as the key exposure condition. Review each GlobalProtect portal and gateway for cookie generation or acceptance settings, and document whether the authentication override cookie certificate is dedicated or reused (Palo Alto Networks advisory).

The evidence should include screenshots or exported configuration, the owner who validated the setting, the timestamp, and the remediation decision.
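As an added illustration (not the vendor's tooling and not code from this guide), the check below walks an exported GlobalProtect configuration and reports, per portal and gateway, whether the cookie options are enabled and whether the cookie certificate is also serving TLS rather than being dedicated. The XML layout, element and attribute names in the sample are assumed for illustration; map them to the real export before use.

```python
import xml.etree.ElementTree as ET

# Constructed sample of an exported GlobalProtect configuration. The element and
# attribute names are an ASSUMED layout for illustration, not the real PAN-OS schema.
SAMPLE_CONFIG = """<config><global-protect>
  <portals>
    <entry name="gp-portal-ext" ssl-cert="gp-tls-cert">
      <authentication-override generate-cookie="yes" accept-cookie="yes" cert="gp-tls-cert"/>
    </entry>
    <entry name="gp-portal-lab" ssl-cert="lab-tls-cert">
      <authentication-override generate-cookie="no" accept-cookie="no"/>
    </entry>
  </portals>
  <gateways>
    <entry name="gp-gw-ext" ssl-cert="gp-tls-cert">
      <authentication-override accept-cookie="yes" cert="gp-tls-cert"/>
    </entry>
    <entry name="gp-gw-apac" ssl-cert="apac-tls-cert">
      <authentication-override accept-cookie="yes" cert="cookie-only-cert"/>
    </entry>
  </gateways>
</global-protect></config>"""


def audit_auth_override(xml_text):
    """Return one finding per portal/gateway: which cookie options are enabled and
    whether the cookie certificate also serves TLS (i.e. is not dedicated)."""
    root = ET.fromstring(xml_text)
    nodes = []
    for kind in ("portals", "gateways"):
        for e in root.iterfind(f"./global-protect/{kind}/entry"):
            ao = e.find("authentication-override")
            nodes.append({
                "name": e.get("name"),
                "kind": kind[:-1],                       # "portal" or "gateway"
                "tls_cert": e.get("ssl-cert"),
                "generate": ao is not None and ao.get("generate-cookie") == "yes",
                "accept": ao is not None and ao.get("accept-cookie") == "yes",
                "cookie_cert": ao.get("cert") if ao is not None else None,
            })
    # Every TLS certificate in use; a cookie certificate that appears here is reused,
    # which is what the vendor's "dedicated certificate" mitigation is meant to remove.
    tls_certs = {n["tls_cert"] for n in nodes}
    for n in nodes:
        n["override_enabled"] = n["generate"] or n["accept"]
        n["cert_reused"] = n["cookie_cert"] in tls_certs
        n["needs_action"] = n["override_enabled"]        # patch, or mitigate first
    return nodes
```

Each finding is the record to attach to the evidence package, alongside who validated it and when.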

Patch to the fixed release

Apply the vendor-supplied fixed version for the relevant PAN-OS or Prisma Access train. If a direct upgrade path is not available, document the interim step, owner, maintenance window, rollback plan, and compensating controls. Our patch management services can run this on a controlled change cadence with evidence capture.

Palo Alto Networks notes that after the fix, users may need to re-authenticate once if the firewall uses authentication override cookies for the GlobalProtect portal or gateway because the firewall regenerates the cookie using a more secure method (Palo Alto Networks advisory).

Apply mitigations where patching cannot happen immediately

Palo Alto Networks lists two mitigation paths: use a new certificate exclusively for authentication override cookies and store it securely, or disable authentication override by unchecking the relevant cookie options in the GlobalProtect portal and gateway configuration (Palo Alto Networks advisory).

Use mitigations as a bridge, not a substitute for patching. Because CISA has added the issue to KEV and Palo Alto Networks reports exploit attempts, the target state should still be a fixed version.

What evidence should security teams review?

Log review should focus on abnormal GlobalProtect authentication and VPN assignment patterns around the exploitation window and before the patch date.

Recommended evidence:

  • GlobalProtect authentication logs: unusual cookie-based authentication, local account logons, unexpected hostnames, or authentication from unfamiliar infrastructure.
  • VPN session logs: successful VPN IP assignment, session duration, internal route access, and user-to-device correlation.
  • Administrative activity: changes to GlobalProtect portal, gateway, certificate, authentication override, or local account settings.
  • Identity logs: MFA prompts, impossible travel, abnormal sign-in source geography, or unexpected access after VPN authentication.
  • Endpoint and network telemetry: lateral movement indicators, unusual internal scanning, or access to sensitive segments after suspicious VPN sessions.

Rapid7 published detection names for customers of its MDR and InsightIDR services, including suspicious GlobalProtect cookie authentication to local admin accounts and suspicious VPN authentication involving local accounts (Rapid7 analysis).

Avoid building the response around a single indicator. Infrastructure changes quickly. The durable detection logic is anomalous authentication, unexpected VPN session establishment, and access patterns inconsistent with normal remote-access behavior. If your team lacks the telemetry coverage to run this hunt, our managed detection and response and SOC-as-a-Service teams can review VPN authentication evidence on your behalf.
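An added example of the durable detection logic described above, not Rapid7's detection content and not code from this page: it flags cookie-based gateway authentications between the earliest reported exploitation date and the local patch time, and raises severity for local accounts and for a VPN IP assignment that follows from the same source. The field names and sample records are constructed assumptions, not vendor log field names.

```python
from datetime import datetime, timedelta

# Constructed sample records in the shape a SIEM might normalise GlobalProtect logs
# into. Field names and values are ASSUMED for illustration, not vendor field names.
FIELDS = ("ts", "user", "account", "auth", "event", "src", "vpn_ip")
SAMPLE_EVENTS = [dict(zip(FIELDS, r)) for r in [
    ("2026-05-16T09:02:10", "alice",   "directory", "saml",   "gateway-auth",   "203.0.113.10", None),
    ("2026-05-17T03:14:05", "admin",   "local",     "cookie", "gateway-auth",   "198.51.100.7", None),
    ("2026-05-17T03:14:09", "admin",   "local",     "cookie", "config-release", "198.51.100.7", "10.20.0.15"),
    ("2026-05-18T11:40:00", "bob",     "directory", "cookie", "gateway-auth",   "203.0.113.22", None),
    ("2026-05-21T22:05:31", "svc-vpn", "local",     "cookie", "gateway-auth",   "192.0.2.99",   None),
]]

EARLIEST_OBSERVED = datetime(2026, 5, 17)   # earliest exploitation reported by Rapid7
SEVERITY = {1: "review", 2: "high", 3: "critical"}


def hunt_cookie_auth(events, patched_at_iso, pair_window=timedelta(minutes=5)):
    """Flag cookie-based gateway authentications between the earliest reported
    exploitation and the local patch time. Severity rises for local accounts and
    when a VPN IP assignment follows from the same user and source within pair_window."""
    patched_at = datetime.fromisoformat(patched_at_iso)
    parsed = sorted(({**e, "t": datetime.fromisoformat(e["ts"])} for e in events),
                    key=lambda e: e["t"])
    findings = []
    for i, e in enumerate(parsed):
        if e["auth"] != "cookie" or e["event"] != "gateway-auth":
            continue
        if not (EARLIEST_OBSERVED <= e["t"] < patched_at):
            continue
        # Look ahead for an IP assignment tied to the same user and public source.
        assigned = next((f["vpn_ip"] for f in parsed[i + 1:]
                         if f["user"] == e["user"] and f["src"] == e["src"]
                         and f["vpn_ip"] and f["t"] - e["t"] <= pair_window), None)
        score = 1 + (e["account"] == "local") + (assigned is not None)
        findings.append({"ts": e["ts"], "user": e["user"], "src": e["src"],
                         "local_account": e["account"] == "local",
                         "vpn_ip": assigned, "severity": SEVERITY[score]})
    return findings
```

Treat "critical" findings (cookie authentication to a local account followed by an IP assignment) as the sessions to pivot into endpoint and identity telemetry first.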

How should leaders govern the response?

This is an edge-device risk with business impact. Leaders should ask for a short, auditable remediation package:

  • Inventory: all GlobalProtect portals and gateways, exposure status, versions, and owners.
  • Configuration evidence: authentication override status and certificate reuse validation.
  • Patch status: target fixed version, maintenance window, rollback plan, and completion timestamp.
  • Mitigation status: whether authentication override was disabled or a dedicated certificate was generated before patching.
  • Log review: time window reviewed, detections used, suspicious events found, and follow-up actions.
  • Exceptions: any unpatched or unvalidated systems, with compensating controls and deadlines.

The goal is not just to close a CVE. It is to show that the organization can identify exposed edge infrastructure, change risky configuration quickly, and validate whether exploitation occurred before the window closed.

Frequently asked questions about CVE-2026-0257

What is CVE-2026-0257?

CVE-2026-0257 is a PAN-OS GlobalProtect authentication bypass vulnerability that can allow an attacker to establish an unauthorized VPN connection when the affected configuration is present (Palo Alto Networks advisory).

When did CISA add CVE-2026-0257 to KEV?

CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a June 1, 2026 due date (CISA KEV JSON catalog).

Is every PAN-OS firewall vulnerable?

No. Exposure depends on affected PAN-OS or Prisma Access versions and a GlobalProtect authentication override configuration involving authentication override cookies and certificate handling (Palo Alto Networks advisory).

What is the fastest mitigation if we cannot patch today?

Palo Alto Networks recommends either using a dedicated certificate exclusively for authentication override cookies or disabling authentication override in the GlobalProtect portal and gateway configuration (Palo Alto Networks advisory).

Is Cloud NGFW affected?

No. Palo Alto Networks lists Cloud NGFW as unaffected and requiring no action (Palo Alto Networks advisory).

What logs should we review?

Review GlobalProtect authentication logs, VPN session logs, local account authentication, certificate and configuration changes, identity telemetry, and internal access after suspicious VPN sessions. Rapid7 reported observing suspicious cookie-based authentication activity tied to exploitation attempts (Rapid7 analysis).

Cyberuptive runs a 24/7 follow-the-sun SOC staffed by U.S.-based analysts, headquartered in Honolulu and serving customers across Asia-Pacific and the U.S. mainland. We help mid-market organizations, MSPs, and Pacific defense subcontractors validate edge exposure, prioritize KEV remediation, review GlobalProtect and VPN authentication telemetry, and package evidence for executives, auditors, and incident-response stakeholders.

Read our vulnerability scanning services, our patch management services, and our managed detection and response, or talk to us about a targeted CVE-2026-0257 response review.

Aloha, let’s talk

Need help triaging PAN-OS CVE-2026-0257?

A 30-minute scoping call gives you a real plan for GlobalProtect exposure validation, authentication override review, fast patching, and VPN authentication evidence — tailored to your stack. No commitment.