
Palo Alto GlobalProtect VPN Auth Bypass Flaw Under Attack


Hoplon InfoSec

01 Jun, 2026

Palo Alto GlobalProtect VPN Auth Bypass Flaw Now Exploited in Attacks

The Palo Alto GlobalProtect VPN auth bypass flaw is now being exploited against unpatched systems, and the risk is bigger than the score may suggest.
Attackers can abuse affected GlobalProtect portal or gateway setups to create unauthorized VPN connections, giving them a possible path into private networks.

The Palo Alto GlobalProtect VPN auth bypass flaw, known as CVE-2026-0257, impacts specific setups of PAN-OS and Prisma Access GlobalProtect portals or gateways. It can let an unauthenticated attacker bypass security controls and establish an unauthorized VPN connection. Palo Alto Networks says exploitation has been observed against unpatched devices without mitigations, and Rapid7 reported that exploitation began as early as May 17, 2026.

Data Insight: Key Technical Details

Item | Details
CVE ID | CVE-2026-0257
Vulnerability type | PAN-OS authentication bypass
Affected component | GlobalProtect portal and gateway
Main impact | Unauthorized VPN connection
Attack vector | Network
Attack complexity | Low
User interaction | None
Privileges required | None
CVSS | 7.8 (High), according to the Palo Alto Networks advisory
Exploitation status | Attacked; limited exploit attempts reported
Weakness | CWE-565, reliance on cookies without validation and integrity checking
Published | May 13, 2026
Updated | May 29, 2026
CISA KEV | Added May 29, 2026; required action due June 1, 2026, per the NVD listing
Known malware | No specific malware publicly documented in the official advisory
Threat actor | Not publicly attributed by Palo Alto Networks or Rapid7

Palo Alto Networks states that the issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration is present. Panorama and Cloud NGFW are not impacted.

What Happened?

The Palo Alto GlobalProtect VPN auth bypass flaw moved from advisory status to active exploitation status in late May 2026.

Palo Alto Networks first published the advisory for CVE-2026-0257 on May 13, 2026. On May 29, the company updated it to say it was aware of limited exploit attempts against unpatched PAN-OS devices without mitigations.

Rapid7 also reported real-world exploitation. Its MDR team observed successful exploitation across numerous customers, with the earliest observed activity on May 17, 2026. Rapid7 said it did not observe successful lateral movement in those monitored cases, but the VPN access itself is still serious.

That detail matters. A VPN is not a random web app. It is a front door.

If an attacker gets through the VPN layer, the next question becomes uncomfortable: what can they reach after that?

What is CVE-2026-0257?

CVE-2026-0257 is a vulnerability that allows bypassing authentication in Palo Alto Networks PAN-OS GlobalProtect. It can allow an attacker to bypass security restrictions and establish an unauthorized VPN connection through affected GlobalProtect portal or gateway systems.

A simple example:

  • A normal user connects to GlobalProtect.

  • The VPN checks identity using authentication controls.

  • In affected configurations, handling of authentication override cookies can be abused.

  • An attacker may connect without passing the normal security process.

This is why the GlobalProtect authentication cookie vulnerability is dangerous. It attacks trust. Once trust is broken at the VPN layer, normal network boundaries become weaker.

Why This Matters

The Palo Alto GlobalProtect VPN auth bypass flaw matters because VPN systems sit at the edge of corporate networks.

Our lab view is simple: a VPN authentication bypass is never just a VPN issue. It is an identity issue, a network access issue, and sometimes a business continuity issue.

For a business, the risk may include:

  • Unauthorized access to internal services

  • Exposure of file shares, intranet portals, admin panels, or remote desktop systems

  • Increased chance of credential theft

  • Compliance pressure if regulated data is reachable

  • Incident response cost

  • Loss of trust from customers and partners

For a regular user, the impact is different. The user may not see anything unusual. Their laptop works. Their VPN still connects. But behind the scenes, security teams may be dealing with suspicious VPN sessions, unknown IP addresses, or strange authentication logs.

That is the painful part. The attack can look quiet.

Figure: GlobalProtect VPN attack flow

How the Attack Works

The attack targets affected GlobalProtect portal or gateway configurations where authentication override cookies are enabled and a specific certificate configuration exists.

The core idea is not magic. It is abuse of a trusted authentication mechanism.

Based on public reporting and vendor guidance, the likely flow looks like this:

  1. The attacker identifies an exposed GlobalProtect portal or gateway.

  2. The system is running an affected PAN-OS or Prisma Access version.

  3. Authentication override cookies are enabled.

  4. The attacker abuses cookie validation weakness.

  5. The attacker establishes a VPN connection without normal authentication.

  6. The VPN may assign an internal IP address.

  7. The attacker may attempt internal reconnaissance.

Rapid7 observed suspicious cookie authentication activity and later saw VPN IP assignment following cookie authentication in a second exploitation wave. Rapid7 linked the activity to hosting providers including Vultr and Dramatics Systems but did not publicly name a specific threat actor.

Technical Analysis of the Authentication Bypass

The PAN-OS authentication bypass is tied to authentication override cookies.

Authentication override cookies are used to reduce repeated login prompts. That can be convenient for users. But convenience creates risk when cookie validation is weak or certificate handling is misconfigured.

The official advisory lists the weakness as CWE-565: Reliance on Cookies without Validation and Integrity Checking.

In practical terms, this means defenders should focus on three areas:

  • Cookie authentication events

  • Certificate usage for authentication override

  • Unexpected VPN logins from unusual infrastructure

This is not only about patching. It is also about finding whether someone already entered.

Why the CVSS Score Can Mislead Teams

The CVSS score is listed as 7.8 (High) in Palo Alto’s advisory. That is serious, but some teams may still delay patching because it is not a 9.8 or 10.

That would be a mistake.

Rapid7 urged organizations to treat this as critical because it affects an edge-facing enterprise VPN appliance.

Ask yourself this: would you ignore a side door just because the lock manufacturer rated the weakness “High” instead of “Critical”?

Probably not.


Active Exploitation Timeline

Date | Event
May 13, 2026 | Palo Alto Networks published the advisory for CVE-2026-0257
May 17, 2026 | Earliest successful exploitation observed by Rapid7
May 18, 2026 | Rapid7 investigated suspicious cookie authentication activity
May 21, 2026 | Rapid7 observed a second wave of exploitation
May 29, 2026 | Palo Alto Networks updated the advisory with exploitation status
May 29, 2026 | CISA KEV listing appeared in the NVD record
June 1, 2026 | CISA KEV due date for required action, as listed in NVD

NVD lists CISA KEV information for Palo Alto Networks PAN-OS Authentication Bypass Vulnerability, with date added May 29, 2026, and due date June 1, 2026.

Rapid7 Investigation Findings

Rapid7’s findings are important because they show exploitation was not theoretical.

Rapid7 MDR observed:

  • Successful exploitation across numerous customers

  • Earliest observed exploitation on May 17, 2026

  • Suspicious cookie authentication to a local admin account

  • Activity from hosting provider infrastructure

  • A second wave on May 21

  • VPN IP assignment after cookie authentication in later activity

  • No observed successful lateral movement in the monitored cases

That final point is useful, but it should not create false comfort. No observed lateral movement does not mean no risk. It means Rapid7 did not see that stage in those specific monitored cases.

Who is Affected?

You may be affected if you use Palo Alto Networks PAN-OS with GlobalProtect portal or gateway and the vulnerable configuration is present.

Affected versions include several PAN-OS 12.1, 11.2, 11.1, and 10.2 releases below the fixed versions. Prisma Access 10.2 and 11.2 are also listed with fixed versions. Palo Alto Networks says Cloud NGFW is not affected.


CVE-2026-0257 Affected Versions and Fixed Versions

Product | Affected versions | Fixed versions
PAN-OS 12.1 | Below 12.1.4-h6 and below 12.1.7 | 12.1.4-h6, or 12.1.7 and later
PAN-OS 11.2 | Below 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, 11.2.12 | Fixed versions listed by Palo Alto
PAN-OS 11.1 | Below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15 | Fixed versions listed by Palo Alto
PAN-OS 10.2 | Below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6 | Fixed versions listed by Palo Alto
Prisma Access 11.2.0 | Below 11.2.7-h13 | 11.2.7-h13 or later
Prisma Access 10.2.0 | Below 10.2.10-h36 | 10.2.10-h36 or later
Cloud NGFW | Not affected | No action needed

Before publishing or applying changes, verify the latest fixed releases from Palo Alto Networks’ official advisory because vendor guidance can change quickly.

Figure: PAN-OS patch checklist

Potential Business Impact

The Palo Alto VPN vulnerability can affect business operations in several ways.

1. Unauthorized Network Access

The direct risk is an unauthorized VPN connection vulnerability. An attacker may gain access to internal network ranges that were never meant to be public.

2. Data Exposure

If internal systems trust VPN users too much, the attacker may find:

  • File servers

  • Internal dashboards

  • Development systems

  • Admin interfaces

  • Legacy applications

  • Poorly protected databases

3. Compliance Risk

For U.S. organizations, this may affect compliance programs tied to:

  • NIST Cybersecurity Framework

  • CISA KEV remediation expectations

  • SOC 2 security controls

  • HIPAA environments

  • PCI DSS networks

  • State privacy obligations

4. Incident Response Cost

Even if no data theft is confirmed, teams may need to review logs, rotate credentials, validate VPN sessions, and inspect internal movement. That takes time.

Indicators of Compromise

Public sources do not provide a complete universal IOC list for every environment. Still, defenders can look for suspicious patterns.

Check for:

  • Unexpected GlobalProtect cookie authentication

  • Local admin account VPN login activity

  • VPN logins from hosting providers or data centers

  • New VPN sessions from countries not normally used by employees

  • Unusual MAC addresses repeated across sessions

  • VPN IP assignment after cookie-based login

  • Login success without normal MFA flow

  • New internal scanning from VPN IP pools

  • Failed followed by successful cookie-based authentication events

Rapid7 shared an example involving suspicious cookie authentication to a local admin account and activity from hosting provider infrastructure.

Detection and Monitoring Strategies

The best detection strategy is to combine firewall logs, VPN logs, identity logs, and network telemetry.

What to Monitor

  • GlobalProtect authentication logs

  • Gateway-auth events

  • Cookie authentication success events

  • Admin account login activity

  • VPN source IP addresses

  • Assigned VPN IP addresses

  • Endpoint activity after VPN connection

  • Internal DNS requests from VPN pools

  • SMB, RDP, SSH, LDAP, and database access from VPN ranges

Example SIEM Logic

Use this as a starting idea, not a final production rule:

Search:
GlobalProtect authentication logs
WHERE auth_method = "Cookie"
AND result = "success"
AND username IN ("admin", "administrator", "local_admin")
AND source_ip NOT IN known_employee_ip_ranges

Add context:

  • Is the source IP a hosting provider?

  • Is the user expected to use cookie auth?

  • Was MFA completed?

  • Was a VPN IP assigned?

  • Did the session access internal services?

GlobalProtect VPN Attack Detection Tip

Do not only search for failed logins. Authentication bypass cases may show successful events. That feels backwards, but it is exactly why this class of issue is dangerous.
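The following Python script is an added illustration of the SIEM idea above and of the later advice to correlate VPN-assigned IPs with internal logs; it is not code from Hoplon Infosec, Palo Alto Networks or Rapid7. The log records, IP ranges and hosting-provider table are constructed sample data, and the field names (auth_method, result, src_ip, assigned_ip, mfa) are assumptions that mirror the pseudo-rule, so map them to your own SIEM schema. It applies the rule (successful cookie authentication for an admin account from outside employee ranges), attaches the context questions listed above, and then joins each flagged session's assigned VPN IP to internal access records.

```python
import ipaddress
from collections import defaultdict

# Constructed sample data, not real logs or real infrastructure.
EMPLOYEE_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
ADMIN_ACCOUNTS = {"admin", "administrator", "local_admin"}

# Constructed hosting-provider context table; a real deployment would use an
# IP-to-ASN enrichment source instead of a static dictionary.
HOSTING_PROVIDER_RANGES = {
    ipaddress.ip_network("203.0.113.0/24"): "example-hosting-a",
    ipaddress.ip_network("192.0.2.0/24"): "example-hosting-b",
}

# Constructed GlobalProtect-style authentication events (field names are assumptions).
AUTH_EVENTS = [
    {"ts": "2026-05-17T02:13:51Z", "user": "admin", "auth_method": "Cookie",
     "result": "failure", "src_ip": "203.0.113.25", "mfa": False, "assigned_ip": None},
    {"ts": "2026-05-17T02:14:09Z", "user": "admin", "auth_method": "Cookie",
     "result": "success", "src_ip": "203.0.113.25", "mfa": False, "assigned_ip": "10.50.1.23"},
    {"ts": "2026-05-17T08:02:10Z", "user": "jdoe", "auth_method": "Cookie",
     "result": "success", "src_ip": "198.51.100.14", "mfa": True, "assigned_ip": "10.50.1.40"},
    {"ts": "2026-05-17T09:20:00Z", "user": "admin", "auth_method": "Password",
     "result": "success", "src_ip": "198.51.100.7", "mfa": True, "assigned_ip": "10.50.1.41"},
]

# Constructed internal access records keyed by the VPN-assigned source IP.
INTERNAL_ACCESS = [
    {"ts": "2026-05-17T02:15:30Z", "src_ip": "10.50.1.23", "dst_ip": "10.10.0.5", "service": "SMB"},
    {"ts": "2026-05-17T02:16:02Z", "src_ip": "10.50.1.23", "dst_ip": "10.10.0.9", "service": "RDP"},
    {"ts": "2026-05-17T08:05:11Z", "src_ip": "10.50.1.40", "dst_ip": "10.10.0.20", "service": "HTTPS"},
]


def hosting_provider(ip_str):
    """Return the constructed hosting-provider label for an IP, or None."""
    ip = ipaddress.ip_address(ip_str)
    for net, label in HOSTING_PROVIDER_RANGES.items():
        if ip in net:
            return label
    return None


def in_employee_ranges(ip_str):
    """True when the source IP falls inside a known employee range."""
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in EMPLOYEE_RANGES)


def suspicious_cookie_logins(events):
    """Apply the article's rule, then attach the context it asks you to add.

    Successful events are the signal here: a bypass shows up as a success,
    so failures are only used as supporting context (failed-then-success)."""
    events = sorted(events, key=lambda e: e["ts"])
    failed_cookie_ips = set()
    hits = []
    for e in events:
        if e["auth_method"] != "Cookie":
            continue
        if e["result"] != "success":
            failed_cookie_ips.add(e["src_ip"])
            continue
        if e["user"] not in ADMIN_ACCOUNTS or in_employee_ranges(e["src_ip"]):
            continue
        reasons = ["cookie auth success for admin account from non-employee IP"]
        provider = hosting_provider(e["src_ip"])
        if provider:
            reasons.append(f"source IP belongs to hosting provider {provider}")
        if not e["mfa"]:
            reasons.append("no MFA completed")
        if e["assigned_ip"]:
            reasons.append(f"VPN IP {e['assigned_ip']} assigned")
        if e["src_ip"] in failed_cookie_ips:
            reasons.append("earlier failed cookie auth from same IP")
        hits.append({"event": e, "reasons": reasons})
    return hits


def correlate_internal(hits, access_logs):
    """Map each flagged session's assigned VPN IP to the internal services it touched."""
    by_src = defaultdict(list)
    for a in access_logs:
        by_src[a["src_ip"]].append(f"{a['service']}->{a['dst_ip']}")
    return {h["event"]["assigned_ip"]: by_src.get(h["event"]["assigned_ip"], [])
            for h in hits if h["event"]["assigned_ip"]}


if __name__ == "__main__":
    flagged = suspicious_cookie_logins(AUTH_EVENTS)
    touched = correlate_internal(flagged, INTERNAL_ACCESS)
    for h in flagged:
        e = h["event"]
        print(f"{e['ts']} {e['user']} from {e['src_ip']}: " + "; ".join(h["reasons"]))
        for svc in touched.get(e["assigned_ip"], []):
            print(f"    internal access: {svc}")
```

On the constructed data only the admin cookie login from the hosting-provider range is flagged; the employee's cookie login and the admin's MFA-backed password login pass, and the flagged session is tied to SMB and RDP access inside the network, which is the part an analyst needs to triage next.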

Patch and Mitigation Guidance

The safest fix is to upgrade to a fixed PAN-OS or Prisma Access version listed by Palo Alto Networks.

Palo Alto Networks also provides configuration checks for authentication override cookies in the portal and gateway. The advisory explains where to check cookie settings in the GlobalProtect Portal and Gateway configuration menus.

Palo Alto GlobalProtect Patch Guide

  1. Identify PAN-OS version.

  2. Check whether the GlobalProtect portal or gateway is enabled.

  3. Confirm whether authentication override cookies are enabled.

  4. Review certificate configuration.

  5. Upgrade to the vendor-fixed release.

  6. Reboot or fail over according to change window planning.

  7. Force users to re-authenticate after upgrade.

  8. Review logs from at least May 13, 2026 onward.

  9. Investigate suspicious VPN sessions.

  10. Keep monitoring for new activity.

Palo Alto notes that after the fix, if authentication override cookies are used, users need to re-authenticate once because the firewall regenerates the cookie using a more secure method.

Step-by-Step: How to Protect Your System

Step 1: Confirm Your Exposure

Action: Check whether your firewall runs an affected PAN-OS version and has GlobalProtect portal or gateway enabled.
Why it matters: Not every Palo Alto deployment is affected. Exposure depends on version and configuration.
Tip: Compare your version with Palo Alto’s official fixed release table.

Step 2: Check Authentication Override Cookies

Action: Review GlobalProtect Portal and Gateway authentication override settings.
Why it matters: The vulnerability depends on authentication override cookies being enabled with a specific certificate configuration.
Tip: In the PAN-OS GUI, review Portal Agent Authentication settings and Gateway Client Settings Authentication Override settings.

Step 3: Patch PAN-OS

Action: Upgrade to a fixed PAN-OS version.
Why it matters: Mitigation reduces risk, but patching removes the vulnerable code path.
Tip: For HA pairs, patch the passive first, fail over, then patch the second device.

Step 4: Review VPN Logs

Action: Search for suspicious cookie-based authentication activity.
Why it matters: Active exploitation started before public confirmation.
Tip: Look back to at least May 13, 2026. Rapid7 saw exploitation from May 17.

Step 5: Investigate Internal Activity

Action: Check what VPN-assigned IPs accessed after login.
Why it matters: The VPN connection is only the first stage. Internal movement is the bigger concern.
Tip: Review DNS, proxy, EDR, firewall, and identity logs.

Step 6: Disable or Restrict Risky Cookie Use

Action: Disable authentication override cookies where not required, or separate certificate use according to vendor guidance.
Why it matters: Reducing cookie trust reduces attack surface.
Tip: Do not reuse certificates casually across different authentication functions.

Step 7: Alert on Abnormal VPN Behavior

Action: Create SIEM alerts for suspicious cookie auth, admin VPN logins, and hosting provider source IPs.
Why it matters: Exploit attempts may continue after patch guidance is public.
Tip: Prioritize successful VPN events, not only failures.

Quick Comparison Table: Patch vs. Mitigation vs. Detection

Option | Best for | Benefit | Limitation
Patch PAN-OS | Long-term fix | Removes vulnerable condition | Requires change window
Disable auth override cookies | Fast risk reduction | Reduces attack path | May affect user experience
Review certificates | Configuration hardening | Removes risky trust setup | Needs careful admin review
SIEM detection | Finding abuse | Helps incident response | Does not fix vulnerability
VPN session review | Active threat hunting | Finds suspicious access | Can be time-consuming
User re-authentication | Post-patch validation | Refreshes secure cookies | Users may complain briefly

CISA KEV Inclusion and Compliance Requirements

The NVD page for CVE-2026-0257 shows CISA KEV information with a May 29, 2026 date added and a June 1, 2026 due date for required action. The listed action is to apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use if mitigations are unavailable.

For U.S. federal civilian agencies, CISA KEV entries are not just advice. They create remediation pressure under Binding Operational Directive 22-01.

For private companies, KEV still matters. Many security teams use it as a priority signal because it confirms real-world exploitation.

Best Practices for Securing GlobalProtect VPN

The GlobalProtect VPN security flaw is a reminder that VPN hardening must be ongoing.

Use these practices:

  • Keep PAN-OS updated.

  • Use MFA for all remote access.

  • Avoid local admin VPN access unless absolutely necessary.

  • Restrict VPN access by user group.

  • Segment VPN users from sensitive systems.

  • Monitor cookie-based authentication.

  • Disable unused portals and gateways.

  • Review certificate lifecycle and reuse.

  • Rotate credentials if compromise is suspected.

  • Add EDR coverage to VPN-connected endpoints.

  • Alert on impossible travel and unusual ASN activity.

  • Keep VPN logs long enough for retroactive hunting.

A VPN should never mean “full network trust.” It should mean “verified, limited access.”

Our Technical Analysis

When we reviewed this case, one thing stood out: the vulnerable path sits in a feature many organizations enable for convenience.

Authentication override cookies make user experience smoother. Fewer prompts. Less friction. Happy users.

But attackers love trusted shortcuts.

In our practical test model, we treated GlobalProtect as the main front door and mapped what a successful unauthorized VPN session could reach. The scary part was not the login itself. It was what came after:

  • Internal DNS became visible.

  • Legacy web apps appeared.

  • Some test environments trusted VPN ranges too broadly.

  • Admin interfaces were not always locked down.

  • Logging was strong at the firewall, but weaker inside the network.

That pattern is common. Teams harden the edge, then forget that VPN users still need least privilege inside.

So our opinion is direct: treat the Palo Alto GlobalProtect exploit as a critical operational issue, even if your ticketing system sorts it as “High.”

Lab Observation

When we ran the scan in a controlled lab-style review, we noticed that teams often checked only the PAN-OS version and stopped there.

That is not enough.

The exposure depends on configuration. A firewall can be in an affected version range but not exposed to this exact issue if the required GlobalProtect cookie and certificate conditions are absent. The reverse problem also happens. A team may think, “We patched recently,” but they may still be below the exact fixed hotfix version.

We encountered one realistic challenge while building the review checklist: version naming is easy to misread. For example, “11.2.7” is not the same as “11.2.7-h14.” That small suffix can decide whether the system is still vulnerable.

Our practical advice:

  • Read the full version string.

  • Include the hotfix suffix.

  • Validate against the vendor advisory.

  • Do not rely on memory.

  • Screenshot or export the current version before change control.

Small detail. Big difference.
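To make the hotfix-suffix point concrete, here is an added Python example (not code from Hoplon Infosec or Palo Alto Networks) that parses PAN-OS version strings, including the -hN suffix, and compares them with the fixed PAN-OS releases from the table in this article. Prisma Access is left out. How the advisory's "below X" rows are read is an assumption stated in the code: a release counts as fixed if it is at or above the highest fixed release of its branch, or if it sits on a listed hotfixed maintenance line at or above that hotfix; anything else in the branch is treated as affected. Verify both the table and that reading against the current vendor advisory before relying on it.

```python
import re

# Fixed PAN-OS releases as given in the article's CVE-2026-0257 table.
# Re-check these against the current Palo Alto Networks advisory before use.
FIXED_PAN_OS = {
    "12.1": ["12.1.4-h6", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s):
    """'11.2.7-h14' -> (11, 2, 7, 14). A missing hotfix suffix counts as hotfix 0,
    so '11.2.7' sorts below '11.2.7-h14', which is exactly the distinction that matters."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_fixed(version):
    """Return (fixed, reason). fixed is True, False, or None for a branch not in the table.

    Assumed reading of the advisory's "below X" rows: fixed if at or above the
    branch's highest fixed release, or on a listed hotfixed line at or above
    that hotfix; otherwise affected."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED_PAN_OS:
        return (None, f"branch {branch} is not in the article's table")
    fixed = sorted((parse_version(f), f) for f in FIXED_PAN_OS[branch])
    top_tuple, top_str = fixed[-1]
    if v >= top_tuple:
        return (True, f"{version} is at or above {top_str}")
    for ft, fs in fixed:
        if ft[:3] == v[:3]:  # same maintenance line, e.g. 11.2.7 vs 11.2.7-h14
            if v[3] >= ft[3]:
                return (True, f"{version} carries hotfix {fs} or later")
            return (False, f"{version} is below hotfix {fs}")
    return (False, f"{version} is below {top_str} and has no listed hotfix")


def check_inventory(versions):
    """Evaluate a list of full version strings, e.g. exported before change control."""
    return {ver: is_fixed(ver) for ver in versions}


if __name__ == "__main__":
    # Constructed inventory: note how the -h14 suffix flips the verdict on 11.2.7.
    for ver, (fixed, reason) in check_inventory(
            ["11.2.7", "11.2.7-h14", "11.2.11", "10.2.18", "10.2.18-h6", "9.1.0"]).items():
        print(f"{ver:12} fixed={fixed!s:5} {reason}")
```

Feed it the full version string exactly as the firewall reports it; the same maintenance release with and without its hotfix suffix gives opposite answers, which is the mistake the checklist above is meant to prevent.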

Common Mistakes

Mistake 1: Treating This as Only Medium or Normal High Risk

What it is: Teams rely only on score-based patching.
Why harmful: Edge VPN flaws can become entry points into the network.
How to avoid it: Prioritize based on exposure, exploitation, and asset role.

Mistake 2: Patching Without Log Review

What it is: Admins patch and move on.
Why harmful: Attackers may already have used the flaw.
How to avoid it: Review GlobalProtect logs from at least May 13, 2026 onward.

Mistake 3: Ignoring Cookie Authentication Events

What it is: SOC teams focus only on password failures.
Why harmful: This flaw may show suspicious successful cookie authentication.
How to avoid it: Add detections for successful cookie-based VPN logins.

Mistake 4: Allowing VPN Users Too Much Internal Access

What it is: VPN equals broad network access.
Why harmful: A single bypass can expose many systems.
How to avoid it: Segment VPN pools and restrict access by role.

Mistake 5: Forgetting Prisma Access

What it is: Teams check only hardware firewalls.
Why harmful: Prisma Access versions are listed in the advisory too.
How to avoid it: Review cloud-managed remote access environments as well.

Expert Tips and Practical Notes

  • Check local admin VPN usage first. Local admin accounts should rarely authenticate through a VPN.

  • Flag hosting provider IPs. Rapid7 observed activity from hosting provider infrastructure, so ASN context matters.

  • Do not trust “no malware found.” The known issue is unauthorized VPN access, not necessarily malware deployment.

  • Force re-authentication after patching. Palo Alto says users need to re-authenticate once after the fix if authentication override cookies are used.

  • Correlate VPN IPs with internal logs. The firewall tells you who entered. Internal logs tell you what they touched.

  • Keep evidence clean. Export logs before making major changes if you suspect compromise.

How Hoplon Infosec Can Help

Hoplon Infosec can support organizations responding to the Palo Alto GlobalProtect VPN auth bypass flaw with practical, incident-focused services.

Our team can help with:

  • PAN-OS exposure validation

  • CVE-2026-0257 affected versions review

  • GlobalProtect configuration audit

  • Log review and threat hunting

  • SIEM detection rule development

  • Incident response support

  • VPN segmentation review

  • Patch planning and post-patch validation

  • Executive-level incident reporting

For students and junior analysts, this is also a strong case study. It shows how one VPN feature, one cookie validation weakness, and one exposed edge device can create real risk.

Future Implications

This incident points to a bigger trend.

Attackers are not only chasing remote code execution. They are also targeting identity, cookies, session trust, and VPN workflows.

Expect more attacks against:

  • VPN authentication flows

  • SSO integrations

  • Session tokens

  • Device certificates

  • Conditional access gaps

  • Cloud-managed security gateways

The lesson is clear: identity and session validation need the same attention as patching and firewall rules.

Actionable Checklist

Use this checklist now:

  • Identify all Palo Alto Networks PAN-OS and Prisma Access GlobalProtect systems.

  • Confirm full version and hotfix level.

  • Compare versions with Palo Alto’s official CVE-2026-0257 advisory.

  • Check whether authentication override cookies are enabled.

  • Review certificate configuration.

  • Apply the fixed PAN-OS or Prisma Access version.

  • Force user re-authentication after patching.

  • Search GlobalProtect logs from May 13, 2026 onward.

  • Investigate successful cookie authentication events.

  • Review VPN IP activity inside the network.

  • Add SIEM alerts for suspicious GlobalProtect authentication.

  • Document actions for audit and compliance.


Final Verdict: 3-Point Security Checklist

1. Patch or Mitigate Today

Upgrade affected PAN-OS and Prisma Access systems to fixed versions. If you cannot patch immediately, apply vendor-approved mitigations and reduce risky authentication override cookie usage.

2. Hunt for Past Access

Review GlobalProtect logs from May 13, 2026 onward. Focus on cookie authentication, admin accounts, hosting provider IPs, and assigned VPN IP activity.

3. Reduce VPN Trust

Segment VPN users, enforce MFA, restrict admin access, monitor internal movement, and stop treating VPN access as full network trust.

Final takeaway: The Palo Alto GlobalProtect VPN auth bypass flaw is not just another patch notice. It is a live edge-access risk. Fix it, hunt for abuse, and harden GlobalProtect before attackers turn a quiet VPN session into a wider breach.


Author bio: Written by the security research team at Hoplon Infosec, specializing in cyber security, software supply chain threats, incident response, and developer environment protection.

Active exploitation is underway. Organizations using GlobalProtect should patch CVE-2026-0257 immediately and review VPN logs for unauthorized access.
