Palo Alto Networks confirmed active exploitation of CVE-2026-0257, a Palo Alto GlobalProtect vulnerability that can allow unauthorized VPN access on affected PAN-OS deployments.
The flaw affects GlobalProtect portal and gateway deployments that use authentication override cookies alongside specific certificate configurations, allowing attackers to forge authentication override cookies and bypass authentication controls.
Security researchers observed exploitation attempts against unpatched devices, with some attackers successfully establishing unauthorized VPN sessions in affected environments.
Organizations should apply available PAN-OS security updates and implement Palo Alto Networks’ recommended mitigations, including disabling authentication override where feasible or using a dedicated certificate for authentication override cookies.
Palo Alto Networks has warned that attackers are actively exploiting CVE-2026-0257, a Palo Alto GlobalProtect vulnerability that can allow unauthorized VPN access to affected PAN-OS deployments. The flaw impacts specific GlobalProtect portal and gateway configurations that use authentication override cookies, creating a pathway for attackers to bypass authentication controls under certain conditions.
The company has confirmed limited exploitation attempts against unpatched systems without mitigations applied. Security researchers have also reported successful exploitation in customer environments, including unauthorized VPN access in some cases. The vulnerability was later added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, reinforcing the need for organizations to review exposure, apply PAN-OS updates, and implement vendor-recommended mitigations.
Technical Deep Dive – Understanding the GlobalProtect Authentication Bypass
CVE-2026-0257 is an authentication bypass vulnerability affecting the GlobalProtect portal and gateway in Palo Alto Networks PAN-OS. The issue applies to deployments where authentication override cookies are enabled and a specific certificate configuration exists.
Authentication override allows GlobalProtect to issue a cookie after a successful login. The user can then use that cookie for future access instead of repeatedly re-authenticating.
In vulnerable deployments, attackers may be able to:
Forge authentication override cookies.
Present those cookies to GlobalProtect services as valid authentication artifacts.
Bypass normal authentication controls.
Establish unauthorized VPN access without legitimate user credentials.
According to Palo Alto Networks, exposure requires both authentication override cookies and the affected certificate configuration. Palo Alto recommends using a dedicated certificate for authentication override cookies and not reusing the GlobalProtect portal or gateway certificate for this purpose.
Rapid7 reported exploitation activity involving forged authentication override cookies that targeted the local administrator account. In some affected environments, attackers were able to establish VPN sessions through the forged cookies. Rapid7 also reported that it did not observe confirmed successful lateral movement in the customer environments it investigated.
The operational risk is significant because GlobalProtect gateways often act as trusted entry points into enterprise networks. Successful exploitation could allow attackers to access internal resources available through the VPN connection and may support follow-on activity such as reconnaissance or attempts to expand access.
The Hexnode Solution
While patching remains the primary remediation step, organizations also need visibility into potential post-authentication activity that may occur after unauthorized VPN access is established.
Hexnode XDR can help security teams correlate endpoint telemetry, network logs, and XDR security alerts with UEM context, such as device compliance status, user identity, and location. This combined visibility supports threat hunting during investigations and enables active containment of affected devices.
Hexnode UEM can help enforce device compliance requirements, strengthen device posture management, and support identity-aware access controls. By ensuring that only trusted and compliant devices can access corporate resources, organizations can add additional layers of validation beyond perimeter-based access controls.
The active exploitation of CVE-2026-0257 demonstrates the continued risk posed by externally exposed access infrastructure and highlights the importance of secure certificate management practices. Organizations using affected GlobalProtect deployments should prioritize remediation and review logs for signs of unauthorized VPN activity.
Addressing the Palo Alto GlobalProtect vulnerability requires more than patching alone. Strong monitoring, endpoint visibility, layered access controls, and continuous validation of trusted devices can help reduce exposure and improve detection of post-authentication threats.