Palo Alto Networks Issues Urgent Security Patch Following Active Exploitation of GlobalProtect VPN Vulnerability

CVE-2026-0257 Palo Alto Networks vulnerability GlobalProtect VPN exploit PAN-OS security patch CISA KEV catalog
J
James Okoro

Ethical Hacking & Threat Intelligence Editor

 
June 28, 2026
4 min read
Palo Alto Networks Issues Urgent Security Patch Following Active Exploitation of GlobalProtect VPN Vulnerability

TL;DR

• Palo Alto Networks released an emergency patch for CVE-2026-0257. • The vulnerability allows attackers to bypass VPN authentication protocols. • CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog. • Attackers are actively exploiting the bug in the wild. • Administrators must update PAN-OS immediately to secure enterprise gateways.

Image courtesy of The Hacker News

Palo Alto Networks has just pushed out an emergency patch for a nasty authentication bypass vulnerability, tracked as CVE-2026-0257. This flaw hits the GlobalProtect portal and gateway components of their PAN-OS software, and it’s not something you want to sit on. In short, it lets unauthenticated attackers waltz right past standard login protocols to establish unauthorized VPN connections. For any enterprise relying on these gateways, it’s a massive security headache.

The situation escalated quickly. What started as a standard vulnerability report turned into a high-priority incident once researchers confirmed that bad actors were already using it in the wild. Because of this, the Cybersecurity and Infrastructure Security Agency (CISA) has officially added it to their Known Exploited Vulnerabilities (KEV) catalog. If you haven't patched yet, consider this your wake-up call.

How the Exploit Works

The root of the problem lies in how PAN-OS handles authentication override cookies. If you have your GlobalProtect portal or gateway configured to accept these cookies—a common convenience feature—the system fails to properly validate the session. It essentially leaves the door unlocked. This is particularly dangerous in environments where the Cloud Authentication Service (CAS) is disabled, as it forces the system to rely on an internal mechanism that is currently wide open to manipulation.

The technical mechanics are surprisingly straightforward: by crafting specific requests, an attacker can bypass the need for valid credentials entirely. They’re effectively masquerading as a legitimate user. Rapid7 researchers first spotted this activity on May 17, 2026. The initial probes were traced back to infrastructure hosted on providers like Vultr and Dromatics Systems, which tells us this wasn't just a random glitch—it was a coordinated effort to hunt for exposed VPN gateways.

While Palo Alto Networks initially pegged the risk as moderate, the reality of active exploitation forced them to bump the CVSSv4 score to 7.8. That’s a "High" severity rating, and it accounts for how easy this is to pull off and how much damage an attacker can do once they’re inside your tunnel.

Is Your Infrastructure Vulnerable?

Not every PAN-OS deployment is at risk. It specifically targets systems where "authentication override" is enabled—a feature designed to keep users connected without forcing them to re-login every time their session times out.

To see if you’re in the crosshairs, take a look at your management interface:

  • Head to the Network tab and select GlobalProtect.
  • Dig into your Gateways and Agent settings.
  • Look for the "Accept cookie for authentication override" checkbox.
  • Check if your Cloud Authentication Service (CAS) is disabled. If that box is checked and CAS is off, you’re likely exposed.

Patching and Mitigation

Palo Alto Networks dropped the advisory on May 13, 2026, and confirmed active exploitation by the end of that month. The only real fix is to apply the vendor-supplied patches. Because this is a logic flaw in how cookies are generated and validated, the update fundamentally changes how the system handles sessions.

Action Result
Apply Security Patch Remediates the authentication bypass logic.
Re-authentication Forces a one-time login for all GlobalProtect users.
Prisma Access Automatically updated via the standard maintenance schedule.

Applying the patch will force a one-time re-authentication for all your users. It’s an annoyance, sure, but it’s necessary. The patch forces the system to regenerate authentication cookies using a more secure cryptographic method, which effectively kills off any existing, potentially compromised sessions.

For those running Prisma Access, you’re in luck—Palo Alto Networks is handling the updates automatically. Just keep an eye on your admin console for any maintenance notifications.

The Bigger Picture

The shift from a theoretical bug to an actively exploited one changes everything. Attackers are using commercial hosting providers to scale their efforts, meaning they’re aggressive and well-resourced.

Security teams need to be vigilant. Review your logs for weird authentication patterns or VPN connections from IP ranges that don't make sense. Since this exploit bypasses the login screen, your standard credential-based alerts might not fire. You need to look for successful VPN sessions that lack a corresponding login event—that’s your smoking gun.

As The Hacker News pointed out, the danger here is that once an attacker gets past the portal, they’re essentially a trusted user. They can scan your internal network, move laterally, and drop payloads without anyone being the wiser.

If you can’t patch immediately, do yourself a favor and disable the "Accept cookie for authentication override" feature. Your users might grumble about having to log in more often, but it’s a small price to pay to keep your network secure while you get the update pushed out. Stay tuned to the Palo Alto Networks security advisory portal—the situation is fluid, and further guidance could be coming down the pipe.

J
James Okoro

Ethical Hacking & Threat Intelligence Editor

 

James Okoro is a certified ethical hacker (CEH) and cybersecurity journalist with a background in military intelligence. After serving as a cyber operations analyst, he transitioned into the private sector, working as a threat intelligence consultant before finding his voice as a writer. James has covered major data breaches, ransomware campaigns, and state-sponsored cyberattacks for several leading security publications. He brings a tactical, insider perspective to his reporting on the ever-evolving threat landscape.

Related News

Private Internet Access Updates WireGuard and OpenVPN Protocol Implementations to Strengthen Remote Access Security
WireGuard and OpenVPN protocol security updates

Private Internet Access Updates WireGuard and OpenVPN Protocol Implementations to Strengthen Remote Access Security

Private Internet Access upgrades WireGuard and OpenVPN protocols to boost remote access security, performance, and encryption stability. Learn how it impacts you.

By Viktor Sokolov July 10, 2026 4 min read
common.read_full_article
Critical CitrixBleed Vulnerability Under Active Exploitation Prompts Urgent Security Patch for NetScaler Gateways
CitrixBleed

Critical CitrixBleed Vulnerability Under Active Exploitation Prompts Urgent Security Patch for NetScaler Gateways

Critical vulnerability CVE-2023-4966 is under active exploitation. Patch your NetScaler ADC and Gateway appliances immediately to prevent session hijacking.

By Marcus Chen July 9, 2026 4 min read
common.read_full_article
WatchGuard Issues Third Critical IKEv2 Patch in Ten Months as Legacy Firebox Devices Remain Exposed
CVE-2026-13368

WatchGuard Issues Third Critical IKEv2 Patch in Ten Months as Legacy Firebox Devices Remain Exposed

WatchGuard issues third critical IKEv2 patch in ten months. Learn how CVE-2026-13368 affects your Firebox appliances and the risks to legacy hardware.

By Elena Voss July 8, 2026 4 min read
common.read_full_article
Dropbox Security Breach Prompts Enterprise Review of Encryption Protocols and Remote Access Alternatives for 2026
Dropbox security breach

Dropbox Security Breach Prompts Enterprise Review of Encryption Protocols and Remote Access Alternatives for 2026

Following the Dropbox security breach, enterprises are urgently reviewing encryption protocols and remote access alternatives. Learn the impact and 2026 security trends.

By James Okoro July 7, 2026 4 min read
common.read_full_article