Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, an authentication-bypass vulnerability in the GlobalProtect portal and gateway components of its PAN-OS software. The company published the advisory on 13 May 2026 and updated it on 29 May after becoming aware of "limited exploit attempts on unpatched PAN-OS devices without mitigations applied." Successful exploitation lets a remote, unauthenticated attacker bypass security controls and establish an unauthorised VPN connection through an affected gateway. Palo Alto currently rates the issue 7.8 High under its CVSS-BT scoring (CVSS v4.0), while NVD and Singapore's Cyber Security Agency (CSA) list a CVSS v3.1 base score of 9.1 Critical. Operationally, the point is not the label but the combination of unauthenticated VPN access and confirmed exploitation. CISA added the flaw to its Known Exploited Vulnerabilities catalog on 29 May 2026 with a 1 June federal remediation deadline.
What the flaw is
The root cause, per Palo Alto's advisory, is CWE-565 — reliance on cookies without proper validation and integrity checking. In affected configurations, the device trusts a GlobalProtect authentication-override cookie it can decrypt without confirming that the device itself legitimately issued it. Authentication override is a convenience feature: it issues a cookie to an already-authenticated user so they do not have to re-enter credentials on every reconnection. The defect turns that convenience into a gap an attacker can walk through to reach the VPN.
Exposure is conditional, not universal. The issue affects firewalls only where a GlobalProtect portal or gateway is configured with authentication-override cookies enabled and a specific certificate configuration present. Not every GlobalProtect deployment uses that feature or the vulnerable certificate setup, which is why exposure has to be checked rather than assumed. Crucially, Panorama and Cloud NGFW are not impacted. That narrows the population of vulnerable devices, but it does not lower the urgency for any organisation running an internet-facing GlobalProtect portal in that configuration — a common remote-access setup.
What is confirmed, and what is reported
The vulnerability was discovered internally and initially carried a lower, medium-severity score of 4.7 before Palo Alto raised its rating as real-world exploitation and public proof-of-concept code emerged. Independent telemetry fills in the picture. Rapid7 reported successful exploitation across numerous customer environments, with the earliest observed activity dating to 17 May 2026, and — importantly — said it "did not observe any indication of successful lateral movement" from the compromised devices. Arctic Wolf reported a rise in active exploitation in early June and confirmed that public PoC exploit code now exists, which lowers the skill bar for opportunistic attacks. Palo Alto's own Unit 42 team attributes the activity to an unidentified threat actor.
The honest reading of that evidence: this is an authentication bypass that grants network-level access equivalent to a legitimate VPN user, and no post-access lateral movement has been reported so far. That is a snapshot, not a guarantee — a foothold on a perimeter device is exactly the kind of access that gets used later, and a published PoC means the window for low-effort exploitation is open now.
How to fix it
Patching is the fix; the mitigations below are interim only.
Palo Alto has shipped fixes across every affected branch. The advisory lists the exact fixed release for each branch — the top-line targets are 12.1.7, 11.2.12, 11.1.15 and 10.2.18-h6, with branch-specific hotfixes also available — and any older, unsupported PAN-OS build should be moved to a supported fixed version. Palo Alto says Prisma Access customers are being upgraded on a managed schedule, but PAN-OS firewall operators need to verify their own exposure and apply the relevant fixed release or mitigation themselves.
If you cannot patch immediately, the advisory documents two interim mitigations: generate a dedicated certificate used only for authentication-override cookies (never reused from the portal or gateway certificate), or disable authentication override entirely by unchecking the generate- and accept-cookie options on the portal and gateway. Note one operational side effect of the fix: after upgrading, GlobalProtect users will have to re-authenticate once, because the device regenerates the override cookie using a more secure method.
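The exposure check that both this section and the earlier "check rather than assume" point call for, as an added example and not Palo Alto's own tooling: it sweeps a PAN-OS XML configuration export and reports every portal or gateway client config that still generates or accepts authentication-override cookies encrypted with the same certificate the portal or gateway presents for TLS, i.e. the setup the dedicated-certificate mitigation removes. The element names (authentication-override, generate-cookie, accept-cookie, cookie-encrypt-decrypt-cert, ssl-tls-service-profile) follow the PAN-OS XML layout as the example's author recalls it and are assumptions to verify against your own export, as is the reading of the advisory's "specific certificate configuration" as a cookie certificate shared with the server certificate; the sample configuration is constructed.

```python
"""Exposure triage for GlobalProtect authentication-override cookies (CVE-2026-0257).

Added example, not code from Palo Alto Networks or the advisory. It walks a PAN-OS
XML configuration export and reports every portal or gateway client config that
(a) generates or accepts authentication-override cookies and (b) encrypts them
with the same certificate the portal/gateway presents for TLS.

ASSUMPTIONS to verify against your own export: the element names
authentication-override, generate-cookie, accept-cookie, cookie-encrypt-decrypt-cert
and ssl-tls-service-profile follow the PAN-OS XML layout as this example's author
recalls it, and the advisory's "specific certificate configuration" is taken to be
a cookie certificate shared with the server certificate.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: a portal that reuses its server certificate for
# cookies, a gateway with a dedicated cookie certificate, and a gateway with
# authentication override switched off.
SAMPLE_CONFIG = """<config>
<shared><ssl-tls-service-profile>
  <entry name="gp-tls"><certificate>gp-server-cert</certificate></entry>
</ssl-tls-service-profile></shared>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><global-protect>
<global-protect-portal><entry name="gp-portal">
  <portal-config><ssl-tls-service-profile>gp-tls</ssl-tls-service-profile></portal-config>
  <client-config><configs><entry name="default"><authentication-override>
    <generate-cookie>yes</generate-cookie>
    <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
    <cookie-encrypt-decrypt-cert>gp-server-cert</cookie-encrypt-decrypt-cert>
  </authentication-override></entry></configs></client-config>
</entry></global-protect-portal>
<global-protect-gateway>
<entry name="gp-gw-sg">
  <ssl-tls-service-profile>gp-tls</ssl-tls-service-profile>
  <remote-user-tunnel-configs><entry name="default"><authentication-override>
    <generate-cookie>yes</generate-cookie>
    <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
    <cookie-encrypt-decrypt-cert>gp-cookie-only-cert</cookie-encrypt-decrypt-cert>
  </authentication-override></entry></remote-user-tunnel-configs>
</entry>
<entry name="gp-gw-legacy">
  <ssl-tls-service-profile>gp-tls</ssl-tls-service-profile>
  <remote-user-tunnel-configs><entry name="default"><authentication-override>
    <generate-cookie>no</generate-cookie>
    <cookie-encrypt-decrypt-cert>gp-server-cert</cookie-encrypt-decrypt-cert>
  </authentication-override></entry></remote-user-tunnel-configs>
</entry>
</global-protect-gateway>
</global-protect></entry></vsys></entry></devices>
</config>"""


def profile_certificates(root):
    """Map SSL/TLS service profile name -> certificate it serves."""
    certs = {}
    for prof in root.iter("ssl-tls-service-profile"):
        for entry in prof.findall("entry"):  # definitions hold entries; references are bare text
            cert = entry.findtext("certificate")
            if cert:
                certs[entry.get("name")] = cert.strip()
    return certs


def classify(override, server_cert):
    """Status of one authentication-override block relative to the server certificate."""
    generate = (override.findtext("generate-cookie") or "no").strip() == "yes"
    accept = override.find("accept-cookie") is not None
    cookie_cert = (override.findtext("cookie-encrypt-decrypt-cert") or "").strip()
    if not (generate or accept):
        return "override-disabled"       # second interim mitigation already in place
    if cookie_cert and cookie_cert != server_cert:
        return "dedicated-cookie-cert"   # first interim mitigation already in place
    return "EXPOSED"                      # cookies on and certificate shared: patch or mitigate now


def find_exposure(config_xml):
    """Return one finding per portal/gateway authentication-override block, in document order."""
    root = ET.fromstring(config_xml)
    certs = profile_certificates(root)
    findings = []
    for kind in ("global-protect-portal", "global-protect-gateway"):
        for container in root.iter(kind):
            for entry in container.findall("entry"):
                prof_ref = next((el.text.strip() for el in entry.iter("ssl-tls-service-profile")
                                 if el.text and el.text.strip()), None)
                server_cert = certs.get(prof_ref)
                for override in entry.iter("authentication-override"):
                    findings.append({
                        "kind": kind, "name": entry.get("name"),
                        "status": classify(override, server_cert),
                        "cookie_cert": (override.findtext("cookie-encrypt-decrypt-cert") or "").strip(),
                        "server_cert": server_cert,
                    })
    return findings


if __name__ == "__main__":
    for f in find_exposure(SAMPLE_CONFIG):
        print(f"{f['status']:<22} {f['kind']}/{f['name']}  cookie={f['cookie_cert']}  server={f['server_cert']}")
```

Run it against the XML of your running configuration (`find_exposure(open("running-config.xml").read())`). Anything reported EXPOSED goes to the top of the patch queue; the two other statuses correspond to the advisory's two interim mitigations. Because the element names are recalled rather than taken from the advisory, confirm the first hit by hand in the portal and gateway settings before trusting the sweep across a fleet.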
For detection, Unit 42 and Rapid7 recommend hunting GlobalProtect logs for successful gateway-connected events tied to unfamiliar host IDs or device names — Unit 42's threat brief lists examples such as GP-CLIENT, DESKTOP-GP01 and WINDOWS-LAPTOP-001, along with placeholder MAC addresses (for example aa:bb:cc:dd:ee:ff) and a set of known malicious source IPs to search for.
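The hunt described above, run over log lines, as an added example that is neither Unit 42's nor Rapid7's code: it keeps only successful gateway-connected events and flags those whose device name, MAC address, source IP or host ID does not belong to a client you recognise. The CSV column names (receive_time, eventid, status, srcuser, machinename, hostid, public_ip, client_mac) follow the GlobalProtect log export as the example's author recalls it and should be checked against your own export; the device names are the Unit 42 examples quoted above; IOC_SOURCE_IPS holds a documentation-range placeholder to be replaced with the addresses in the Unit 42 brief; KNOWN_HOST_IDS stands in for your endpoint inventory; the log lines are constructed.

```python
"""Hunt for CVE-2026-0257 exploitation markers in an exported GlobalProtect log.

Added example, not Unit 42's or Rapid7's code. It applies the hunt the vendors
describe: successful gateway-connected events whose device name, MAC address,
source IP or host ID does not belong to a client you recognise.

ASSUMPTIONS: the CSV columns (receive_time, eventid, status, srcuser, machinename,
hostid, public_ip, client_mac) follow the GlobalProtect log export as this example's
author recalls it; check them against your own export. The device names are the
Unit 42 examples quoted in the article; IOC_SOURCE_IPS is a placeholder to be
replaced with the addresses in the Unit 42 brief; KNOWN_HOST_IDS stands in for your
endpoint inventory. The log lines below are constructed.
"""
import csv
import io
import re

SUSPICIOUS_DEVICE_NAMES = {"GP-CLIENT", "DESKTOP-GP01", "WINDOWS-LAPTOP-001"}
IOC_SOURCE_IPS = {"203.0.113.45"}                            # placeholder, see docstring
KNOWN_HOST_IDS = {"5a4b3c2d-1e0f-4a5b-9c6d-7e8f9a0b1c2d"}   # placeholder inventory

# Constructed sample export: one hand-typed exploit client, one legitimate user,
# one failed attempt, one more exploit client, and portal noise.
SAMPLE_LOG = """receive_time,eventid,stage,status,srcuser,machinename,hostid,public_ip,client_mac
2026/05/17 02:14:09,gateway-connected,connection,success,contractor01,GP-CLIENT,8f1c2e3a-0000-4000-8000-000000000001,203.0.113.45,aa:bb:cc:dd:ee:ff
2026/05/17 08:30:12,gateway-connected,connection,success,alice.tan,SG-LT-0412,5a4b3c2d-1e0f-4a5b-9c6d-7e8f9a0b1c2d,198.51.100.7,3c:22:fb:12:9a:01
2026/05/17 09:05:44,gateway-connected,connection,failure,bob.lim,DESKTOP-GP01,8f1c2e3a-0000-4000-8000-000000000002,203.0.113.46,00:11:22:33:44:55
2026/05/17 11:47:03,gateway-connected,connection,success,svc-vpn,WINDOWS-LAPTOP-001,8f1c2e3a-0000-4000-8000-000000000003,203.0.113.47,00:00:00:00:00:00
2026/05/17 12:01:00,portal-prelogin,before-login,success,,,,198.51.100.8,
"""

MAC_RE = re.compile("^" + r"([0-9a-f]{2})[:-]" * 5 + r"([0-9a-f]{2})$")


def is_placeholder_mac(mac):
    """True for MACs no shipped NIC carries: all octets identical (00:00:..., ff:ff:...)
    or an arithmetic run such as aa:bb:cc:dd:ee:ff or 00:11:22:33:44:55."""
    m = MAC_RE.match(mac.strip().lower())
    if not m:
        return False
    octets = [int(o, 16) for o in m.groups()]
    deltas = {b - a for a, b in zip(octets, octets[1:])}
    return len(deltas) == 1 and deltas.pop() in (0x00, 0x01, 0x11)


def suspicious_reasons(row):
    """Every marker from the hunt that this single connection event matches."""
    reasons = []
    if row.get("machinename", "").upper() in SUSPICIOUS_DEVICE_NAMES:
        reasons.append("known-bad device name")
    if is_placeholder_mac(row.get("client_mac", "")):
        reasons.append("placeholder MAC")
    if row.get("public_ip") in IOC_SOURCE_IPS:
        reasons.append("IOC source IP")
    hostid = row.get("hostid", "")
    if hostid and hostid not in KNOWN_HOST_IDS:
        reasons.append("host ID not in inventory")
    return reasons


def hunt(csv_text):
    """Flag successful gateway connections that carry at least one marker."""
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        # The bypass ends in a *successful* tunnel; failed attempts and portal
        # prelogin noise are not the signal this hunt is after.
        if row.get("eventid") != "gateway-connected" or row.get("status") != "success":
            continue
        reasons = suspicious_reasons(row)
        if reasons:
            flagged.append({"time": row["receive_time"], "user": row["srcuser"],
                            "machine": row["machinename"], "ip": row["public_ip"],
                            "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(f"{hit['time']}  {hit['user']:<14} {hit['machine']:<20} {hit['ip']:<15} {'; '.join(hit['reasons'])}")
```

Feed it the CSV export of the GlobalProtect log covering at least the period since 17 May. The host-ID check is the most durable of the four markers, since an attacker can rename a client or pick a plausible MAC but cannot guess which host IDs your inventory has issued; a hit is the start of triage, not the end, so follow the flagged session into traffic logs to see what it reached.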
What it means for the region
GlobalProtect is widely deployed across ASEAN, including by Singapore enterprises and public-sector bodies, as the remote-access layer in front of corporate networks. Singapore's CSA issued its own alert classifying CVE-2026-0257 as critical and actively exploited, and urged immediate patching. The 1 June CISA deadline is binding only on US federal agencies, but the exposure and the remedy are identical everywhere: any organisation in the region running an internet-facing GlobalProtect portal or gateway in the affected configuration should treat this as an immediate patch-or-mitigate item, not scheduled maintenance, and those internet-facing portals and gateways are the first place to check.
Key Takeaways
CVE-2026-0257 is an authentication-bypass in PAN-OS GlobalProtect (portal and gateway) that lets a remote, unauthenticated attacker establish an unauthorised VPN connection. Palo Alto rates it CVSS-BT 7.8 (high); NVD and Singapore's CSA list CVSS v3.1 9.1 (critical).
Palo Alto confirmed exploitation in its 29 May advisory update; CISA added it to the KEV catalog on 29 May 2026 with a 1 June federal deadline; public PoC code now exists.
Panorama and Cloud NGFW are not affected; exposure requires GlobalProtect with authentication-override cookies enabled and a specific certificate configuration.
Fix by upgrading to the advisory's fixed release for your branch (top-line targets 12.1.7, 11.2.12, 11.1.15 or 10.2.18-h6). Interim options: a dedicated cookie certificate, or disabling authentication override.