GlobalProtect flaw is under attack

Palo Alto Networks has updated its GlobalProtect vulnerability advisory again. The affected PAN-OS issue can allow unauthorised VPN connections in specific configurations and is now marked as attacked.

Summary
  • Palo Alto Networks says CVE-2026-0257 affects GlobalProtect portal and gateway in PAN-OS under specific authentication override cookie configurations.
  • The vendor marks exploit maturity as “attacked” and updated the advisory on 29 May.
  • The issue is enterprise-relevant because GlobalProtect sits at the network edge for remote access.

Palo Alto Networks has updated its advisory for CVE-2026-0257, an authentication bypass issue affecting the GlobalProtect portal and gateway in PAN-OS, with the vulnerability now marked as attacked.

The company rates the flaw as high severity, with highest urgency in its advisory system. The issue allows an attacker to bypass security restrictions and establish an unauthorised VPN connection where affected versions and specific configuration conditions are present.

The vendor’s security advisory says the issue affects GlobalProtect portal and gateway in PAN-OS software. Panorama and Cloud NGFW are not impacted. Palo Alto Networks lists the attack vector as network, with low attack complexity, no user interaction, and no privileges required. The company says the issue was discovered internally and that exploitation attempts have been observed.

The configuration condition needs careful handling. The advisory describes authentication bypass vulnerabilities that can be exploited where authentication override cookies are configured in affected ways. Exposure is therefore shaped by product version and configuration state, not by version alone.

GlobalProtect is high-value infrastructure because it controls remote access into enterprise environments. Vulnerabilities at the VPN and secure-access edge have repeatedly been used as initial access points in serious intrusions, including ransomware, espionage, and lateral movement campaigns. Even where a flaw has specific preconditions, unauthorised VPN access can create a substantial path into internal systems.

The advisory’s “attacked” exploit maturity changes the operational priority. A vulnerability known to be exploited cannot sit in the same queue as a theoretical exposure. Organisations need to establish affected versions, confirm GlobalProtect configuration state, apply fixed releases, review logs, and assess whether suspicious access occurred before remediation.

The subsequent-system impact ratings in the advisory point to the wider concern. Unauthorised access at this layer can place confidentiality and integrity at risk beyond the product itself. A VPN connection is not simply another application session; it can provide a foothold from which an attacker probes identity systems, internal services, administrative interfaces, and file shares.

Remote access infrastructure also remains a governance issue. VPNs are often treated as mature and settled technology, yet the attack surface continues to change through authentication cookies, device posture checks, identity provider integrations, split-tunnel configurations, logging quality, and privileged administrative access. Small configuration differences can decide whether a vulnerability is theoretical or exposed.

UK and European organisations using affected PAN-OS or Prisma Access configurations face the same risk calculus as their global peers. Remote access sits close to regulated-service continuity, supplier access, and incident-reporting duties, particularly in sectors preparing for tighter cyber resilience obligations.

The remediation path should combine patching with assurance. Teams need to verify whether affected versions are deployed, identify whether the vulnerable configuration is present, upgrade to fixed releases, review GlobalProtect authentication and VPN logs, and look for unusual connection patterns. A broader review of remote-access governance is also warranted where edge systems support critical operations or privileged supplier access.
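The log-review step above ("review GlobalProtect authentication and VPN logs, and look for unusual connection patterns") is the part of remediation most teams under-specify. The script below is an added example, not code from Palo Alto Networks or from the article, showing two simple checks a defender can run over exported VPN authentication records: a single source address authenticating as several distinct users within a short window, and users connecting from addresses absent from their recent baseline. The record layout, the sample lines and the baseline are constructed for the example and are not the real PAN-OS log schema; the thresholds (three users, ten minutes) are assumptions to tune against your own environment.

```python
"""Post-advisory VPN log triage (added example; not vendor code).

The record format here is constructed for illustration:
    <ISO-8601 timestamp> <username> <source IP> <event>
It is NOT the real PAN-OS GlobalProtect log schema; adapt parse_records()
to the export you actually have.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample records. 198.51.100.7 logs in as four different users
# within about two minutes at 02:14, which is the pattern we want to surface.
SAMPLE_LOG = """\
2026-05-28T08:02:11Z alice 203.0.113.10 login-success
2026-05-28T08:05:40Z bob 203.0.113.22 login-success
2026-05-29T02:14:03Z alice 198.51.100.7 login-success
2026-05-29T02:14:09Z bob 198.51.100.7 login-success
2026-05-29T02:14:15Z carol 198.51.100.7 login-success
2026-05-29T02:16:44Z dave 198.51.100.7 login-success
2026-05-29T09:30:00Z carol 203.0.113.31 login-success
"""

# Constructed baseline: source addresses each user was seen from before the
# review window. In practice build this from a longer history.
BASELINE = {
    "alice": {"203.0.113.10"},
    "bob": {"203.0.113.22"},
    "carol": {"203.0.113.31"},
}


def parse_records(text):
    """Parse the constructed whitespace-separated format into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, event = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "src": src,
            "event": event,
        })
    return records


def find_shared_source_ips(records, min_users=3, window_minutes=10):
    """Return {source_ip: [users]} for sources that completed logins as at
    least min_users distinct accounts inside any window_minutes window."""
    by_src = defaultdict(list)
    for r in records:
        if r["event"] == "login-success":
            by_src[r["src"]].append(r)

    findings = {}
    for src, events in by_src.items():
        events.sort(key=lambda r: r["ts"])
        best = set()
        for i, first in enumerate(events):
            users = {first["user"]}
            for later in events[i + 1:]:
                gap = (later["ts"] - first["ts"]).total_seconds()
                if gap > window_minutes * 60:
                    break
                users.add(later["user"])
            if len(users) > len(best):
                best = users
        if len(best) >= min_users:
            findings[src] = sorted(best)
    return findings


def find_new_source_logins(records, baseline):
    """Return (users_from_unseen_addresses, users_with_no_baseline).

    The first list holds (user, source_ip) pairs where the user has a
    baseline but this address is not in it; the second names users for whom
    no baseline exists, so the check cannot say anything about them."""
    unseen = []
    no_baseline = set()
    for r in records:
        if r["event"] != "login-success":
            continue
        known = baseline.get(r["user"])
        if known is None:
            no_baseline.add(r["user"])
        elif r["src"] not in known:
            unseen.append((r["user"], r["src"]))
    return sorted(set(unseen)), sorted(no_baseline)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("shared source IPs:", find_shared_source_ips(recs))
    print("logins from unseen addresses:", find_new_source_logins(recs, BASELINE))
```

Both checks are deliberately coarse: they are a first pass to decide which sessions need manual review against the fixed-release timeline, not a substitute for the vendor's own indicators. Users with no baseline (here `dave`) are reported separately rather than silently passed, since a missing baseline is itself something the reviewer should know about.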

CVE-2026-0257 stands out because it sits on the access boundary and has moved into active exploitation. At that point, vulnerability management and incident-prevention work become the same operational task.