PAN-OS CVE-2026-0257: GlobalProtect Authentication Bypass Added to KEV
CISA added PAN-OS CVE-2026-0257 to KEV on 2026-05-29 after limited exploitation of unpatched GlobalProtect portal and gateway configurations that use authentication override cookies.
Executive Summary
CISA’s KEV catalog version 2026.05.29 lists CVE-2026-0257 as an actively exploited PAN-OS authentication bypass with a federal due date of 2026-06-01 [Source 1]. Palo Alto Networks says the issue affects GlobalProtect portal and gateway deployments where authentication override cookies are enabled with a specific certificate configuration, and that limited exploit attempts have targeted unpatched systems without mitigations [Source 2].
This is a VPN-edge exposure problem, not a generic PAN-OS compromise claim. Treat an exposed GlobalProtect portal or gateway on a vulnerable PAN-OS branch as a priority access-control incident because successful exploitation can establish an unauthorized VPN connection [Source 1] [Source 2].
Key Facts
event_id: "pan-os-cve-2026-0257-globalprotect-auth-bypass"
cve: "CVE-2026-0257"
vendor: "Palo Alto Networks"
product: "PAN-OS GlobalProtect portal and gateway"
kev_added: "2026-05-29"
kev_due: "2026-06-01"
kev_catalog_version: "2026.05.29"
cvss_v4: "7.8"
exploit_maturity: "attacked"
exposure_condition:
- "GlobalProtect portal or gateway configured"
- "authentication override cookies enabled"
- "specific certificate configuration exists"
not_impacted:
- "Panorama"
- "Cloud NGFW"
Source Confidence & Evidence Mapping
- confirmed: CISA lists CVE-2026-0257 in KEV with active exploitation evidence and remediation requirements [Source 1].
- confirmed: Palo Alto Networks marks exploit maturity as ATTACKED, published the advisory on 2026-05-13, and updated it on 2026-05-29 [Source 2].
- confirmed: Palo Alto Networks describes the vulnerable condition as GlobalProtect portal or gateway authentication override cookie use with a specific certificate configuration [Source 2].
- unclear: Public sources do not provide victim counts, exploitation payloads, or a public packet-level exploit signature.
Impact Determination
| Classification | Criteria | Required evidence | Handling decision |
|---|---|---|---|
| Confirmed compromise | Unauthorized GlobalProtect VPN access or session creation aligns with a vulnerable unmitigated device. | VPN auth/session logs, GlobalProtect gateway logs, identity provider logs, firewall configuration, and user/session ownership evidence. | Isolate the gateway path, revoke suspect sessions, rotate affected VPN credentials, preserve logs, and patch. |
| Presumed exposed | Vulnerable PAN-OS branch, GlobalProtect enabled, authentication override cookies enabled, and no mitigation or fixed release. | PAN-OS version plus portal/gateway configuration export. | Disable authentication override or apply a fixed version before closing exposure. |
| Potentially exposed | PAN-OS branch or GlobalProtect usage is known, but cookie override and certificate configuration are not verified. | Device inventory, running config, Panorama exports, and GlobalProtect portal/gateway settings. | Run config audit and keep the asset in scope until settings are proven negative. |
| Not exposed | Fixed PAN-OS release or GlobalProtect/authentication override cookie path is absent. | Version evidence and configuration evidence. | Archive evidence and monitor for related authentication anomalies. |
Timeline
- 2026-05-13: Palo Alto Networks published the CVE-2026-0257 advisory [Source 2].
- 2026-05-29: Palo Alto Networks updated the advisory and CISA added the CVE to KEV [Source 1] [Source 2].
- 2026-06-01: CISA KEV remediation due date for covered federal agencies [Source 1].
Detection and Hunting
Script: local repository and exported telemetry scope
#!/usr/bin/env python3
# Scope check for CVE-2026-0257: search a local repository or config-export tree
# and, optionally, a directory of exported telemetry for the incident selectors
# listed below. The public sources for this event publish no hashes, IPs,
# domains, or packet-level exploit signature, so the selector lists start empty;
# fill them with your own selectors (exposed portal/gateway hostnames, suspect
# session or user identifiers) before running.
import os
import sys
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-pan-os-cve-2026-0257-globalprotect-auth-bypass-scope"))
PACKAGES = []
VERSIONS = []
FILES = []
DOMAINS = []
URLS = []
IPS = []
HASHES = []
PROCESS_PATTERNS = []
NETWORK_PATTERNS = []
# Positive signal: repository, lockfile, artifact, process, or network telemetry contains one of the exact incident selectors above.
# Escalation: any match tied to a production build, CI run, deployed asset, or secret-bearing host moves the asset to presumed exposed.
EXCLUDE_DIRS = {"node_modules", "vendor", "dist", ".git"}


def collect_indicators():
    """Deduplicate the selector lists into one set, dropping empty strings."""
    indicators = set()
    for group in [PACKAGES, VERSIONS, FILES, DOMAINS, URLS, IPS, HASHES, PROCESS_PATTERNS, NETWORK_PATTERNS]:
        indicators.update(val for val in group if val)
    return indicators


def scan_tree(base, indicators, exclude=frozenset()):
    """Walk base and return one 'path: found <selector>' line per substring hit."""
    matches = []
    for root, dirs, filenames in os.walk(base):
        dirs[:] = [d for d in dirs if d not in exclude]  # prune noisy directories in place
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
            matches.extend(f"{filepath}: found '{ind}'" for ind in indicators if ind in content)
    return matches


def main():
    OUT.mkdir(parents=True, exist_ok=True)
    indicators = collect_indicators()
    indicators_file = OUT / "indicators.txt"
    indicators_file.write_text("".join(ind + "\n" for ind in sorted(indicators)))
    print(f"[+] Wrote {len(indicators)} unique selectors to {indicators_file}")
    if not indicators:
        print("[!] No selectors defined; nothing to scan. Add selectors to the lists at the top of this script.")
        return
    print(f"[+] Scanning directory: {ROOT} for selectors...")
    matches = scan_tree(ROOT, indicators, EXCLUDE_DIRS)
    if matches:
        (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
        print(f"[!] Found {len(matches)} matches in codebase!")
    # Optional telemetry scan over an exported log directory (set LOG_ROOT)
    if LOG_ROOT and os.path.exists(LOG_ROOT):
        print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
        log_matches = scan_tree(LOG_ROOT, indicators)
        if log_matches:
            (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
            print(f"[!] Found {len(log_matches)} matches in logs!")
    print(f"[+] Wrote scope artifacts under {OUT}")


if __name__ == "__main__":
    main()
Remediation
Patch to a fixed PAN-OS release for the deployed branch, or apply Palo Alto Networks’ mitigation by disabling authentication override or using a dedicated certificate for authentication override cookies [Source 2]. After patching, require GlobalProtect users to re-authenticate and review active sessions because the vendor notes the fix regenerates authentication override cookies [Source 2].
For exposed systems, close the exposure only after you can show evidence of the fixed version (or the applied mitigation), the current GlobalProtect authentication override cookie configuration, the clearing of suspicious sessions, and a review of identity-provider logs for unauthorized VPN access.
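The Impact Determination table keys on whether a portal or gateway still generates or accepts authentication override cookies, and the remediation evidence above includes the current cookie configuration. The following is an added example, not Palo Alto Networks' tooling and not code from the original page, that pulls that evidence out of a PAN-OS XML configuration export and maps it onto the table's rows. The element names it looks for (global-protect-portal, global-protect-gateway, authentication-override, generate-cookie, accept-cookie, cookie-encrypt-decrypt-cert) are assumed from the PAN-OS configuration schema and should be confirmed against your own running-config export; the embedded configuration is constructed for the example. The script reports the cookie certificate name but cannot judge the "specific certificate configuration" the advisory refers to, so an unpatched device with cookies enabled stays presumed exposed until a person reviews the certificate.

```python
#!/usr/bin/env python3
"""Audit a PAN-OS XML config export for GlobalProtect authentication override cookies.

Added example for CVE-2026-0257 triage. Element names are assumed from the
PAN-OS config schema; verify them against a real export before relying on this.
"""
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample export (not from a real device). One portal that generates and
# accepts cookies, one gateway that accepts them, one gateway with cookies disabled.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<global-protect>
  <global-protect-portal><entry name="corp-portal">
    <client-config><configs><entry name="default-agent-config">
      <authentication-override>
        <generate-cookie>yes</generate-cookie>
        <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
        <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
      </authentication-override>
    </entry></configs></client-config>
  </entry></global-protect-portal>
  <global-protect-gateway>
    <entry name="corp-gateway"><remote-user-tunnel-configs><entry name="default-tunnel-config">
      <authentication-override>
        <generate-cookie>no</generate-cookie>
        <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
        <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
      </authentication-override>
    </entry></remote-user-tunnel-configs></entry>
    <entry name="lab-gateway"><remote-user-tunnel-configs><entry name="default-tunnel-config">
      <authentication-override><generate-cookie>no</generate-cookie></authentication-override>
    </entry></remote-user-tunnel-configs></entry>
  </global-protect-gateway>
</global-protect>
</entry></vsys></entry></devices></config>"""


def _enabled(parent, tag):
    """True when <tag> exists under parent and is not explicitly set to 'no'."""
    node = parent.find(tag)
    if node is None:
        return False
    return (node.text or "").strip().lower() != "no"


def audit_auth_override(xml_text):
    """Return one finding per portal/gateway that generates or accepts override cookies."""
    root = ET.fromstring(xml_text)
    findings = []
    for kind, container in (("portal", "global-protect-portal"), ("gateway", "global-protect-gateway")):
        for block in root.iter(container):
            for entry in block.findall("entry"):
                for ao in entry.iter("authentication-override"):
                    generate = _enabled(ao, "generate-cookie")
                    accept = _enabled(ao, "accept-cookie")
                    cert_node = ao.find("cookie-encrypt-decrypt-cert")
                    cert = cert_node.text.strip() if cert_node is not None and cert_node.text else None
                    if generate or accept:  # cookie path is live on this object
                        findings.append({"kind": kind, "name": entry.get("name"),
                                         "generate_cookie": generate, "accept_cookie": accept,
                                         "cert": cert})
    return findings


def classify(findings, fixed_release):
    """Map audit output to the Impact Determination rows on this page.

    findings=None means no config export was obtained, so exposure cannot be verified.
    fixed_release is version evidence you gather from the device separately.
    """
    if fixed_release:
        return "not exposed"
    if findings is None:
        return "potentially exposed"
    if findings:
        return "presumed exposed"  # cookies enabled; cert dedication still needs human review
    return "not exposed"


if __name__ == "__main__":
    text = Path(sys.argv[1]).read_text() if len(sys.argv) > 1 else SAMPLE_CONFIG
    results = audit_auth_override(text)
    for f in results:
        print(f"{f['kind']:8} {f['name']:20} generate={f['generate_cookie']} "
              f"accept={f['accept_cookie']} cert={f['cert']}")
    print("classification (assuming unpatched):", classify(results, fixed_release=False))
```

Pass the path of an exported running configuration as the first argument to audit a real device; with no argument it runs against the constructed sample. Because the portal must generate cookies and the gateway must accept them with the same certificate for the feature to work at all, seeing one certificate name on both objects is expected, not itself a finding; what you check by hand is whether that certificate is dedicated to cookie encryption as the vendor mitigation requires.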
Machine-Readable Event Profile
{
"event_id": "pan-os-cve-2026-0257-globalprotect-auth-bypass",
"cve": "CVE-2026-0257",
"kev_added": "2026-05-29",
"vendor": "Palo Alto Networks",
"product": "PAN-OS GlobalProtect",
"affected_assets": ["GlobalProtect portal", "GlobalProtect gateway", "PAN-OS 10.2", "PAN-OS 11.1", "PAN-OS 11.2", "PAN-OS 12.1"],
"detection_selectors": ["GlobalProtect", "authentication override", "auth cookie", "CVE-2026-0257"],
"source_urls": [
"https://raw.githubusercontent.com/cisagov/kev-data/develop/known_exploited_vulnerabilities.json",
"https://security.paloaltonetworks.com/CVE-2026-0257",
"https://github.com/cisagov/kev-data",
"https://nvd.nist.gov/vuln/detail/CVE-2026-0257"
]
}