
Palo Alto Networks has confirmed that attackers are actively exploiting a security flaw in PAN-OS GlobalProtect, tracked as CVE-2026-0257 with a CVSS score of 7.8. The vulnerability affects both on-premises firewalls and Prisma Access. Review the Cybersecurity Threat Advisory for recommendations on how to mitigate this risk and protect your clients’ environments.
What is the threat?
CVE-2026-0257 is a security flaw in the GlobalProtect VPN feature of Palo Alto Networks firewalls and Prisma Access. It affects systems where authentication override cookies are enabled and those cookies use the same certificate as the main GlobalProtect web (HTTPS) interface.
These cookies are small pieces of data issued after a successful login. They allow users to reconnect without re-entering their password or MFA credentials. Due to a design flaw, the firewall trusts any cookie it can successfully decrypt. It does not verify that it originally generated the cookie.
An attacker can connect to the GlobalProtect website and obtain the public certificate used by the service. They can then use that information to generate a forged cookie that appears to belong to a legitimate user. When the attacker submits the forged cookie to the GlobalProtect portal or gateway, the firewall may incorrectly authenticate them as a legitimate user. In some cases, this could be a local administrator account. No valid credentials are required.
If successful, the attacker can establish a full VPN session into the organization’s network. They can then access internal systems as though they were a legitimate remote user. Security vendors, including Rapid7 and Palo Alto Networks, have observed this technique in real-world attacks. Reports indicate that attackers are using low-cost cloud hosting providers to scan for and exploit vulnerable GlobalProtect devices.
Why is it noteworthy?
This vulnerability is particularly significant because it affects VPN gateways at the network perimeter. These systems are often the primary method remote users and administrators use to access organizational resources.
If exploited, attackers can bypass normal authentication controls and gain access from the internet as trusted VPN users. Palo Alto Networks, Rapid7, and CISA have all confirmed active exploitation of this vulnerability in real-world environments.
The vulnerability was initially assigned a medium severity score. It was later reassessed because its real-world impact proved more severe than originally estimated.
CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog and required U.S. federal agencies to remediate the issue promptly. These actions underscore the seriousness of the threat.
What is the exposure or risk?
Successful exploitation allows attackers to authenticate through GlobalProtect without a valid username, password, or MFA challenge. As a result, they can gain remote access to internal networks from the internet while appearing to be legitimate VPN users.
The level of access depends on VPN configuration and the account being impersonated. In many environments, this could provide access to critical internal systems, file shares, and administrative tools.
Palo Alto Networks and Rapid7 have not publicly reported evidence of post-compromise activity in observed incidents. However, attackers could still use the access to move deeper into the environment.
Potential follow-on activity may include data theft, credential harvesting, malware deployment, or establishing persistence for future attacks. Because threat actors are actively scanning the internet and targeting vulnerable GlobalProtect systems, any unpatched or misconfigured deployment faces an elevated risk of compromise. Organizations that rely heavily on GlobalProtect for remote connectivity should be especially vigilant. A compromised VPN gateway can bypass multiple layers of internal security controls.
What are the recommendations?
Barracuda recommends the following actions to mitigate risk:
- Patch affected devices: Update all PAN-OS and Prisma Access systems to the latest security-fixed versions released by Palo Alto Networks.
- Disable or reconfigure authentication override cookies: Disable GlobalProtect authentication override cookies where possible. If they must remain enabled, configure them to use a dedicated certificate rather than the primary HTTPS or portal certificate.
- Restrict VPN access: Limit access to GlobalProtect portals and gateways through IP allowlists, geo-blocking, or firewall rules that permit connections only from trusted sources.
- Monitor GlobalProtect logs: Review VPN logs regularly for unusual authentication activity, including unexpected cookie-based logins, unfamiliar device names, suspicious locations, or known malicious IP addresses.
- Investigate suspicious activity immediately: Terminate suspicious VPN sessions, reset credentials or authentication tokens, and review internal systems for evidence of unauthorized access.
- Enforce MFA and continuous monitoring: Require multi-factor authentication for all VPN users and consider 24/7 security monitoring services to rapidly identify and respond to VPN-related threats.
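One way to implement the log-monitoring recommendation above, as an added example that is not from the advisory or from Palo Alto Networks: it walks a constructed, simplified GlobalProtect login log and flags cookie-based logins that have no preceding credential login for that user and device, or that arrive from a region the user has never connected from. The CSV column names, the auth_method values and the ALLOWED_REGIONS set are assumptions; real PAN-OS GlobalProtect log fields must be mapped onto them.

```python
"""Flag suspicious cookie-based GlobalProtect logins (added example, not the
advisory's or Palo Alto's code). The CSV columns and auth_method values are
assumptions; real PAN-OS GlobalProtect log fields differ and must be mapped."""
import csv
import io
from collections import defaultdict

# Constructed sample log: alice and bob log in with credentials, alice later
# reconnects with a cookie; the last two rows are cookie logins with no prior
# credential login (admin) or from a region never seen for that user (bob).
SAMPLE_LOG = """\
time,user,auth_method,machine,region,public_ip,status
2026-06-01T08:00:00,alice,LDAP+MFA,ALICE-LAPTOP,US,198.51.100.10,success
2026-06-01T08:05:00,bob,LDAP+MFA,BOB-PC,US,198.51.100.20,success
2026-06-01T12:00:00,alice,authentication-cookie,ALICE-LAPTOP,US,198.51.100.10,success
2026-06-01T13:30:00,admin,authentication-cookie,DESKTOP-X7Q2,NL,203.0.113.5,success
2026-06-01T13:31:00,bob,authentication-cookie,BOB-PC,RU,203.0.113.6,success
"""
ALLOWED_REGIONS = {"US"}  # assumption: where the workforce normally connects from

def flag_cookie_logins(log_text, allowed_regions=ALLOWED_REGIONS):
    """Return (row, reasons) for successful cookie logins that have no earlier
    credential login for the same user+machine, or that come from a region
    neither allowlisted nor used by that user before. A genuine override cookie
    exists only after a full login, so a cookie login with no such history is
    a strong indicator of a forged cookie."""
    seen_full_auth = set()           # (user, machine) pairs with a real login
    seen_regions = defaultdict(set)  # user -> regions used with a real login
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["status"] != "success":
            continue
        key = (row["user"], row["machine"])
        if row["auth_method"] != "authentication-cookie":
            seen_full_auth.add(key)
            seen_regions[row["user"]].add(row["region"])
            continue
        reasons = []
        if key not in seen_full_auth:
            reasons.append("cookie login with no prior credential login for this user/device")
        if row["region"] not in allowed_regions and row["region"] not in seen_regions[row["user"]]:
            reasons.append(f"unexpected source region {row['region']}")
        if reasons:
            findings.append((row, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in flag_cookie_logins(SAMPLE_LOG):
        print(f"{row['time']} user={row['user']} ip={row['public_ip']}: {'; '.join(reasons)}")
```

Run against the constructed sample, the admin row is flagged for both reasons and bob's second login only for the unexpected region; alice's cookie reconnect is not flagged because her earlier credential login is on record.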
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html
- https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html
- https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.
This post originally appeared on Smarter MSP.

