FORSMILE
Security 2026/05/31

[URGENT] Severe Authentication Bypass Vulnerability in Palo Alto Networks PAN-OS GlobalProtect, Immediate Action Required

A severe authentication bypass vulnerability (CVE-2026-0257) has been disclosed in Palo Alto Networks PAN-OS GlobalProtect, and active exploitation has been confirmed. Urgent patch application and mitigation measures are essential.


A severe authentication bypass vulnerability (CVE-2026-0257) has been discovered in the GlobalProtect component of Palo Alto Networks' security product, PAN-OS, and active exploitation has been confirmed. This vulnerability allows attackers to bypass authentication, establish unauthorized VPN connections, and potentially infiltrate protected networks. CISA has added this vulnerability to its Known Exploited Vulnerabilities Catalog, urging immediate action.

Vulnerability Overview and Scope of Impact

CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS. Environments where authentication override cookies are enabled and specific certificate configurations exist are particularly affected. Attackers can remotely exploit this vulnerability without authentication to establish unauthorized VPN sessions. Panorama and Cloud NGFW deployments are not affected.

CVE Score: 9.8 CRITICAL (highest severity), CVE-2026-0257

Specific Impacts and Attack Scenarios

Attackers can establish VPN connections without legitimate authentication credentials by using crafted authentication override cookies. This enables unauthorized access to corporate internal networks, potentially leading to severe consequences such as data theft, system tampering, or even ransomware infection. Rapid7 has observed active exploitation of this vulnerability in multiple customer environments since May 17th, noting that attackers can forge cookies from a public key, especially when misconfigurations lead to the same certificate being used for HTTPS services and cookie encryption functions.

Immediate Actions for Engineers

Palo Alto Networks has already released a corrective patch, and applying it immediately is the highest priority. If patch application is difficult, implement the following mitigation measures. Restricting access to GlobalProtect interfaces using a web server or reverse proxy (e.g., Nginx) is particularly effective as part of a multi-layered defense strategy.

1. **Apply Corrective Patches**: Update to the corrected PAN-OS release provided by Palo Alto Networks as soon as possible.

2. **Disable Authentication Override Feature**: Disable the authentication override feature for GlobalProtect portals and gateways unless absolutely necessary.

3. **Use Dedicated Certificates**: If the authentication override feature must be used, generate and use a dedicated certificate different from the GlobalProtect portal/gateway certificate.

4. **Enforce Multi-Factor Authentication (MFA)**: Enforce multi-factor authentication for all GlobalProtect users to restrict further access from unauthorized sessions.

5. **Strengthen Access Restrictions**: Restrict access to GlobalProtect portal and gateway interfaces to trusted client networks only. Below is an example Nginx configuration allowing access from specific IP addresses.

```nginx
location /global-protect {
    # Permitted IP addresses or CIDR ranges
    allow 192.168.1.0/24;
    allow 203.0.113.42;

    # Deny all other access
    deny all;

    # Reverse proxy to the GlobalProtect endpoint
    proxy_pass https://your-globalprotect-endpoint.com;
    # Other settings such as proxy_set_header go here
}
```
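As an added check (not from the original post or from Palo Alto Networks), the following Python script compares the fingerprint of the certificate the portal currently serves with an exported authentication override certificate, flagging the shared-certificate misconfiguration described above. It assumes the override certificate has been exported to a PEM file and that the portal hostname is known; only the standard library is used.

```python
"""Detect whether a GlobalProtect portal's HTTPS certificate is the same
certificate configured for authentication override cookies.

Added example, not from the original post or from Palo Alto Networks.
Assumptions: the operator has exported the authentication override
certificate as a PEM file, and the portal hostname/port are known.
Certificates are compared by SHA-256 fingerprint of their DER encoding,
so PEM line wrapping or trailing whitespace cannot hide a match.
"""
import base64
import hashlib
import ssl
import sys

PEM_HEADER = "-----BEGIN CERTIFICATE-----"
PEM_FOOTER = "-----END CERTIFICATE-----"


def pem_to_der(pem: str) -> bytes:
    """Decode the first PEM certificate block to DER, ignoring other text."""
    start = pem.find(PEM_HEADER)
    end = pem.find(PEM_FOOTER, start)
    if start < 0 or end < 0:
        raise ValueError("no PEM certificate block found")
    body = pem[start + len(PEM_HEADER):end]
    return base64.b64decode("".join(body.split()))


def cert_fingerprint(pem: str) -> str:
    """SHA-256 fingerprint of the DER certificate as colon-separated hex."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fetch_portal_certificate(host: str, port: int = 443) -> str:
    """Return the PEM certificate currently served by the portal/gateway."""
    return ssl.get_server_certificate((host, port))


def find_shared_certificates(portal_pem: str, named_certs: dict) -> list:
    """Names of exported certificates identical to the portal's HTTPS cert.
    A non-empty result means one certificate serves two purposes; the
    override feature needs its own dedicated certificate."""
    portal_fp = cert_fingerprint(portal_pem)
    return [n for n, pem in named_certs.items() if cert_fingerprint(pem) == portal_fp]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_gp_cert.py <portal-host> <override-cert.pem>")
    with open(sys.argv[2]) as fh:
        exported = {"authentication-override": fh.read()}
    shared = find_shared_certificates(fetch_portal_certificate(sys.argv[1]), exported)
    print("SHARED certificate, fix required:" if shared else "distinct certificates", shared)
```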

Reference Sources / Official Patch Information