SecPod
Inside CVE-2026-0257: PAN-OS GlobalProtect Authentication Bypass Under Active Attack

Jun 9, 2026

A critical authentication bypass vulnerability, CVE-2026-0257, affects Palo Alto Networks PAN-OS GlobalProtect Portal and Gateway deployments. The vulnerability allows a remote, unauthenticated attacker to establish an unauthorized VPN connection by exploiting weaknesses in the handling of authentication override cookies.

The issue arises when specific certificate configurations are used alongside the authentication override feature. An attacker can craft a malicious authentication cookie that is accepted by the affected system, allowing VPN access without valid credentials. As the vulnerability impacts remote access infrastructure, successful exploitation can expose internal network resources to unauthorized users.

Vulnerability Details

CVE-2026-0257:

  • Vulnerability: Authentication Bypass
  • CVSS Score: 9.1
  • EPSS Score: 41.50%

The vulnerability stems from improper validation of authentication override cookies.

Authentication override is a feature that allows users to reconnect without repeatedly providing credentials. When a specific certificate configuration exists, the same certificate used by the GlobalProtect HTTPS service may also be used for authentication override operations.

Because the public portion of the certificate is accessible through the HTTPS service, an attacker can obtain the certificate and generate a forged authentication override cookie. Due to insufficient integrity validation, the affected system may trust the crafted cookie and grant access without performing normal authentication checks.
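The design flaw described above is a general one: a cookie whose integrity tag can be recomputed from material the server hands to every HTTPS client is not protected at all. The Python below is an added illustration, not PAN-OS code and not a description of the actual GlobalProtect cookie format (which this article does not detail). It contrasts a weak scheme, where the tag is a hash over the payload and a public certificate, with a hardened one, where the tag is an HMAC under a key that never leaves the server, and shows that a party holding only the public material can satisfy the first verifier but not the second. The certificate bytes, the server secret, and the claim names are constructed for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time

# Constructed stand-in for the public half of a server certificate. In the
# scenario the article describes, this is exactly what any HTTPS client can
# fetch from the portal or gateway, so it must be treated as public, not secret.
PUBLIC_CERT_DER = b"CONSTRUCTED-PUBLIC-CERTIFICATE-BYTES (placeholder, not a real cert)"

# Constructed server-only secret: generated on the appliance and never served.
SERVER_SECRET = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _split(cookie: str):
    """Return (payload, tag) or None if the cookie is malformed."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        return _unb64(payload_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return None


def _user_if_unexpired(payload: bytes):
    """Decode the claims and return the user only while the cookie is still valid."""
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    return claims.get("user") if claims.get("exp", 0) >= time.time() else None


# --- Weak design: the "integrity" tag depends only on public material --------

def weak_issue(user: str, public_material: bytes = PUBLIC_CERT_DER, ttl: int = 3600) -> str:
    payload = json.dumps({"user": user, "exp": int(time.time()) + ttl}).encode()
    tag = hashlib.sha256(payload + public_material).digest()
    return _b64(payload) + "." + _b64(tag)


def weak_verify(cookie: str, public_material: bytes = PUBLIC_CERT_DER):
    parts = _split(cookie)
    if parts is None:
        return None
    payload, tag = parts
    expected = hashlib.sha256(payload + public_material).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return _user_if_unexpired(payload)


# --- Hardened design: HMAC under a key that never leaves the server ----------

def strong_issue(user: str, key: bytes = SERVER_SECRET, ttl: int = 3600) -> str:
    payload = json.dumps({"user": user, "exp": int(time.time()) + ttl}).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def strong_verify(cookie: str, key: bytes = SERVER_SECRET):
    parts = _split(cookie)
    if parts is None:
        return None
    payload, tag = parts
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        return None
    return _user_if_unexpired(payload)


def demo() -> dict:
    """Model a party that holds only the public certificate material."""
    outsider_weak = weak_issue("admin")                           # same computation the server does; no secret needed
    outsider_strong = strong_issue("admin", key=PUBLIC_CERT_DER)  # best available guess at the server key
    return {
        "weak_accepts_outsider_cookie": weak_verify(outsider_weak) == "admin",
        "strong_rejects_outsider_cookie": strong_verify(outsider_strong) is None,
        "strong_accepts_genuine_cookie": strong_verify(strong_issue("alice")) == "alice",
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point for reviewers of any reconnect or "remember me" mechanism is the provenance of the key material: if every input to the integrity check is served to clients, the check only detects accidental corruption, never deliberate forgery. An HMAC (or a signature whose private key is kept off the HTTPS path) under a secret that is distinct from the TLS certificate, plus an expiry claim and constant-time comparison, is the minimum that makes such a cookie an authentication artefact rather than a formatting convention.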

Infection Method

Step 1: Identify an Exposed GlobalProtect Instance
The attacker locates an internet-facing GlobalProtect Portal or Gateway running a vulnerable configuration.

Step 2: Obtain the Public Certificate
The attacker connects to the HTTPS service exposed by the GlobalProtect Portal or Gateway and retrieves the publicly available certificate.

Step 3: Analyze Authentication Override Configuration
The attacker determines whether the deployment uses the vulnerable certificate configuration associated with authentication override cookies.

Step 4: Create a Forged Authentication Cookie
Using information obtained from the certificate, the attacker generates a crafted authentication override cookie containing manipulated authentication data.

Step 5: Send Authentication Request
The forged cookie is included in a request to the GlobalProtect Portal or Gateway.

Step 6: Bypass Authentication Validation
Because the affected system does not properly validate the integrity of the authentication override cookie, the request is accepted.

Step 7: Establish Unauthorized VPN Access
The attacker successfully establishes a VPN connection without providing valid user credentials.

Step 8: Access Internal Resources
After gaining VPN access, the attacker can interact with internal systems and services that are accessible through the VPN environment.

Impact

  • Authentication Security Controls Are Bypassed
  • Unauthorized Remote Access Is Established
  • Internal Network Exposure
  • Internal Reconnaissance
  • Access to Sensitive Information

Attack Flow

Initial Access → Identify Exposed GlobalProtect Portal/Gateway → Obtain Public HTTPS Certificate → Identify Vulnerable Authentication Override Configuration → Forge Authentication Override Cookie → Submit Malicious Authentication Request → Bypass Authentication Validation → Establish Unauthorized VPN Connection → Access Internal Resources → Perform Internal Reconnaissance and Further Network Activities

Mitigation

  • Upgrade affected PAN-OS installations to a vendor-fixed version.
  • Disable the authentication override feature if it is not required.
  • Restrict VPN users to only the resources necessary for their role.
  • Implement network segmentation to limit exposure of critical systems.

Instantly Fix Risks with Saner Patch Management

Saner Patch Management is continuous, automated, and integrated patching software that instantly fixes risks exploited in the wild. It supports major operating systems including Windows, Linux, and macOS, as well as 550+ third-party applications.

It also lets you set up a safe testing area to validate patches before deploying them to the primary production environment, and it supports patch rollback in case of a patch failure or system malfunction.

Experience the fastest and most accurate patching software here.
