Share
## https://sploitus.com/exploit?id=8ACA06E0-2BAF-5AF0-B97A-1DE1CA40BAF2
# ๐Ÿšจ CVE-2026-0257 - Authentication Bypass Vulnerabilities




**PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities**

![Palo Alto Networks](https://img.shields.io/badge/Vendor-Palo%20Alto%20Networks-red)
![Severity](https://img.shields.io/badge/Severity-HIGH%20%2F%20CRITICAL-orange)
![Published](https://img.shields.io/badge/Published-May%2013%2C%202026-blue)

**Authentication Bypass in GlobalProtect Portal & Gateway**



---

## ๐Ÿ“‹ Table of Contents

- [Overview](#-overview)
- [Severity & Scoring](#-severity--scoring)
- [Description](#-description)
- [Affected Products](#-affected-products)
- [Vulnerable Configuration](#-vulnerable-configuration)
- [Impact](#-impact)
- [Exploitation Status](#-exploitation-status)
- [Patches & Fixes](#-patches--fixes)
- [Mitigations](#-mitigations)
- [References](#-references)
- [Timeline](#-timeline)

---

## ๐Ÿ“Œ Overview

**CVE-2026-0257** is an **authentication bypass vulnerability** affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software.

An unauthenticated remote attacker can bypass security restrictions and establish an **unauthorized VPN connection** to affected firewalls.

> **Note**: Panorama and Cloud NGFW are **not impacted**.

---

## โš ๏ธ Severity & Scoring


| Metric              | Score                  | Rating      |
|---------------------|------------------------|-------------|
| **CVSS v4.0**       | 7.8 / 4.7             | **High** / Medium |
| **CVSS v3.x**       | Up to 9.8             | **Critical** |
| **Urgency**         | **HIGHEST**           | -           |



**Vector (CVSS 4.0 example)**:  
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N`

---

## ๐Ÿ“– Description

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OSยฎ software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection.

The issue stems from **CWE-565: Reliance on Cookies without Validation and Integrity Checking**.

---

## ๐Ÿ›  Affected Products

- **PAN-OS** versions prior to fixed releases (10.2, 11.1, 11.2, 12.1)
- **Prisma Access** (specific versions)
- Firewalls with **GlobalProtect** portal or gateway configured

**Not Affected**:
- Panorama
- Cloud NGFW

---

## ๐Ÿ” Vulnerable Configuration

This vulnerability **requires** the following configuration to be exploitable:

1. GlobalProtect portal **or** gateway is configured
2. **Authentication override cookies** are enabled
3. The authentication override cookie encryption/decryption certificate is **reused** with another feature

---

## ๐Ÿ’ฅ Impact

- **Unauthorized VPN access** to internal networks
- Potential lateral movement by attackers
- Bypass of multi-factor authentication (in certain setups)
- Significant risk to enterprise perimeters

**High impact on confidentiality and integrity** of protected networks.

---

## ๐Ÿ”ฅ Exploitation Status

- **Actively Exploited** in the wild (as of May 17, 2026)
- Rapid7 observed successful exploitation
- Palo Alto Networks confirmed limited exploit attempts
- Added to **CISA Known Exploited Vulnerabilities (KEV)** catalog on May 29, 2026

---

## โœ… Patches & Fixes

**Fixed Versions** (apply **urgently**):

| PAN-OS Version | Fixed Release                  |
|----------------|--------------------------------|
| 12.1           | โ‰ฅ 12.1.4-h6, โ‰ฅ 12.1.7         |
| 11.2           | โ‰ฅ 11.2.4-h17, โ‰ฅ 11.2.7-h14, etc. |
| 11.1           | โ‰ฅ 11.1.4-h33, โ‰ฅ 11.1.7-h6, etc. |
| 10.2           | โ‰ฅ 10.2.7-h34, โ‰ฅ 10.2.10-h36, etc. |

**Prisma Access** also has corresponding fixed versions.

---

## ๐Ÿ›ก๏ธ Mitigations

**Immediate Workarounds** (if patching not possible):

- Disable **authentication override cookies** if not required
- Avoid certificate reuse for GlobalProtect authentication override
- Monitor GlobalProtect logs for suspicious VPN connections
- Restrict management access and enable strict security policies

---

## ๐Ÿ”— References

- [Official Palo Alto Networks Advisory](https://security.paloaltonetworks.com/CVE-2026-0257)
- [NVD Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-0257)
- [Rapid7 Analysis](https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

---

## ๐Ÿ“… Timeline


| Date              | Event |
|-------------------|-------|
| **2026-05-13**    | CVE Published + Initial Advisory |
| **2026-05-17**    | Exploitation observed in the wild |
| **2026-05-29**    | Palo Alto update + CISA KEV addition |
| **2026-05-30**    | This Report |


---



**Recommendation**: Patch **immediately** โ€” treat as **critical** despite base CVSS score due to active exploitation.

*Generated in README style โ€” May 30, 2026*