CISA Warns of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)

CISA has warned about active exploitation of a vulnerability impacting the GlobalProtect portal and gateway of Palo Alto Networks’ PAN-OS software. Tracked as CVE-2026-0257, the vulnerability may allow a remote unauthenticated attacker to successfully establish a VPN connection through the GlobalProtect gateway of an affected appliance.

Palo Alto Networks also states in its advisory that it is aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied. CISA added the vulnerability to its Known Exploited Vulnerabilities Catalog and urged users to patch it before June 1, 2026.

In Palo Alto Networks PAN-OS, GlobalProtect is an endpoint and remote access VPN solution. The Portal handles management, authentication, and client configuration, while the Gateway serves as the data plane that processes VPN traffic and enforces security policies.

Prerequisite

This vulnerability affects firewalls configured with a GlobalProtect portal or gateway that have authentication override cookies enabled and a specific certificate configuration. To determine whether authentication override cookies are enabled, follow the steps below:

On the Portal:

  1. Navigate to Network > GlobalProtect > Portals in the management interface.
  2. Click on your Portal Name and go to the Agent tab.
  3. Click on your Agent Configuration profile.
  4. Go to the Authentication tab.
  5. Check whether the Generate cookie for authentication override or Accept cookie for authentication override option is checked.

On the Gateway:

  1. Navigate to Network > GlobalProtect > Gateways in the management interface.
  2. Click on your Gateway Name and go to the Agent tab.
  3. Click on your Client Settings profile.
  4. Go to the Authentication Override tab.
  5. Check whether the Accept cookie for authentication override option is checked.

Vulnerability Details

The vulnerability exists in GlobalProtect’s authentication override feature, which allows authenticated users to receive a cookie that can later be presented to the portal or gateway, bypassing the need to re-enter credentials. Functionally, these cookies behave like bearer tokens. The feature is not enabled by default.

Successful exploitation of the vulnerability depends on a specific certificate configuration. The certificate used to encrypt and decrypt authentication override cookies must be exposed via another service, such as the portal or gateway’s HTTPS interface. When this occurs, an attacker can obtain the corresponding public key.

Analysis of the GlobalProtect service revealed that incoming authentication override cookies are decrypted using the configured private key and then trusted without verifying their integrity through a digital signature or similar validation mechanism. Because the decrypted contents are accepted as authentic, anyone possessing the matching public key can create a forged cookie containing arbitrary user information.

If the same certificate is reused for both HTTPS services and authentication override cookies, attackers can retrieve the public key from the server’s certificate chain and use it to generate valid-looking cookies. Once submitted to the GlobalProtect portal or gateway, these forged cookies may be accepted as legitimate, enabling authentication bypass and potentially granting VPN access without valid credentials.

Affected versions

  • PAN-OS 12.1 versions before PAN-OS 12.1.4-h6
  • PAN-OS 11.2 versions before PAN-OS 11.2.4-h17
  • PAN-OS 11.1 versions before PAN-OS 11.1.4-h33
  • PAN-OS 10.2 versions before PAN-OS 10.2.7-h34

Mitigation

Users must upgrade to the following versions to patch the vulnerability:

  • PAN-OS 12.1 version PAN-OS 12.1.4-h6 and later
  • PAN-OS 11.2 version PAN-OS 11.2.4-h17 and later
  • PAN-OS 11.1 version PAN-OS 11.1.4-h33 and later
  • PAN-OS 10.2 version PAN-OS 10.2.7-h34 and later

For more information, please refer to the Palo Alto Networks Security Advisory.
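A triage sketch for the version lists above, added here as an example and not taken from Palo Alto Networks or Qualys: it compares inventory versions against the fixed builds on this page and compares hotfix numbers numerically, so h9 sorts before h33. The inventory, hostnames and status labels are constructed, and the ordering (maintenance number, then hotfix number) is an assumption to confirm against the vendor advisory.

```python
import re

# Fixed builds per release train, copied from the list above.
FIXED = {"12.1": "12.1.4-h6", "11.2": "11.2.4-h17",
         "11.1": "11.1.4-h33", "10.2": "10.2.7-h34"}
# Assumption: versions look like MAJOR.MINOR.MAINT with an optional -hN hotfix.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """'11.2.4-h17' -> (11, 2, 4, 17); a build with no hotfix gets hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version, override_cookies):
    """Return 'fixed', 'exposed', 'upgrade' or 'review' for one firewall."""
    try:
        v = parse(version)
    except ValueError:
        return "review"                     # unparseable version string
    fixed = FIXED.get(f"{v[0]}.{v[1]}")
    if fixed is None:
        return "review"                     # train not listed on this page
    if v >= parse(fixed):
        return "fixed"
    # Below the fixed build: the override-cookie prerequisite sets the urgency.
    return "exposed" if override_cookies else "upgrade"

# Constructed inventory: (hostname, PAN-OS version, override cookies enabled).
INVENTORY = [
    ("fw-edge-01", "11.2.4-h16", True),
    ("fw-edge-02", "11.2.4-h17", True),
    ("fw-branch-03", "10.2.7", False),
    ("fw-dc-04", "12.1.4-h6", False),
    ("fw-lab-05", "11.0.3", True),
    ("fw-lab-06", "11.1.4-h9", True),
]

def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(ver, cookies) for host, ver, cookies in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:14} {status}")
```

The override-cookie flag for each device comes from the Portal and Gateway checks in the Prerequisite section; "review" marks devices whose release train is not covered by the lists on this page.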

Qualys Detection

Qualys customers can scan their devices with QID 734231 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://security.paloaltonetworks.com/CVE-2026-0257