Concise Cyber

Critical Authentication Bypass Vulnerability in Palo Alto Networks PAN-OS Actively Exploited

Security researchers and threat hunters are responding to an actively exploited authentication-bypass vulnerability impacting Palo Alto Networks customers’ firewalls. The flaw, identified as CVE-2026-0257, affects PAN-OS GlobalProtect portal and gateway devices and allows attackers to bypass authentication mechanisms and establish unauthorized VPN access. According to Palo Alto Networks’ Unit 42, an unidentified threat actor is actively attempting to leverage the vulnerability to gain access to GlobalProtect environments.

The vulnerability stems from improper validation of authentication override cookies, enabling an attacker to forge these cookies using the appliance’s publicly available TLS certificate with a single HTTP request. This allows for unauthorized connection initiation without proper credentials. CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, highlighting the severity of the situation and urging organizations using affected PAN-OS versions to take immediate action.

Exploitation attempts were first observed in mid-May 2026, with subsequent waves occurring throughout the month. Palo Alto Networks released an advisory regarding the vulnerability on May 13, 2026. While specific patch details are not provided in available sources, organizations should prioritize applying any updates or mitigations recommended by the vendor. The issue is classified under CWE-565 (Reliance on Cookies without Validation and Integrity Checking) and mapped to CAPEC-114 (Authentication Abuse).

Exploitation requires firewalls with GlobalProtect configured with authentication override cookies enabled, along with specific certificate configurations. The Hacker News reported that Palo Alto Networks has warned of the vulnerability’s active exploitation in the wild. Belgium’s CCB has also issued a warning about this actively exploited flaw.

Organizations utilizing Palo Alto Networks PAN-OS and GlobalProtect are strongly advised to review their firewall configurations, disable authentication override cookies where possible, and promptly apply any available security patches or mitigations released by Palo Alto Networks. The ongoing exploitation underscores the importance of maintaining vigilant cybersecurity practices and staying informed about emerging threats.
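
One way to carry out the configuration review recommended above, as an added example that is not from Palo Alto Networks or the sources this article summarises: a script that lists every GlobalProtect config in an exported XML configuration where authentication override cookies are accepted or generated, together with the certificate it references. The element names (`authentication-override`, `accept-cookie`, `generate-cookie`, `cookie-encrypt-decrypt-cert`) and their nesting are assumptions about the export layout, and the sample config is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not taken from a real device. Element names and nesting
# are assumptions about how a PAN-OS XML export lays out GlobalProtect settings.
SAMPLE_CONFIG = """\
<global-protect>
  <global-protect-portal><entry name="gp-portal"><client-config><configs><entry name="employees">
    <authentication-override>
      <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
      <generate-cookie>yes</generate-cookie>
      <cookie-encrypt-decrypt-cert>portal-tls-cert</cookie-encrypt-decrypt-cert>
    </authentication-override>
  </entry></configs></client-config></entry></global-protect-portal>
  <global-protect-gateway><entry name="gp-gateway"><remote-user-tunnel-configs><entry name="default">
    <authentication-override><generate-cookie>no</generate-cookie></authentication-override>
  </entry></remote-user-tunnel-configs></entry></global-protect-gateway>
</global-protect>
"""


def audit_auth_override(xml_text):
    """Return one finding per config where override cookies are accepted or generated."""
    findings = []

    def walk(elem, path):
        name = elem.get("name")
        here = path + [f"{elem.tag}[{name}]" if name else elem.tag]
        if elem.tag == "authentication-override":
            accept = elem.find("accept-cookie") is not None
            generate = (elem.findtext("generate-cookie") or "no").strip() == "yes"
            if accept or generate:
                cert = (elem.findtext("cookie-encrypt-decrypt-cert") or "").strip()
                findings.append({
                    "path": "/".join(here[:-1]),   # the config that owns the setting
                    "accept_cookie": accept,
                    "generate_cookie": generate,
                    "cert": cert or None,          # certificate name to review by hand
                })
            return
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), [])
    return findings


if __name__ == "__main__":
    for finding in audit_auth_override(SAMPLE_CONFIG):
        print(finding)
```

Each finding is a config to review against the vendor advisory and a candidate for disabling authentication override cookies; an empty list means the export contains no config with the feature enabled.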
