Key Highlights
A critical vulnerability, CVE-2026-0257, has been identified in the GlobalProtect portal and gateway of
PAN-OS, allowing for authentication bypass. This vulnerability can lead to unauthorized VPN connections,
posing a significant risk to affected systems.
Impact
The vulnerability poses a high risk to large and medium government and business entities, while the risk
is low for home users. Successful exploitation can lead to unauthorized access, data manipulation, and
potential data exfiltration.
Details
• The vulnerability, CVE-2026-0257, affects PAN-OS’s GlobalProtect portal and gateway, allowing
attackers to bypass security restrictions under specific conditions.
• Conditions for exploitation include enabled authentication override cookies and specific
certificate configurations.
• Affected systems include PAN-OS versions:
  o PAN-OS 11.2 < 11.2.4-h17, 11.2 < 11.2.7-h14, 11.2 < 11.2.10-h7, 11.2 < 11.2.12
  o PAN-OS 11.1 < 11.1.4-h33, 11.1 < 11.1.6-h32, 11.1 < 11.1.7-h6, 11.1 < 11.1.10-h25, 11.1 < 11.1.13-h5, 11.1 < 11.1.15
  o PAN-OS 10.2 < 10.2.7-h34, 10.2 < 10.2.10-h36, 10.2 < 10.2.13-h21, 10.2 < 10.2.16-h7, 10.2 < 10.2.18-h6
  o Prisma Access 11.2.0 < 11.2.7-h13, 10.2.0 < 10.2.10-h36
• Tactic: Initial Access (TA0001)
• Technique: Exploit Public-Facing Application (T1190)
Exploitation Activity
• Limited exploit attempts have been observed on unpatched PAN-OS devices.
• The vulnerability is listed in CISA’s Known Exploited Vulnerabilities Catalog, indicating active
exploitation.
Recommended Actions
• Apply updates provided by Palo Alto Networks to affected systems immediately after testing.
• Maintain a documented vulnerability management process and update it annually or when
significant changes occur.
• Perform regular application updates and vulnerability scans on enterprise assets.
• Implement the Principle of Least Privilege and manage default accounts on enterprise assets.
• Use capabilities to detect and block exploit conditions and enable anti-exploitation features.