Tuesday, 02 January 2024 12:17 GMT

Palo Alto VPN Flaw Draws Urgent Patching


(MENAFN- The Arabian Post) Cybersecurity teams are racing to patch a Palo Alto Networks authentication-bypass flaw after confirmed exploitation against exposed GlobalProtect deployments raised the risk profile of a vulnerability first disclosed this month.

Tracked as CVE-2026-0257, the flaw affects PAN-OS firewalls and Prisma Access environments where GlobalProtect portal or gateway services are configured with authentication override cookies and a vulnerable certificate setup. Successful exploitation allows an unauthenticated remote attacker to bypass normal VPN authentication controls and establish an unauthorised GlobalProtect connection, creating a path into protected corporate networks.

The US Cybersecurity and Infrastructure Security Agency added the vulnerability to its Known Exploited Vulnerabilities catalogue on May 29, 2026, signalling that exploitation has moved beyond theoretical risk. The inclusion places additional pressure on federal agencies and contractors, while serving as a wider warning to private-sector organisations that internet-facing VPN infrastructure remains a preferred entry point for threat actors.

Palo Alto Networks has assigned the issue a high severity rating, with a CVSS 4.0 score of 7.8 and its highest suggested urgency level. The company has said it is aware of limited exploit attempts against unpatched PAN-OS devices where mitigations had not been applied. Security researchers have separately observed successful exploitation across several customer environments, with the earliest activity identified on May 17.

The vulnerability is significant because GlobalProtect is commonly used to provide remote access to enterprise networks. While the flaw does not provide remote code execution by itself and does not automatically grant arbitrary administrative control over the firewall, unauthorised VPN access can still expose internal systems, applications and user environments that would otherwise be shielded from the public internet.


Observed attacker behaviour points to forged authentication cookies being used to impersonate legitimate access. Security teams investigating compromised environments found suspicious cookie-based logins involving local administrative accounts, generic hostnames and spoofed identifiers. Some affected systems accepted forged authentication attempts without completing a full VPN session, while others assigned VPN addresses and gave attackers a foothold inside internal networks.

Two waves of activity have drawn particular attention. One set of attacks involved infrastructure associated with a low-cost hosting provider and suspicious cookie authentication to a local admin account. A later wave used different hosting infrastructure and showed evidence of VPN IP assignment after cookie-based authentication. The activity underlines the speed with which attackers can move once a working exploit path is validated.

The exposure is not universal. A firewall must have GlobalProtect portal or gateway enabled, authentication override cookies in use, and a specific certificate configuration for the vulnerability to be exploitable. Organisations that do not rely on the affected authentication override configuration face lower risk, but administrators are being urged to verify settings rather than assume they are unaffected.

Affected PAN-OS branches include 12.1, 11.2, 11.1 and 10.2, depending on the exact maintenance release installed. Fixed versions include PAN-OS 12.1.4-h6 or 12.1.7 and later, 11.2.4-h17, 11.2.7-h14, 11.2.10-h7 or 11.2.12 and later, 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5 or 11.1.15 and later, and 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6 and later. Prisma Access 10.2 and 11.2 environments are also covered by fixed releases and customer upgrade schedules.

Cloud NGFW and Panorama are not affected by CVE-2026-0257. That distinction is important for large organisations running mixed Palo Alto Networks estates, as remediation priorities will depend on product type, software version and configuration.
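The version list above is easy to misread by hand, because each branch mixes individual fixed hotfix builds with an "and later" threshold, and "10.2.18" on its own is still below "10.2.18-h6". The following Python is an added example, not code from the article or from Palo Alto Networks: it encodes the fixed releases exactly as the article lists them and classifies an inventory row by product and version. It assumes that a later hotfix on the same maintenance release (for instance 12.1.4-h7) keeps the fix introduced by the listed hotfix, that Cloud NGFW and Panorama can be marked not affected as the article states, and that Prisma Access is handled through the vendor's upgrade schedule rather than a version string. A fixed version alone does not settle exposure; whether authentication override cookies and the affected certificate setup are in use still has to be checked in the configuration.

```python
import re
from typing import Optional, Tuple

# Fixed releases exactly as listed in the article, grouped by affected branch.
# "hotfix" entries are individual fixed builds; "and_later" is the release from
# which every later build in the branch is fixed.
FIXED_RELEASES = {
    "12.1": {"hotfix": ["12.1.4-h6"], "and_later": "12.1.7"},
    "11.2": {"hotfix": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7"], "and_later": "11.2.12"},
    "11.1": {"hotfix": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5"],
             "and_later": "11.1.15"},
    "10.2": {"hotfix": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7"],
             "and_later": "10.2.18-h6"},
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.2.10-h7' into (11, 2, 10, 7); a missing hotfix suffix counts as h0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_fixed(version: str) -> Optional[bool]:
    """True if the build carries the fix, False if it sits on an affected branch
    below every fixed release, None if the branch is not one the article lists."""
    v = parse_version(version)
    rules = FIXED_RELEASES.get(f"{v[0]}.{v[1]}")
    if rules is None:
        return None
    if v >= parse_version(rules["and_later"]):
        return True
    for fixed in rules["hotfix"]:
        f = parse_version(fixed)
        # Assumption for this example: a later hotfix on the same maintenance
        # release (e.g. 12.1.4-h7) keeps the fix that 12.1.4-h6 introduced.
        if v[:3] == f[:3] and v[3] >= f[3]:
            return True
    return False


def remediation_status(product: str, version: str) -> str:
    """One-line verdict for an inventory row (product names are assumed labels)."""
    if product in ("Cloud NGFW", "Panorama"):
        return f"{product} {version}: not affected by CVE-2026-0257"
    if product == "Prisma Access":
        return f"{product} {version}: fixed via vendor upgrade schedule; confirm with the provider"
    fixed = is_fixed(version)
    if fixed is None:
        return f"{product} {version}: branch not listed as affected; confirm against the vendor advisory"
    if fixed:
        return f"{product} {version}: fixed release"
    return (f"{product} {version}: vulnerable build; upgrade, or disable authentication "
            "override cookies / use a dedicated cookie certificate until patched")


if __name__ == "__main__":
    # Constructed inventory rows for demonstration.
    for product, version in [("PAN-OS", "11.1.13-h4"), ("PAN-OS", "11.1.15"),
                             ("PAN-OS", "10.2.18"), ("Panorama", "11.1.6")]:
        print(remediation_status(product, version))
```

Feeding an exported firewall inventory through `remediation_status` gives a first cut of the upgrade queue; the "vulnerable build" rows are the ones whose GlobalProtect configuration then needs a manual check for authentication override cookies.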


Mitigation guidance focuses on two immediate steps for organisations that cannot patch straight away. Administrators can disable authentication override by unchecking the options for generating and accepting cookies in the GlobalProtect portal and gateway settings. They can also generate a dedicated certificate used solely for authentication override cookies, ensuring it is not reused for the portal, gateway or any other function.

Patching remains the preferred course because fixed releases regenerate authentication override cookies using a more secure method. Users may need to re-authenticate after an upgrade even if a valid cookie exists, but that one-time disruption is being weighed against the risk of unauthorised VPN access.

Security teams are also being advised to inspect GlobalProtect authentication logs for unusual cookie-based logins, unexpected local account usage, unknown hostnames, spoofed MAC addresses and connections from hosting providers not normally associated with legitimate users. The most useful defensive approach combines software upgrades, configuration review, log analysis and threat hunting across internal systems that may have been reachable through an unauthorised VPN session.
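The indicators listed above (cookie-based logins, local account usage, unknown hostnames, spoofed MAC addresses, hosting-provider source addresses, and cookies accepted without a VPN address being assigned) combine naturally into a triage pass over exported authentication events. The Python below is an added example, not code from the article or from Palo Alto Networks. The log lines are constructed, and their column set is a simplification rather than the real PAN-OS GlobalProtect log schema; the local-account list, endpoint inventory, MAC inventory and hosting-provider ranges are assumed environment knowledge an analyst would substitute from their own records.

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List

# Constructed sample of GlobalProtect authentication events (simplified columns,
# not the real PAN-OS log format). Addresses are documentation ranges.
SAMPLE_LOG = """\
time,user,auth_method,src_ip,hostname,mac,assigned_ip
2026-05-17T02:14:09Z,admin,cookie,203.0.113.45,localhost,00:00:00:00:00:00,10.99.0.21
2026-05-17T08:05:31Z,jsmith,ldap,198.51.100.7,JSMITH-LAPTOP,3c:22:fb:12:34:56,10.99.0.22
2026-05-18T09:40:12Z,jsmith,cookie,198.51.100.7,JSMITH-LAPTOP,3c:22:fb:12:34:56,10.99.0.22
2026-05-19T23:58:44Z,admin,cookie,192.0.2.200,DESKTOP-AAAAAAA,11:22:33:44:55:66,
2026-05-20T01:03:17Z,svc-backup,cookie,203.0.113.99,WIN-PC,00:00:00:00:00:00,10.99.0.23
"""

# Assumed environment knowledge (constructed for this example).
LOCAL_ACCOUNTS = {"admin", "svc-backup"}      # accounts defined locally on the firewall
KNOWN_HOSTNAMES = {"JSMITH-LAPTOP"}          # endpoint inventory
KNOWN_MACS = {"3c:22:fb:12:34:56"}           # MAC inventory from the endpoint agent
PLACEHOLDER_MACS = {"00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"}
HOSTING_PROVIDER_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "192.0.2.0/24")]


@dataclass
class Finding:
    time: str
    user: str
    src_ip: str
    reasons: List[str]


def in_hosting_range(ip: str) -> bool:
    """True when the source address falls inside an assumed hosting-provider range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_PROVIDER_NETS)


def assess_event(row: dict) -> List[str]:
    """Return the indicators matched by one cookie-based login event."""
    reasons = []
    if row["user"] in LOCAL_ACCOUNTS:
        reasons.append("local account used over VPN")
    if row["hostname"] not in KNOWN_HOSTNAMES:
        reasons.append(f"hostname not in inventory: {row['hostname']}")
    mac = row["mac"].lower()
    if mac in PLACEHOLDER_MACS or mac not in KNOWN_MACS:
        reasons.append(f"MAC placeholder or not in inventory: {mac}")
    if in_hosting_range(row["src_ip"]):
        reasons.append(f"source in hosting-provider range: {row['src_ip']}")
    if not row["assigned_ip"]:
        reasons.append("cookie accepted but no VPN address assigned")
    return reasons


def triage(log_text: str, min_indicators: int = 2) -> List[Finding]:
    """Flag cookie-based logins that match at least min_indicators indicators.
    Password/LDAP logins are left to normal review; a single indicator (a new
    laptop, say) is treated as noise unless something else lines up with it."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["auth_method"].lower() != "cookie":
            continue
        reasons = assess_event(row)
        if len(reasons) >= min_indicators:
            findings.append(Finding(row["time"], row["user"], row["src_ip"], reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.time} {f.user} from {f.src_ip}:")
        for r in f.reasons:
            print(f"  - {r}")
```

Run against the sample, the two `admin` logins and the `svc-backup` login are flagged while the `jsmith` cookie login from a known laptop is not. Each flagged event then becomes a pivot for the threat hunting the article describes: the assigned VPN address (where one exists) is the source to look for in internal logs for the window after the login.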
