External risk intelligence

Palo Alto Networks PAN-OS Authentication Bypass Vulnerability

CVE advisory · Known Exploit

CVE-2026-0257

Authentication bypass vulnerabilities in Palo Alto Networks' PAN-OS software allow attackers to circumvent security measures and establish unauthorized VPN connections. This could lead to the compromise of network traffic and internal systems by granting attackers unauthorized network access.

Halo Surface Signal: 5

Authentication Bypass

Palo Alto Networks PAN-OS

Affected versions: before 10.2.7, 10.2.7, 10.2.8, 10.2.9, 10.2.10, 10.2.11, 10.2.12, 10.2.13, 10.2.14, 10.2.15, 10.2.16, 10.2.17

External exposure likelihood

Halo Surface Signal score for CVE-2026-0257

This vulnerability affects GlobalProtect portals and gateways, which are network security appliances explicitly designed to be internet-facing to facilitate remote access and VPN connectivity for users.

PCI scan relevance

PCI Relevance for CVE-2026-0257

Yes

CVE-2026-0257 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Authentication bypass vulnerabilities in Palo Alto Networks PAN-OS allow unauthorized VPN connections, potentially impacting systems that process, store, or transmit cardholder data. This is relevant for PCI compliance as it circumvents security controls.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A high-severity vulnerability has been identified in Palo Alto Networks' PAN-OS software affecting its GlobalProtect portal and gateway. This flaw allows attackers to bypass security restrictions and establish unauthorized VPN connections, potentially granting them access to internal networks.

  • Bypass security to gain unauthorized VPN access.
  • Affects critical remote access infrastructure.
  • Assess exposure and apply vendor updates.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by targeting the GlobalProtect portal or gateway of Palo Alto Networks' PAN-OS software. No authentication is required, allowing an unauthorized user to bypass security controls and establish a VPN connection. This could potentially lead to significant unauthorized access and data compromise due to the ability to establish a network presence within the protected environment.

  • No authentication needed for access.
  • Bypasses security to create VPN.
  • Risk of unauthorized network access.

Live Threat

Current exploitation, exposure, and threat context

As described in the vendor advisory, attackers could bypass security controls to establish unauthorized VPN connections. This could expose network traffic and potentially allow unauthorized access to internal systems.

  • Network traffic and system access at risk.
  • Unauthorized VPN connections could be established.
  • Facilitates further unauthorized network access.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The security teams responsible for Palo Alto Networks GlobalProtect portals and gateways should take the lead on this issue. The first practical step is to identify all instances of the affected PAN-OS software, confirm their exposure and criticality, and then identify the accountable owner for each. Planning remediation should be based on the assessed risk.

  • Identify and confirm exposure for all instances.
  • Determine accountable owners and assess business criticality.
  • Plan remediation based on risk and vendor guidance.

Frequently asked questions

What is Palo Alto Networks PAN-OS software and its GlobalProtect component?

Palo Alto Networks PAN-OS is the operating system for their Next-Generation Firewalls. GlobalProtect is a feature within PAN-OS that provides secure remote access VPN connections, allowing users to access internal networks from outside the corporate perimeter [16].

What type of vulnerability does CVE-2026-0257 describe and what is its weakness class?

CVE-2026-0257 is an authentication bypass vulnerability. This weakness, classified as CWE-565, stems from the firewall relying on cookies without sufficient validation and integrity checking, allowing attackers to bypass security restrictions [3, 6, 8].

How can an attacker exploit CVE-2026-0257 to gain unauthorized VPN access?

An attacker can exploit this vulnerability by forging an authentication override cookie. If the GlobalProtect portal or gateway is configured with authentication override cookies enabled and a specific certificate configuration, the attacker can present this forged cookie to bypass normal credential checks and establish an unauthorized VPN connection [3, 8, 10].
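The cookie-trust weakness named above (CWE-565) and the forged override cookie described in the previous answer, shown as an added illustration that is not PAN-OS code: a minimal check that believes whatever the cookie claims, beside a hardened check that verifies an HMAC tag under a server-held key and enforces expiry. The function names, claim fields and key are constructed for the demo and assume nothing about the real GlobalProtect cookie format.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo key. A real deployment would derive this from dedicated
# certificate/key material, never a hard-coded constant.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def encode_claims(claims: dict) -> str:
    """Serialise cookie claims as URL-safe base64 JSON (no integrity protection)."""
    return base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()


def decode_claims(payload: str):
    """Inverse of encode_claims; returns None on any decoding failure."""
    try:
        return json.loads(base64.urlsafe_b64decode(payload.encode()))
    except Exception:
        return None


def weak_accept(cookie: str, now=None) -> bool:
    """CWE-565 pattern: the server believes whatever the cookie claims."""
    now = time.time() if now is None else now
    claims = decode_claims(cookie)
    return bool(claims) and claims.get("auth_override") is True and claims.get("exp", 0) > now


def mint(claims: dict, key: bytes = DEMO_KEY) -> str:
    """Issue a cookie as payload.tag, where tag is an HMAC-SHA256 over the payload."""
    payload = encode_claims(claims)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{tag}"


def hardened_accept(cookie: str, key: bytes = DEMO_KEY, now=None) -> bool:
    """Accept only if the tag verifies under the server key and the cookie is unexpired."""
    now = time.time() if now is None else now
    payload, sep, tag = cookie.partition(".")
    if not sep:
        return False  # unsigned cookie: reject outright
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False  # tampered payload, or tag issued under a different key
    claims = decode_claims(payload)
    return bool(claims) and claims.get("auth_override") is True and claims.get("exp", 0) > now
```

The interim mitigation of a dedicated certificate for the override feature maps to keeping the key used by the hardened check separate from any other service's key material.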

What is the significance of CVE-2026-0257 affecting GlobalProtect portals and gateways?

The vulnerability's impact is significant because it affects internet-facing VPN services that act as a bridge between the public internet and trusted enterprise networks. Exploitation can lead to unauthorized VPN access, potentially granting attackers a foothold within the internal network [8, 10, 17].

What steps should be taken to respond to CVE-2026-0257?

Organizations should treat this as both a vulnerability management task and a lightweight incident investigation. Key actions include applying vendor-supplied patches immediately, reviewing logs for suspicious activity before and after patching, and considering disabling the authentication override feature or using a dedicated certificate for it as interim mitigations [2, 6, 10, 11].

References