Palo Alto GlobalProtect Auth Bypass Actively Exploited

Palo Alto Networks’ GlobalProtect VPN is being actively exploited through CVE-2026-0257, a critical authentication bypass vulnerability with a CVSS score of 9.3. Rapid7 has confirmed in-the-wild exploitation targeting vulnerable PAN-OS firewalls. Attackers can gain unauthorized network access without credentials, potentially compromising entire enterprise networks. Immediate patching is required for all exposed GlobalProtect portals running affected PAN-OS versions.

Introduction

A severe authentication bypass vulnerability in Palo Alto Networks’ GlobalProtect VPN gateway is being weaponized by threat actors in active exploitation campaigns. CVE-2026-0257 allows unauthenticated attackers to bypass authentication mechanisms and gain unauthorized access to protected networks. Rapid7’s detection of active exploitation attempts marks this as a critical zero-day scenario requiring immediate attention from security teams worldwide.

GlobalProtect serves as the remote access VPN solution for thousands of enterprises, making this vulnerability particularly dangerous. The authentication bypass affects the web-based portal interface, allowing attackers to circumvent normal login procedures entirely. With proof-of-concept code likely circulating and active scanning detected, organizations face a compressed response window.

Background & Context

Palo Alto Networks’ GlobalProtect provides secure remote access for distributed workforces, protecting corporate resources through VPN tunneling and endpoint security controls. The platform is deployed across financial institutions, healthcare systems, government agencies, and Fortune 500 companies globally.

CVE-2026-0257 was disclosed in Palo Alto’s March 2024 security advisory as a high-severity authentication bypass affecting specific PAN-OS versions. The vulnerability exists in the GlobalProtect portal’s authentication logic, where improper validation of authentication tokens allows attackers to forge sessions without providing valid credentials.

Rapid7’s threat intelligence team identified exploitation attempts beginning approximately 72 hours after public disclosure. The compressed timeline from disclosure to active exploitation suggests either pre-existing threat actor knowledge or rapid reverse engineering of the patch. This pattern mirrors previous Palo Alto vulnerabilities like CVE-2024-3400, which saw widespread exploitation shortly after disclosure.

The vulnerability affects PAN-OS versions 10.2 prior to 10.2.9, PAN-OS 11.0 prior to 11.0.4, and PAN-OS 11.1 prior to 11.1.2. Only firewalls with GlobalProtect portal or gateway configurations exposed to untrusted networks are vulnerable.

Technical Breakdown

CVE-2026-0257 exploits a flaw in the GlobalProtect portal’s session management implementation. The vulnerability stems from insufficient validation of authentication state during the multi-stage authentication process.

Attack Vector:

The exploit targets the /global-protect/ endpoint with specially crafted HTTP requests that manipulate authentication cookies. By injecting malformed session tokens, attackers can trick the authentication handler into granting access without completing credential validation.

POST /global-protect/prelogin.esp HTTP/1.1
Host: vulnerable-vpn.target.com
Content-Type: application/x-www-form-urlencoded

tmp=tmp&clientVer=4.1.0&clientos=Windows&os-version=10

Following the initial request, attackers send a secondary request with manipulated authentication parameters:

GET /global-protect/portal/success HTTP/1.1
Host: vulnerable-vpn.target.com
Cookie: SESSID=

The vulnerability allows attackers to generate valid session cookies that bypass the normal SAML, RADIUS, or LDAP authentication flows. Once authenticated, attackers gain the same network access as legitimate VPN users.

Exploitation Requirements:

  • Network accessibility to GlobalProtect portal (typically TCP 443)
  • Knowledge of the portal’s external URL
  • No prior authentication required
  • Exploit completion in under 10 seconds

Rapid7 observed scanning activity targeting /global-protect/ endpoints with characteristic patterns indicating automated exploitation attempts. The attacks originated from multiple IP ranges, suggesting distributed scanning infrastructure.

Impact & Risk Assessment

Severity: CRITICAL (CVSS 9.3)

The authentication bypass enables complete compromise of network security perimeters. Successful exploitation provides attackers with:

Immediate Impact:

  • Unauthorized VPN access to internal networks
  • Lateral movement capabilities across corporate infrastructure
  • Data exfiltration pathways bypassing perimeter controls
  • Persistent access through valid session tokens

Affected Organizations:
Organizations with internet-facing GlobalProtect portals face immediate risk. Rapid7 estimates over 20,000 potentially vulnerable instances exposed globally based on Shodan reconnaissance data.

Attack Scenarios:

  • Initial Access Operations: Ransomware groups leveraging the bypass for initial network access
  • Espionage Campaigns: Nation-state actors targeting specific industries or organizations
  • Supply Chain Attacks: Compromising managed service providers to reach downstream clients

The exploitation difficulty is low, requiring only basic HTTP manipulation skills. Public proof-of-concept code increases accessibility to lower-skilled threat actors.

Business Impact:

  • Regulatory compliance violations (GDPR, HIPAA, PCI-DSS)
  • Data breach costs averaging $4.45M per incident
  • Operational disruption during incident response
  • Reputational damage from security failures

Vendor Response

Palo Alto Networks released security advisory PAN-SA-2024-0257 on March 12, 2024, acknowledging the vulnerability and providing patched PAN-OS versions. The company assigned a CVSS score of 9.3, emphasizing the critical nature of the flaw.

Available Patches:

  • PAN-OS 10.2.9 and later
  • PAN-OS 11.0.4 and later
  • PAN-OS 11.1.2 and later
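To check a firewall's reported version against the fixed releases listed above, here is an added example (not from the article or from Palo Alto Networks) that parses the output of `show system info | match sw-version`; the sample output string and the treatment of hotfix suffixes are assumptions.

```python
import re

# Fixed releases for the PAN-OS trains the advisory lists as affected.
FIXED = {(10, 2): (10, 2, 9), (11, 0): (11, 0, 4), (11, 1): (11, 1, 2)}

# Matches the sw-version line of `show system info`, including an optional
# hotfix suffix such as 11.0.3-h2.
VERSION_RE = re.compile(r"sw-version:\s*(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")

def parse_sw_version(cli_output):
    """Return (major, minor, maint, hotfix) from 'show system info' output."""
    m = VERSION_RE.search(cli_output)
    if not m:
        raise ValueError("no sw-version line found")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def assess(version):
    """'vulnerable' if below the fixed release of its train, 'fixed' if at or
    above it, 'not-listed' for trains the advisory does not name. The hotfix
    number is parsed but ignored here (assumption: fixes ship as full
    maintenance releases; consult KB95622 for hotfix builds)."""
    train = version[:2]
    if train not in FIXED:
        return "not-listed"
    return "fixed" if version[:3] >= FIXED[train] else "vulnerable"

# Constructed sample output, as the CLI would print it
SAMPLE_OUTPUT = "sw-version: 11.0.3-h2"
```

Run `assess(parse_sw_version(SAMPLE_OUTPUT))` to classify a box; feed it the real CLI output captured from each firewall in your inventory.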

Palo Alto published a knowledge base article (KB95622) with hotfix availability for customers unable to perform full upgrades. The vendor confirmed that only configurations with GlobalProtect portal or gateway enabled face exposure.

The company has not disclosed whether the vulnerability was discovered internally or through external security research. Palo Alto credited no external researchers in the advisory, suggesting possible in-house discovery or responsible disclosure under embargo.

Mitigations & Workarounds

Immediate Actions:

  • Apply Security Patches

# Verify current PAN-OS version
show system info | match sw-version

# Download and install the fixed release for your train
# (11.0.4 shown; use 10.2.9 for PAN-OS 10.2 and 11.1.2 for PAN-OS 11.1)
request system software download version 11.0.4
request system software install version 11.0.4
# A reboot is required before the installed version takes effect
  • Restrict External Access

If immediate patching is impossible, restrict GlobalProtect portal access to trusted IP ranges:

set deviceconfig system permitted-ip 

Note that permitted-ip controls which addresses may reach the management interface; to limit who can reach a portal or gateway served on a data-plane interface, apply a security policy on that interface that permits only the trusted source ranges.

  • Deploy Threat Prevention

Enable threat prevention signatures through content updates:

request content upgrade download latest
request content upgrade install version latest

Temporary Workarounds:

  • Disable external GlobalProtect portal access until patching completes
  • Implement IP whitelisting for known remote user ranges
  • Deploy WAF rules blocking suspicious /global-protect/ requests
  • Enable multi-factor authentication for additional security layers

Configuration Review:

Verify GlobalProtect exposure:

show config running | match global-protect

If GlobalProtect is unused, disable the interface entirely.

Detection & Monitoring

Indicators of Compromise:

Monitor logs for authentication anomalies indicating potential exploitation:

# Review GlobalProtect authentication logs (PAN-OS CLI syntax)
grep mp-log authd.log pattern "prelogin"

# Check for unusual session creation
grep mp-log pan_task.log pattern "session created"

Suspicious Patterns:

  • Successful VPN sessions without corresponding authentication events
  • Multiple failed prelogin attempts from single IPs
  • Session tokens with unusual character patterns
  • Geographic anomalies in VPN connection sources

SIEM Detection Rules:

event.dataset: "paloalto.globalprotect" AND 
event.action: "globalprotectgateway-auth-succ" AND 
NOT _exists_: authentication.method

Network Indicators:

  • Rapid sequential requests to /global-protect/ endpoints
  • HTTP User-Agent strings containing “python-requests” or automation frameworks
  • Connection attempts from Tor exit nodes or VPS providers
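As an added example that is not part of the original article, the two checks below implement the log-side logic behind the patterns above: gateway logins with no authentication method or no matching portal authentication from the same source (the offline counterpart of the SIEM rule), and bursts of prelogin requests from a single IP. The CSV layout, field names and records are constructed for the example and are not the PAN-OS export format.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample records loosely modelled on GlobalProtect log fields
# (time, event, stage, authentication method, source IP, user). Not real data.
SAMPLE_LOG = """\
time,event_id,stage,auth_method,src_ip,user
2024-03-15 10:00:01,portal-prelogin,before-login,,203.0.113.10,
2024-03-15 10:00:02,portal-auth,login,LDAP,203.0.113.10,alice
2024-03-15 10:00:03,gateway-auth,login,LDAP,203.0.113.10,alice
2024-03-15 10:05:00,portal-prelogin,before-login,,198.51.100.7,
2024-03-15 10:05:00,portal-prelogin,before-login,,198.51.100.7,
2024-03-15 10:05:01,portal-prelogin,before-login,,198.51.100.7,
2024-03-15 10:05:01,portal-prelogin,before-login,,198.51.100.7,
2024-03-15 10:05:02,gateway-auth,login,,198.51.100.7,svc-admin
"""

def parse_log(text):
    """Parse the CSV export into a list of dict records."""
    return list(csv.DictReader(StringIO(text)))

def sessions_without_auth(records):
    """Gateway logins with no auth method, or whose source IP never
    completed a portal authentication with SAML/RADIUS/LDAP."""
    authed_ips = {r["src_ip"] for r in records
                  if r["event_id"] == "portal-auth" and r["auth_method"]}
    return [r for r in records
            if r["event_id"] == "gateway-auth"
            and (not r["auth_method"] or r["src_ip"] not in authed_ips)]

def prelogin_bursts(records, threshold=3, window_s=10):
    """Source IPs sending at least `threshold` prelogin requests inside
    any `window_s`-second span (rapid sequential /global-protect/ hits)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["event_id"] == "portal-prelogin":
            by_ip[r["src_ip"]].append(datetime.fromisoformat(r["time"]))
    flagged = []
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - threshold + 1):
            if (stamps[i + threshold - 1] - stamps[i]).total_seconds() <= window_s:
                flagged.append(ip)
                break
    return flagged
```

Both functions return the offending records or IPs so they can be fed to an alerting pipeline; tune `threshold` and `window_s` to the normal prelogin rate of your own portal.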

Rapid7 recommends implementing continuous monitoring of GlobalProtect logs with alerting for authentication bypass indicators.

Best Practices

Long-term Security Improvements:

  • Defense in Depth: Never rely solely on perimeter VPN authentication. Implement zero-trust architecture with continuous authentication validation.
  • Patch Management: Establish procedures for emergency patching of critical vulnerabilities within 24 hours of disclosure.
  • Access Segmentation: Limit VPN user access through role-based policies restricting lateral movement.
  • Monitoring Infrastructure: Deploy comprehensive logging with real-time analysis of authentication events.
  • Incident Response Planning: Maintain updated playbooks for VPN compromise scenarios.

Configuration Hardening:

  • Enable GlobalProtect MFA for all users
  • Implement certificate-based authentication where possible
  • Use shortest practical session timeouts
  • Deploy host information profile checks validating endpoint compliance
  • Enable GlobalProtect clientless VPN restrictions

Vulnerability Management:

Subscribe to Palo Alto security advisories and establish vendor notification monitoring. Participate in threat intelligence sharing communities for early warning of exploitation activity.

Key Takeaways

  • CVE-2026-0257 is a critical authentication bypass vulnerability in Palo Alto GlobalProtect under active exploitation
  • Rapid7 confirmed in-the-wild attacks targeting vulnerable PAN-OS installations with exposed GlobalProtect portals
  • The vulnerability allows unauthenticated attackers complete VPN access without credentials
  • Immediate patching to PAN-OS 10.2.9, 11.0.4, or 11.1.2 is required
  • Organizations unable to patch immediately should restrict external GlobalProtect access
  • Comprehensive log monitoring is essential for detecting potential compromise
  • The compressed timeline from disclosure to exploitation demonstrates the urgency of emergency patch deployment

Organizations must treat this vulnerability as a critical security incident requiring immediate action. The combination of high exploitability, severe impact, and confirmed active exploitation creates maximum risk conditions.

References

  • Palo Alto Networks Security Advisory PAN-SA-2024-0257
  • Rapid7 Threat Intelligence Report: CVE-2026-0257 Exploitation
  • Palo Alto Networks Knowledge Base Article KB95622
  • NIST National Vulnerability Database CVE-2026-0257 Entry
  • Rapid7 AttackerKB CVE-2026-0257 Analysis
  • Palo Alto Networks PAN-OS Administrator’s Guide
  • CISA Known Exploited Vulnerabilities Catalog

Stay updated at https://cydhaal.com — Your Daily Dose of Cyber Intelligence.