Tag

Prisma Access

All articles tagged with #prisma access

Active Exploitation of PAN-OS Authentication Bypass CVE-2026-0257 Prompts Urgent Patch
cyber-security | 12 hours ago

CVE-2026-0257, a remote authentication bypass in the non-default Authentication Override feature of PAN-OS and Prisma Access, is being actively exploited. The flaw lets attackers forge session cookies and bypass login to establish unauthorized GlobalProtect VPN connections. Rapid7 has documented two exploitation waves in May 2026, with indicators including the spoofed MAC address aa:bb:cc:dd:ee:ff and IPs tied to the waves (e.g., 104.207.144.154; 146.19.216.119/120/125). CISA added the flaw to KEV on May 29, 2026. Patches are available for PAN-OS versions 12.1.4-h6/12.1.7, 11.2.12, 11.1.15, 10.2.18-h6 and Prisma Access 11.2.7-h13+ (or later) or 10.2.10-h36+. Mitigations include disabling Authentication Override if it is not needed, using a dedicated cookie-encryption certificate, hunting for IOCs in VPN/GlobalProtect logs, and applying MDR detection rules (e.g., “Suspicious Authentication – Palo Alto GlobalProtect Cookie Authentication to Local Admin Account”). Despite a medium CVSSv4 score, rapid remediation is urged because of active exploitation and a public PoC.