PAN-OS CVE-2026-0257: GlobalProtect Auth Bypass Patch Guide

CISA added PAN-OS CVE-2026-0257 to KEV after limited exploit attempts. Check GlobalProtect authentication override cookies, mitigate, patch, and verify VPN logs.

Impact statement: PAN-OS CVE-2026-0257 is a high-risk GlobalProtect authentication bypass issue. Palo Alto Networks says affected PAN-OS and Prisma Access builds can allow an attacker to bypass security restrictions and establish an unauthorized VPN connection when the vulnerable GlobalProtect configuration is present. CISA added the issue to the Known Exploited Vulnerabilities catalog on May 29, 2026, after Palo Alto updated the advisory for limited exploit attempts against unpatched devices without mitigations.

This is a firewall-edge problem, not a routine desktop patch. If your business, MSP, hosting network, or remote-work environment uses Palo Alto GlobalProtect, check exposure today, apply Palo Alto’s mitigation guidance, and move affected firewalls to a fixed release during the next controlled maintenance window.

Who Is Affected

The risk applies to PAN-OS firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and the certificate setup matches Palo Alto’s advisory conditions. Prisma Access is also listed for affected 10.2 and 11.2 builds. Palo Alto lists Cloud NGFW and Panorama as not impacted by this issue.

The practical question for admins is simple: do you run GlobalProtect, and are you using authentication override cookies? If yes, treat this as urgent until the device is confirmed mitigated or patched.

Fixed PAN-OS Targets

Use Palo Alto’s advisory as the source of truth before scheduling work, because hotfix targets can change quickly during active incidents. As of this update, the fixed targets listed through the CVE record include:

  • PAN-OS 12.1: 12.1.7, 12.1.4-h6, or later fixed builds.
  • PAN-OS 11.2: 11.2.12, 11.2.10-h7, 11.2.7-h14, 11.2.4-h17, or later fixed builds.
  • PAN-OS 11.1: 11.1.15, 11.1.13-h5, 11.1.10-h25, 11.1.7-h6, 11.1.6-h32, 11.1.4-h33, or later fixed builds.
  • PAN-OS 10.2: 10.2.18-h6, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, 10.2.7-h34, or later fixed builds.
  • Prisma Access 11.2: 11.2.7-h13 or later.
  • Prisma Access 10.2: 10.2.10-h36 or later.

What To Do Now

  1. Confirm whether GlobalProtect is enabled. Review every internet-facing firewall and any managed Prisma Access tenant that provides remote-access VPN.
  2. Check authentication override cookie use. If the feature is enabled for GlobalProtect portal or gateway behavior, compare the configuration against Palo Alto’s advisory.
  3. Use a dedicated certificate for authentication override cookies. Palo Alto lists this as one mitigation path. Do not reuse the portal or gateway certificate for this purpose.
  4. Disable authentication override where it is not required. This may force more frequent sign-ins, but it reduces exposure while you schedule the fixed PAN-OS release.
  5. Patch to the fixed build for your branch. Back up the configuration, read release notes, and schedule a maintenance window that accounts for GlobalProtect user reauthentication.
  6. Review VPN access logs and account activity. Look for unusual remote-access sessions, unexpected source countries, unfamiliar users, and failed or unusual authentication patterns around the exposure window.

High Availability Upgrade Notes

For HA firewall pairs, avoid patching both units blindly. Confirm config sync, health state, content versions, and session handling before maintenance. Patch the passive unit first where your design allows it, fail over intentionally, verify traffic, then patch the remaining unit. Keep a rollback plan, but remember that a rollback to a vulnerable build may reintroduce risk.

Palo Alto notes that after the fix, GlobalProtect users may need to reauthenticate once because affected authentication override cookies are regenerated using a more secure method. Plan help desk coverage and user communication before the maintenance window starts.

Post-Patch Verification

  • Confirm the running PAN-OS or Prisma Access version matches the fixed target for your branch.
  • Confirm GlobalProtect portal and gateway status after the maintenance window.
  • Verify remote users can reconnect through normal authentication flows.
  • Review VPN, system, and authentication logs for unusual sessions before and after the change.
  • Confirm HA state, VPN tunnels, NAT, security-policy hits, logging, and monitoring alerts.
  • Update customer or staff notices with the final patch status and any expected one-time reauthentication requirement.
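
The version check in the first bullet above can be scripted against the targets listed under Fixed PAN-OS Targets. This is an added example, not Palo Alto's or this site's tooling: the hostnames and running versions are constructed, Prisma Access targets are left out, and treating any maintenance release newer than the highest listed one as fixed is an assumption to confirm against the advisory.

```python
import re

# Fixed PAN-OS targets copied from the list on this page (Prisma Access not covered).
FIXED = {
    "12.1": ["12.1.7", "12.1.4-h6"],
    "11.2": ["11.2.12", "11.2.10-h7", "11.2.7-h14", "11.2.4-h17"],
    "11.1": ["11.1.15", "11.1.13-h5", "11.1.10-h25", "11.1.7-h6", "11.1.6-h32", "11.1.4-h33"],
    "10.2": ["10.2.18-h6", "10.2.16-h7", "10.2.13-h21", "10.2.10-h36", "10.2.7-h34"],
}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Split '11.1.10-h25' into (11, 1, 10, 25); a base build has hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_fixed(version):
    """True or False for a listed branch, None when the branch is not in the table."""
    major, minor, maint, hotfix = parse(version)
    targets = FIXED.get(f"{major}.{minor}")
    if targets is None:
        return None
    listed = [parse(t)[2:] for t in targets]  # (maintenance, minimum hotfix)
    for t_maint, t_hotfix in listed:
        if maint == t_maint:
            # Same maintenance release: the hotfix level decides.
            return hotfix >= t_hotfix
    # Assumption: only releases newer than the highest listed one carry the fix;
    # an unlisted older release (for example 11.1.12) is treated as not fixed.
    return maint > max(listed)[0]

# Constructed sample inventory; hostnames and versions are made up.
INVENTORY = {
    "fw-edge-01": "11.1.10-h25", "fw-edge-02": "11.1.10-h3",
    "fw-branch-01": "10.2.18", "fw-lab-01": "11.1.12", "fw-old-01": "11.0.4",
}

def audit(inventory):
    """Map each hostname to a patch status string."""
    labels = {True: "fixed", False: "not on a fixed build",
              None: "branch not listed, check advisory"}
    return {host: labels[is_fixed(ver)] for host, ver in inventory.items()}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:14} {INVENTORY[host]:12} {status}")
```

A device reported as not on a fixed build still needs the configuration check from Who Is Affected before it is counted as exposed.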

Customer Communication

For MSPs, web hosts, and businesses with remote staff, the message should stay factual: a GlobalProtect authentication bypass issue is now in CISA KEV, Palo Alto has fixed builds and mitigations, VPN users may need to sign in again after patching, and admins should review VPN access logs after maintenance. Do not publish firewall management details or internal access diagrams in customer-facing notices.

Related Fix I.T. Phill Guidance

If you also use the User-ID Authentication Portal, review our earlier PAN-OS CVE-2026-0300 mitigation guide. That is a separate PAN-OS issue with a different exposure path, so do not assume one mitigation covers the other.
