PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities
Act NowCVSS 7.8CVE-2026-0257May 13, 2026
Palo Alto Networks
IT in OT - Palo Alto firewalls are commonly deployed at IT/OT network boundaries
Summary
Authentication bypass vulnerabilities in GlobalProtect portal and gateway allow attackers to bypass security restrictions and establish unauthorized VPN connections. An attacker can connect to your network without providing valid credentials if Authentication Override is enabled. Panorama and Cloud NGFW are not impacted.
What this means
What could happen
An attacker can bypass authentication on GlobalProtect portals and gateways to establish unauthorized VPN connections without valid credentials. This could allow remote access to your network and critical infrastructure systems.
Who's at risk
Organizations using Palo Alto Networks PAN-OS firewalls or Prisma Access cloud-based connectivity for remote access. This affects any municipality or utility with remote workers, engineers, or contractors connecting via GlobalProtect VPN. Panorama management appliances and Cloud NGFW deployments are not affected.
How it could be exploited
An attacker sends a crafted request to the GlobalProtect portal or gateway authentication endpoint. By exploiting the authentication bypass flaw, they can forge or manipulate authentication tokens to establish a VPN session without providing valid credentials. Once connected, they gain network access equivalent to a legitimate remote user.
Prerequisites
- Network access to the GlobalProtect portal or gateway public IP address
- Authentication Override feature must be enabled in the GlobalProtect configuration
remotely exploitableno authentication requiredaffects remote access securitydefault configuration vulnerable
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (6)
6 with fix
ProductAffected VersionsFix Status
PAN-OSBelow 12.1.4-h612.1.4-h6 (ETA: 05/18)+
PAN-OSBelow 12.1.712.1.7 (ETA: 05/28)+
Prisma AccessBelow 11.2.4-h1711.2.4-h17 (ETA: 05/28)+
Prisma AccessBelow 11.2.7-h1411.2.7-h14 (ETA: 05/14)+
Prisma AccessBelow 11.2.10-h711.2.10-h7 (ETA: 05/14)+
Prisma AccessBelow 11.2.1211.2.12 (ETA: 05/28)+
Remediation & Mitigation
0/4
Do now
0/1WORKAROUNDDisable Authentication Override in GlobalProtect portal and gateway configuration settings
Schedule — requires maintenance window
0/3Patching may require device reboot — plan for process interruption
PAN-OS
HOTFIXUpdate PAN-OS to version 12.1.4-h6 or later (12.1.7 for extended support)
Prisma Access
HOTFIXUpdate Prisma Access to version 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12 as applicable to your deployment
All products
HARDENINGIf Authentication Override is required, generate and use a dedicated certificate exclusively for authentication override cookies instead of reusing the portal or gateway certificate
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/f4434d92-a382-42b7-8e80-166e57e39807Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.