Palo Alto Networks Unit 42 reports active exploitation attempts against CVE-2026-0257, an authentication-bypass vulnerability affecting PAN-OS GlobalProtect portal and gateway components. The issue is especially important because GlobalProtect often sits directly on the public internet and becomes part of the identity perimeter for remote access.
According to Palo Alto Networks, the observed activity includes attempts to access GlobalProtect, with a smaller subset of probed devices producing successful gateway-connected events. The company also notes that the vulnerability affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled with a specific certificate configuration. Palo Alto’s official advisory says limited exploit attempts have been observed against unpatched devices where mitigations were not applied.
Why this matters
For SMBs, managed service providers, and government contractors, VPN infrastructure is not “just another perimeter service.” It is a trust broker. If an attacker can bypass authentication or establish an unauthorized GlobalProtect session, the organization may be dealing with a foothold that looks like normal remote access instead of noisy malware.
That changes the response playbook. Patching is required, but it is not enough by itself. Defenders should assume the edge device may have already been probed and should review GlobalProtect logs for successful gateway-connected events, suspicious host identifiers, and unusual source infrastructure around the exploitation window.
What defenders should do now
- Identify exposure: Confirm which PAN-OS firewalls host GlobalProtect portals or gateways and whether they are internet-facing.
- Check the risky configuration: Review whether authentication override cookies are enabled for GlobalProtect client settings and compare the deployment against Palo Alto’s advisory guidance.
- Patch or mitigate: Upgrade to a fixed PAN-OS release where available or apply the vendor-recommended mitigations if patching cannot happen immediately.
- Hunt successful sessions: Review GlobalProtect logs for successful gateway-connected events tied to the indicators and suspicious client values published by Unit 42.
- Preserve logs: Export firewall, GlobalProtect, identity provider, endpoint, and VPN session telemetry before retention windows roll over.
- Validate identity controls: Confirm MFA enforcement, conditional access, certificate use, and device posture checks still apply to GlobalProtect flows.
- Limit management-plane access: Keep firewall management interfaces off the public internet and restrict admin access to trusted networks and named operators.
Hunting focus
Unit 42 published IP addresses and suspicious host values tied to observed activity. Use those as a starting point, but do not stop there. The higher-value detection is successful VPN session creation that does not match expected users, devices, geographies, hostnames, MAC patterns, or endpoint posture.
Defenders should pay particular attention to:
- New or rare source IPs establishing GlobalProtect sessions.
- Generic host IDs or device names, such as default-looking Windows names (DESKTOP- or LAPTOP- followed by a random string) that do not match the organization's naming standard.
- Sessions established through authentication override cookies rather than a fresh credential and MFA challenge, especially in the window between disclosure and patching.
- VPN sessions without corresponding normal user activity.
- Follow-on access to file shares, RDP, admin portals, or cloud consoles after VPN connection.
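The baseline comparison described above and in the "Hunt successful sessions" step, as an added example that is not code from the Unit 42 brief, the Palo Alto Networks advisory, or Bulwark Black. The log lines are constructed, and the column names (event_id, status, srcuser, public_ip, machinename, src_region) are a simplified stand-in for a real PAN-OS GlobalProtect export rather than its exact schema; the DESKTOP-/LAPTOP- pattern for generic host IDs is an assumption about default Windows names. The sketch flags successful gateway-connected sessions from a source IP, host name or region the user has never used, accounts with no pre-window history, generic host IDs, and one public IP connecting as several accounts. It does not cover authentication override cookie behavior, which would need the authentication method field from your own export.

```python
import csv
import io
import re
from collections import defaultdict

# Constructed sample logs in a simplified CSV layout. The columns mimic common
# GlobalProtect log fields but this is NOT the exact PAN-OS export schema;
# map your firewall's column names onto these. IPs are RFC 5737 test ranges.
BASELINE_LOG = """\
time,event_id,status,srcuser,public_ip,machinename,src_region
2026-01-05T08:02:11,gateway-connected,success,corp\\alice,203.0.113.10,ALICE-LT01,US
2026-01-06T08:05:43,gateway-connected,success,corp\\alice,203.0.113.10,ALICE-LT01,US
2026-01-06T09:12:09,gateway-connected,success,corp\\bob,198.51.100.22,BOB-MBP,US
2026-01-07T08:01:30,gateway-connected,success,corp\\alice,203.0.113.10,ALICE-LT01,US
"""

REVIEW_LOG = """\
time,event_id,status,srcuser,public_ip,machinename,src_region
2026-01-10T08:03:00,gateway-connected,success,corp\\alice,203.0.113.10,ALICE-LT01,US
2026-01-10T03:44:12,gateway-connected,success,corp\\bob,192.0.2.77,DESKTOP-K3J9X2P,NL
2026-01-10T03:45:01,gateway-connected,failure,corp\\carol,192.0.2.77,DESKTOP-Q8ZT4LM,NL
2026-01-10T03:50:22,gateway-connected,success,corp\\dave,192.0.2.77,DESKTOP-Q8ZT4LM,NL
2026-01-10T11:20:45,gateway-connected,success,corp\\bob,198.51.100.22,BOB-MBP,US
"""

# Assumed pattern for default-looking Windows host names (DESKTOP-XXXXXXX,
# LAPTOP-XXXXXXX). Tune this to your own fleet's naming standard.
GENERIC_HOST_RE = re.compile(r"^(?:DESKTOP|LAPTOP|WIN)-[A-Z0-9]{7}$", re.IGNORECASE)


def parse_log(text):
    """Parse the simplified CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def successful_connections(rows):
    """Only successful gateway-connected events are sessions worth reviewing;
    failed attempts are probing noise for this purpose."""
    return [r for r in rows
            if r["event_id"] == "gateway-connected" and r["status"] == "success"]


def build_baseline(rows):
    """Per-user sets of public IPs, host names and regions seen in successful
    sessions before the exploitation window."""
    baseline = defaultdict(lambda: {"ips": set(), "hosts": set(), "regions": set()})
    for r in successful_connections(rows):
        b = baseline[r["srcuser"]]
        b["ips"].add(r["public_ip"])
        b["hosts"].add(r["machinename"])
        b["regions"].add(r["src_region"])
    return baseline


def hunt(baseline_rows, review_rows):
    """Return (time, user, public_ip, reasons) for every successful session in
    the review window that deviates from that user's baseline."""
    baseline = build_baseline(baseline_rows)
    findings = []
    for r in successful_connections(review_rows):
        reasons = []
        b = baseline.get(r["srcuser"])  # .get() does not create a default entry
        if b is None:
            reasons.append("no_baseline_for_user")
        else:
            if r["public_ip"] not in b["ips"]:
                reasons.append("new_source_ip")
            if r["machinename"] not in b["hosts"]:
                reasons.append("new_hostname")
            if r["src_region"] not in b["regions"]:
                reasons.append("new_region")
        if GENERIC_HOST_RE.match(r["machinename"]):
            reasons.append("generic_hostname")
        if reasons:
            findings.append((r["time"], r["srcuser"], r["public_ip"], reasons))
    return findings


def shared_source_ips(review_rows, min_users=2):
    """Public IPs that successfully connected as at least min_users distinct
    accounts in the window: a strong signal of one operator trying many users."""
    users_by_ip = defaultdict(set)
    for r in successful_connections(review_rows):
        users_by_ip[r["public_ip"]].add(r["srcuser"])
    return {ip: sorted(users) for ip, users in users_by_ip.items()
            if len(users) >= min_users}


if __name__ == "__main__":
    base, review = parse_log(BASELINE_LOG), parse_log(REVIEW_LOG)
    for finding in hunt(base, review):
        print("REVIEW", *finding)
    for ip, users in shared_source_ips(review).items():
        print("SHARED-IP", ip, users)
```

Run against real exports, the baseline window should end before the earliest date in the vendor's exploitation timeline, and every flagged session should be checked for follow-on activity (file shares, RDP, admin portals, cloud consoles) rather than closed on the VPN log alone.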
Bulwark Black assessment
CVE-2026-0257 is another reminder that the edge is now an identity system. VPN gateways, firewalls, SASE connectors, and remote management appliances deserve the same treatment as domain controllers and cloud identity providers: tight change control, strong telemetry, rapid patching, and post-exploitation review when active exploitation is reported.
The practical move is to treat this as a compromise-review event, not just a vulnerability-management ticket. If a GlobalProtect gateway was vulnerable and exposed, defenders should validate whether anyone got in before the fix landed.
Original sources: Unit 42 threat brief on active exploitation of CVE-2026-0257; Palo Alto Networks security advisory.
