PT-2026-40754 · Palo Alto Networks · Pan-Os
Published
2026-05-13
·
Updated
2026-07-10
·
CVE-2026-0257
CVSS v3.1
9.1
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
PAN-OS versions prior to 10.2.7
PAN-OS version 10.2.8
PAN-OS version 10.2.9
PAN-OS version 10.2.10
PAN-OS version 10.2.11
Prisma Access (affected versions not specified)
Description
Authentication bypass flaws in the GlobalProtect portal and gateway allow remote, unauthenticated attackers to bypass security restrictions and establish unauthorized VPN connections. The issue stems from the use of authentication override cookies that lack proper validation of authenticity and integrity. Attackers can forge valid cookies by manipulating specific HTTP form values in POST requests to the authentication endpoint and leveraging the public key of certificates used for cookie encryption. Real-world exploitation has been observed, where attackers used VPS infrastructure to gain access to local admin accounts, subsequently performing internal network reconnaissance and SMB enumeration using tools like Impacket. Panorama and Cloud NGFW are not impacted.
Recommendations
Apply the relevant patches provided by Palo Alto Networks for versions prior to 10.2.7, 10.2.8, 10.2.9, 10.2.10, and 10.2.11.
Apply the relevant patches provided by Palo Alto Networks for Prisma Access.
As a temporary mitigation, disable authentication override cookies and the Cloud Authentication Service (CAS) if they are not required.
Fix
LPE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Pan-Os