PT-2026-40754 · Palo Alto Networks · Pan-Os

Published

2026-05-13

·

Updated

2026-07-10

·

CVE-2026-0257

CVSS v3.1

9.1

Critical

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions PAN-OS versions prior to 10.2.7 PAN-OS version 10.2.8 PAN-OS version 10.2.9 PAN-OS version 10.2.10 PAN-OS version 10.2.11 Prisma Access (affected versions not specified)
Description Authentication bypass flaws in the GlobalProtect portal and gateway allow remote, unauthenticated attackers to bypass security restrictions and establish unauthorized VPN connections. The issue stems from the use of authentication override cookies that lack proper validation of authenticity and integrity. Attackers can forge valid cookies by manipulating specific HTTP form values in POST requests to the authentication endpoint and leveraging the public key of certificates used for cookie encryption. Real-world exploitation has been observed, where attackers used VPS infrastructure to gain access to local admin accounts, subsequently performing internal network reconnaissance and SMB enumeration using tools like Impacket. Panorama and Cloud NGFW are not impacted.
Recommendations Apply the relevant patches provided by Palo Alto Networks for versions prior to 10.2.7, 10.2.8, 10.2.9, 10.2.10, and 10.2.11. Apply the relevant patches provided by Palo Alto Networks for Prisma Access. As a temporary mitigation, disable authentication override cookies and the Cloud Authentication Service (CAS) if they are not required.

Fix

LPE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07261
CVE-2026-0257

Affected Products

Pan-Os