TT-CSIRT – 458.15.06.26- Critical Authentication bypass vulnerabilities in Palo Alto Networks PAN-OS (CVE-2026-0257)
Please be advised that a critical vulnerability, designated as CVE-2026-0257, has been identified in Palo Alto Networks PAN-OS, specifically affecting the portal and gateway components of the PAN-OS software. Successful exploitation of CVE-2026-0257 may allow threat actors to bypass security controls and establish unauthorized VPN connections.
Please note: Palo Alto Networks has confirmed that this vulnerability is being actively exploited in the wild.
Affected Systems and solutions
Panorama and Cloud NGFW are not impacted by these issues.
| Product | Affected Versions | Recommended Solution |
| Cloud NGFW | None | No action required |
| PAN-OS 12.1 | 12.1.2 through 12.1.6 | Upgrade to 12.1.7 or applicable fixed hotfix |
| PAN-OS 11.2 | 11.2.0 through 11.2.11 | Upgrade to 11.2.12 or applicable fixed hotfix |
| PAN-OS 11.1 | 11.1.0 through 11.1.14 | Upgrade to 11.1.15 or applicable fixed hotfix |
| PAN-OS 10.2 | 10.2.0 through 10.2.18-h* | Upgrade to 10.2.18-h6 or applicable fixed hotfix |
| Older PAN-OS versions | Unsupported versions | Upgrade to a supported fixed version |
| Prisma Access 10.2 | 10.2.0 through 10.2.10-h* | Upgrade to 10.2.10-h36 or later |
| Prisma Access 11.2 | 11.2.0 through 11.2.7-h* | Upgrade to 11.2.7-h13 or later |
Recommendations and Mitigation Measures
- TT-CSIRT recommends that organizations using affected Palo Alto Networks PAN-OS versions review the official security advisory : https://security.paloaltonetworks.com/CVE-2026-0257.
Customers are advised to implement one or more of the following mitigation measures to reduce the risk associated with this vulnerability:
- Use a Dedicated Certificate for Authentication Override Cookies
- Generate and deploy a new certificate exclusively for Authentication Override cookies.
- Ensure that the certificate is stored securely and is not reused for the GlobalProtect portal, gateway, or any other features or users.
- Disable Authentication Override
- Disable the Authentication Override functionality by unchecking the options for generating and accepting Authentication Override cookies within the GlobalProtect portal and gateway configurations.
Implementing these measures can significantly reduce the likelihood of successful exploitation until a permanent remediation or security update is applied.
Indicators of Compromise (IoCs)
Palo Alto Networks has also released the following Indicators of Compromise (IoCs) associated with the observed malicious activity:
- IP addresses –
- 23.128.228[.]6
- 104.207.144[.]154
- 146.19.216[.]119
- 146.19.216[.]120
- 146.19.216[.]125
- 179.43.172[.]213
- 185.195.232[.]139
- 198.12.106[.]60
- 202.144.192[.]47
- Host Names and MAC Addresses –
- aa:bb:cc:dd:ee:ff
- 00:11:22:33:44:55
- WINDOWS-LAPTOP-001
- DESKTOP-GP01
- GP-CLIENT
Reference(s):
https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html
https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html
https://security.paloaltonetworks.com/CVE-2026-0257
https://nvd.nist.gov/vuln/detail/cve-2026-0257
Contact Information:
If you have any queries, comments or require assistance, please feel free to contact the TT-CSIRT via contacts@ttcsirt.gov.tt
