PAN-OS GlobalProtect Authentication Bypass Under Active Exploitation Added to CISA KEV (CVE-2026-0257)

Scope: Palo Alto Networks PAN-OS with GlobalProtect Portal or Gateway Configured

Severity: Red

An authentication bypass vulnerability (CVSS 9.1) in Palo Alto Networks PAN-OS GlobalProtect allows unauthenticated remote attackers to forge authentication override cookies and establish unauthorized VPN connections to internal networks. The attack exploits a certificate configuration conflict in deployments where the same certificate is shared between the GlobalProtect authentication override feature and another service, such as the HTTPS portal. Rapid7 MDR observed the first confirmed exploitation attempts on May 17, 2026, followed by a second wave on May 21. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 29, with a federal remediation deadline of June 1, 2026.

Organizations must immediately apply the patches released across all affected PAN-OS branches on May 30, 2026, upgrading to PAN-OS 10.2.10, 11.0.5, or 11.1.3 as applicable. Where patching cannot be done at once, disable authentication override cookies or apply certificate separation as an interim measure only. Review GlobalProtect VPN authentication logs for suspicious activity from May 17 onwards.
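A starting point for the log review recommended above, as an added example that is not part of the original advisory or of any Palo Alto Networks tooling: it assumes the GlobalProtect authentication log has been exported to CSV, and the column names, the `cookie` auth-method value and the sample rows are constructed for illustration. It lists successful cookie-authenticated logins since May 17, 2026 that have no earlier credential-based login by the same user from the same public IP; these are candidates for review, since roaming users produce such rows too.

```python
import csv
import io
from datetime import datetime

WINDOW_START = datetime(2026, 5, 17)  # first exploitation attempts per the advisory

# Constructed sample export. Column names and values are assumptions,
# not the PAN-OS log schema; map them to the fields of your own export.
SAMPLE_CSV = """time,user,public_ip,auth_method,status
2026-05-10T08:00:00,alice,198.51.100.7,password,success
2026-05-18T09:00:00,alice,198.51.100.7,cookie,success
2026-05-18T23:41:00,bob,203.0.113.50,cookie,success
2026-05-20T10:00:00,carol,192.0.2.10,password,success
2026-05-20T18:00:00,carol,192.0.2.10,cookie,success
2026-05-21T02:13:00,carol,203.0.113.50,cookie,success
2026-05-21T02:15:00,dave,203.0.113.50,cookie,failure
"""

def load(text):
    """Parse the CSV export into a list of row dictionaries."""
    return list(csv.DictReader(io.StringIO(text)))

def triage(rows, window_start=WINDOW_START):
    """Return successful cookie logins inside the review window that lack an
    earlier credential-based login by the same user from the same public IP."""
    rows = sorted(rows, key=lambda r: r["time"])  # ISO 8601 sorts chronologically
    credentialed = set()  # (user, ip) pairs that completed a full login
    findings = []
    for r in rows:
        if r["status"] != "success":
            continue
        key = (r["user"].lower(), r["public_ip"])
        if r["auth_method"] != "cookie":
            credentialed.add(key)
        elif (datetime.fromisoformat(r["time"]) >= window_start
              and key not in credentialed):
            findings.append(r)
    return findings

if __name__ == "__main__":
    for f in triage(load(SAMPLE_CSV)):
        print(f["time"], f["user"], f["public_ip"],
              "cookie login without prior credential login")
```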

The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.