Palo Alto GlobalProtect auth bypass (CVE-2026-0257): what Hawaii businesses should do now
An actively exploited flaw lets attackers forge a GlobalProtect VPN session on unpatched PAN-OS firewalls in a specific configuration. If your remote-access edge runs GlobalProtect, this needs attention today. Here is the exposure check, the patch, and the interim mitigation.
Published · HI Tech Hui · ~6 min read
Why this matters for Hawaii businesses
The VPN is supposed to be the front door you control. CVE-2026-0257 turns it into a lockpick. The vulnerability is classified as CWE-565 (Reliance on Cookies without Validation and Integrity Checking): in a specific configuration, an unauthenticated, remote attacker can forge a GlobalProtect authentication-override cookie and “bypass security restrictions and establish an unauthorized VPN connection” (Palo Alto Networks advisory).
For Hawaii organizations, GlobalProtect often sits at the edge of healthcare, finance, legal, and government-contractor networks — exactly the environments where an unauthorized inside connection is most damaging. Palo Alto Networks has “become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied,” and CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog with a June 1, 2026 remediation date for covered federal agencies. KEV deadlines are a federal mandate, but they are also the clearest urgency signal the rest of us get for free.
What exactly is the flaw?
GlobalProtect has a non-default feature called authentication override. When enabled, the portal or gateway issues a session cookie so users don’t have to re-authenticate every connection — functionally a bearer token. The cookie is encrypted and decrypted with a certificate you configure.
The problem appears when that same certificate is also used for another service, such as the portal or gateway HTTPS service. Because the device trusts the cookie’s decrypted contents without verifying a signature, an attacker who can obtain the public key — for example, by connecting to the HTTPS service — can craft a cookie the firewall will accept. No valid credentials required.
This is why configuration, not just version, decides your exposure.
Are you affected? A 4-point exposure check
You are in scope only if all of the following are true on an internet-reachable PAN-OS firewall:
- A GlobalProtect portal or gateway is configured.
- Authentication override is enabled — the “Generate cookie for authentication override” or “Accept cookie for authentication override” option is checked.
- The certificate used for those cookies is shared with another service (e.g., the portal/gateway HTTPS service), rather than being dedicated.
- The PAN-OS version is below the fixed release for its branch (see below).
Not affected: Palo Alto Networks states that Panorama and Cloud NGFW are not impacted. Prisma Access is affected and has its own fixed builds (Palo Alto Networks advisory).
The fix: patch to a fixed PAN-OS release
The durable remediation is to upgrade to a fixed maintenance release on your branch. Per the vendor advisory, fixed versions include (consult the advisory for your exact hotfix build):
- PAN-OS 12.1: 12.1.4-h6, 12.1.7 and later
- PAN-OS 11.2: 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, 11.2.12 and later
- PAN-OS 11.1: 11.1.4-h33, the other 11.1 hotfix builds listed in the advisory, and later
- PAN-OS 10.2: 10.2.7-h34, the other 10.2 hotfix builds listed in the advisory, and later
- Prisma Access: 10.2.10-h36, 11.2.7-h13 and later
Operational note: after the upgrade, GlobalProtect users will need to re-authenticate once even if they hold a valid cookie. Plan a brief user comms note so the help desk isn’t surprised (Palo Alto Networks advisory).
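The 4-point exposure check and the fixed-release list above are easy to get wrong by hand, especially the hotfix (`-hN`) comparison, so here is an added example (not code from the article or from Palo Alto Networks) that applies both to a constructed inventory. It encodes only the PAN-OS builds named in this article; the 11.1 and 10.2 branches are deliberately incomplete because the article defers their remaining hotfix builds to the advisory, and Prisma Access is not modelled. The `Firewall` record fields and the inventory entries are assumptions for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Fixed PAN-OS releases exactly as listed in the article. For 11.1 and 10.2 the
# article names one hotfix each and defers the rest to the vendor advisory, so
# builds those branches do not cover are reported as "unknown", never as fixed.
FIXED_BUILDS = {
    "12.1": {"hotfix_min": {"12.1.4": 6}, "fixed_from": "12.1.7"},
    "11.2": {"hotfix_min": {"11.2.4": 17, "11.2.7": 14, "11.2.10": 7}, "fixed_from": "11.2.12"},
    "11.1": {"hotfix_min": {"11.1.4": 33}, "fixed_from": None},  # incomplete: see advisory
    "10.2": {"hotfix_min": {"10.2.7": 34}, "fixed_from": None},  # incomplete: see advisory
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Split '11.2.4-h17' into (11, 2, 4, 17); a build with no hotfix gets 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def fix_status(version: str) -> str:
    """Return 'fixed', 'unfixed' or 'unknown' for a PAN-OS build string."""
    major, minor, maint, hotfix = parse_version(version)
    branch = f"{major}.{minor}"
    entry = FIXED_BUILDS.get(branch)
    if entry is None:
        return "unknown"  # branch not covered by the list above
    base = f"{branch}.{maint}"
    if base in entry["hotfix_min"]:
        # A listed maintenance release is fixed from the named hotfix onwards.
        return "fixed" if hotfix >= entry["hotfix_min"][base] else "unfixed"
    if entry["fixed_from"] is None:
        return "unknown"  # article defers this branch's other builds to the advisory
    if maint >= parse_version(entry["fixed_from"])[2]:
        return "fixed"  # "<release> and later"
    return "unfixed"  # maintenance release with no listed fix: move to a fixed build


@dataclass
class Firewall:
    name: str
    internet_facing: bool
    globalprotect: bool       # portal or gateway configured
    auth_override: bool       # Generate/Accept cookie for authentication override checked
    cookie_cert_shared: bool  # cookie certificate also used by portal/gateway HTTPS
    panos: str


def assess(fw: Firewall) -> str:
    """Apply the article's 4-point exposure check to one firewall record."""
    if not (fw.internet_facing and fw.globalprotect and fw.auth_override and fw.cookie_cert_shared):
        return "NOT IN SCOPE"
    status = fix_status(fw.panos)
    if status == "fixed":
        return "PATCHED"
    if status == "unfixed":
        return "EXPOSED"
    return "CHECK ADVISORY"


# Constructed inventory for demonstration; names and versions are invented.
SAMPLE_INVENTORY = [
    Firewall("hq-fw01", True, True, True, True, "11.2.4-h12"),
    Firewall("hq-fw02", True, True, True, True, "11.2.4-h17"),
    Firewall("branch-fw", True, True, False, True, "10.2.7-h10"),
    Firewall("lab-fw", True, True, True, True, "11.1.6"),
]


def triage(inventory: list[Firewall] = SAMPLE_INVENTORY) -> dict[str, str]:
    """Map each firewall name to its verdict; feed your real inventory here."""
    return {fw.name: assess(fw) for fw in inventory}


if __name__ == "__main__":
    for name, verdict in triage().items():
        print(f"{name:12} {verdict}")
```

The comparison is deliberately conservative: a maintenance release the article does not name (for example 11.2.5) is treated as unfixed rather than assumed safe, and anything on a branch whose list the article leaves incomplete comes back as `CHECK ADVISORY` so it is looked up rather than guessed.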
If you can’t patch in the next maintenance window
Palo Alto Networks publishes two interim mitigations. Both are stopgaps — not replacements for patching:
- Use a dedicated certificate for authentication override cookies. Generate a new certificate used exclusively for that purpose, store it securely, and stop reusing the portal/gateway certificate.
- Disable authentication override entirely — uncheck the “Generate cookie for authentication override” and “Accept cookie for authentication override” options. Users will re-authenticate per session, which is a small price during an active-exploitation window.
If you apply a mitigation, document it with an owner and a target patch date. A mitigation with no patch date is a permanent risk in disguise.
Where this fits in a patch-triage model
This is a textbook Lane A item: internet-facing, no authentication required, and confirmed exploited. It belongs in the urgent lane regardless of the headline CVSS number — exposure and exploitability outrank a score. (We wrote about this prioritization approach in patch triage signals that actually work and about treating KEV as an SLA in using the CISA KEV catalog as a patching SLA.)
A 24-hour action plan
- Inventory: identify every PAN-OS firewall with a GlobalProtect portal/gateway exposed to the internet.
- Check config: determine whether authentication override is enabled and whether the cookie certificate is shared.
- Decide: patch now, or apply a vendor mitigation and schedule the patch.
- Hunt: review GlobalProtect and admin authentication logs for unexpected cookie-based logons or VPN IP assignments, and validate against your own baselines.
- Verify: after patching, confirm the running PAN-OS build is a fixed release and that the re-authentication change rolled out cleanly.
FAQ for executives
Do we have to act if we’re not a federal agency?
Yes. The June 1, 2026 KEV date is a federal deadline, but the underlying fact — an internet-facing VPN flaw under active exploitation — applies to everyone. Use the deadline as your internal due date.
How do we know we weren’t already hit?
Look for cookie-based authentications to admin or local accounts and VPN IP assignments that don’t map to known users, and compare against your normal access patterns. If you don’t centralize firewall and VPN logs today, this incident is a strong reason to start — detection only works if the evidence exists.
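The “Hunt” step of the action plan and the FAQ answer above both describe the same log review: cookie-based logons to admin or local accounts, VPN IP assignments that do not map to known users, and sources outside your baseline. Here is an added example (not code from the article or from Palo Alto Networks) that runs those three checks over constructed, simplified GlobalProtect-style login records. The column names, user lists and IP ranges are assumptions for the demonstration, not the PAN-OS export schema; map your own export’s columns onto them.

```python
from __future__ import annotations

import csv
import io
from dataclasses import dataclass

# Constructed sample records. Column names are assumptions for this example,
# not the PAN-OS GlobalProtect log schema.
SAMPLE_LOG = """\
time,user,auth_method,public_ip,private_ip,stage,status
2026-05-20T08:01:10,alice,SAML,203.0.113.10,10.20.0.11,gateway-login,success
2026-05-20T08:03:44,bob,Cookie,203.0.113.22,10.20.0.12,gateway-login,success
2026-05-20T08:05:02,admin,Cookie,198.51.100.77,10.20.0.13,gateway-login,success
2026-05-20T08:06:30,svc-backup,Cookie,198.51.100.78,10.20.0.14,gateway-login,success
2026-05-20T08:07:12,mallory,LDAP,198.51.100.79,,gateway-login,failure
2026-05-20T08:09:15,carol,LDAP,203.0.113.31,10.20.0.15,gateway-login,success
"""

# Baselines (constructed): replace with your IdP's VPN group, your firewall's
# local/admin accounts, and the egress ranges your users normally connect from.
KNOWN_VPN_USERS = {"alice", "bob", "carol"}
LOCAL_OR_ADMIN_ACCOUNTS = {"admin", "panadmin"}
EXPECTED_SOURCE_PREFIXES = ("203.0.113.",)


@dataclass
class Finding:
    time: str
    user: str
    private_ip: str
    reasons: tuple[str, ...]


def hunt(log_text: str) -> list[Finding]:
    """Flag successful logons that break any of the three baseline checks."""
    findings: list[Finding] = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["status"] != "success":
            continue  # failures matter for brute-force review, not for this check
        reasons: list[str] = []
        cookie_auth = row["auth_method"].lower() == "cookie"
        if cookie_auth and row["user"] in LOCAL_OR_ADMIN_ACCOUNTS:
            reasons.append("cookie auth to admin/local account")
        if row["user"] not in KNOWN_VPN_USERS:
            reasons.append("VPN IP assigned to unknown user")
        if not row["public_ip"].startswith(EXPECTED_SOURCE_PREFIXES):
            reasons.append("source outside baseline ranges")
        if reasons:
            findings.append(Finding(row["time"], row["user"], row["private_ip"], tuple(reasons)))
    return findings


def assigned_ips(findings: list[Finding]) -> set[str]:
    """Private (tunnel) IPs handed to flagged sessions, for pivoting into traffic logs."""
    return {f.private_ip for f in findings}


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.time} {f.user:12} {f.private_ip:12} {'; '.join(f.reasons)}")
```

A hit on the first check (a cookie logon to an admin or local account) is the strongest signal and deserves a ticket on its own; the other two are baseline deviations that need a human to compare against known travel, contractors and service accounts. The assigned tunnel IPs from `assigned_ips` are what you carry into traffic and threat logs to see what a flagged session touched.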
Sources
- Palo Alto Networks Security Advisory — CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities
- CISA — Known Exploited Vulnerabilities Catalog
- MITRE — CWE-565: Reliance on Cookies without Validation and Integrity Checking
Need help checking your GlobalProtect exposure and patching safely? HI Tech Hui provides managed IT and cybersecurity services — including patch management, edge-device hardening, and 24/7 monitoring through our SOC. Contact us for a remote-access readiness review.