(TLP:CLEAR) Vulnerability Notification – Active Exploitation of Palo Alto Networks GlobalProtect Authentication Bypass Vulnerability, CVE-2026-0257
Created: Thursday, June 4, 2026 - 10:45
Categories: Cybersecurity, Security Preparedness
ACTION MAY BE REQUIRED for utilities using Palo Alto Networks PAN-OS firewalls with GlobalProtect VPN functionality enabled. Utilities that outsource technology support may need to consult their service providers for assistance with remediation actions.
Summary: An authentication bypass vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access is being actively exploited in the wild. Tracked as CVE-2026-0257, the vulnerability impacts devices configured with GlobalProtect authentication override cookies and a specific certificate configuration. Successful exploitation could allow a remote attacker to bypass authentication controls and establish an unauthorized VPN connection to affected environments.
This vulnerability is particularly concerning for utilities because GlobalProtect VPN infrastructure often provides remote access for enterprise networks, operational personnel, contractors, and critical support systems. A successful authentication bypass could provide attackers with a foothold inside trusted network environments, potentially enabling lateral movement, credential theft, or access to systems supporting OT environments.
Analyst Note: WaterISAC strongly encourages members to address the vulnerability and update systems according to Palo Alto Networks’ recommendations in its advisory. WaterISAC advises impacted members to patch immediately and to follow the Workarounds and Mitigations in the advisory, which include any of the following:
- Use a dedicated certificate for Authentication Override cookies
- Disable Authentication Override