
PAN-OS GlobalProtect CVE-2026-0257 Active Exploitation Steps for DevOps Teams

Step-by-step actions DevOps and cloud computing teams should take right now to patch the Palo Alto GlobalProtect authentication bypass before attackers strike.

DevOps teams running cloud computing workloads can no longer ignore the active exploitation of CVE-2026-0257 in PAN-OS GlobalProtect. Unauthorized VPN access is already happening in the wild, and the usual patch-and-forget cycle won't cut it this time.

According to the National Vulnerability Database, this flaw carries a CVSS score of 7.8 and was published on May 13, 2026. CISA added it to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a remediation deadline of June 1, 2026. That combination of real-world attacks and a hard federal deadline turns this into an immediate operational priority.

What is CVE-2026-0257 and How Does It Affect PAN-OS GlobalProtect?

CVE-2026-0257 is an authentication bypass in the GlobalProtect portal and gateway components of PAN-OS. A remote unauthenticated attacker can bypass security restrictions and establish an unauthorized VPN connection. Palo Alto Networks confirms that Panorama and Cloud NGFW are unaffected, so the exposure is limited to on-premises and virtual firewall deployments that expose GlobalProtect services.

[Figure: How the authentication override cookie enables the bypass. The illustration shows an attacker using an override cookie to reach the internal network without credentials.]

The root cause shows up when authentication override cookies are enabled alongside a specific certificate configuration. Attackers use that combo to grab valid session tokens without credentials. The vulnerability is actively being exploited in the wild.

For DevOps teams the business risk is straightforward. Any organization routing remote access or site-to-site traffic through GlobalProtect portals now faces undetected entry points into cloud environments. Because the attack needs no prior authentication, traditional perimeter monitoring can miss the initial foothold until lateral movement shows up in application logs.

Which PAN-OS Versions Are Vulnerable to CVE-2026-0257?

Palo Alto Networks lists PAN-OS 12.1, 11.2, 11.1, and 10.2 as the affected major releases. The specific upgrades break down like this:

| Current Version | Upgrade Target |
| --- | --- |
| 12.1.5 through 12.1.6 | 12.1.7 or later |
| 11.2.11 or later | 11.2.12 or later |
| 11.1.14 or later | 11.1.15 or later |
| 10.2.17 through 10.2.18-h* | 10.2.18 or 10.2.18-h6 or later |

Teams can check the running version through the CLI command show system info. This gives the exact build string needed to map against the advisory.
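
A version triage for the table above, as an added example (not code from the original article or from Palo Alto Networks): it reads the sw-version field from show system info output and compares it numerically, hotfix suffix included, against the upgrade targets. The status names, the sample output and the choice to defer the 10.2 row (which lists two targets) to the vendor advisory are assumptions of this example.

```python
import re

# Upgrade targets copied from the table above (minimum fixed build per release train).
# The 10.2 row lists two targets, so this example defers it to the vendor advisory.
UPGRADE_TARGETS = {"12.1": "12.1.7", "11.2": "11.2.12", "11.1": "11.1.15"}
AFFECTED_TRAINS = ("12.1", "11.2", "11.1", "10.2")

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '11.1.14-h2' into (11, 1, 14, 2); a build without a hotfix gets 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def sw_version_from_system_info(output):
    """Extract the sw-version field from 'show system info' output."""
    for line in output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found")


def triage(sw_version):
    """Classify a build against the table: numeric compare, never string compare."""
    v = parse_version(sw_version)
    train = f"{v[0]}.{v[1]}"
    if train not in AFFECTED_TRAINS:
        return "not-listed"
    target = UPGRADE_TARGETS.get(train)
    if target is None:
        return "see-advisory"  # hypothetical status for the deferred 10.2 row
    return "below-target" if v < parse_version(target) else "at-or-above-target"


# Constructed sample output, trimmed to a few fields (not from a real device).
SAMPLE = """hostname: fw-edge-01
model: PA-VM
sw-version: 11.1.14-h2
"""

if __name__ == "__main__":
    ver = sw_version_from_system_info(SAMPLE)
    print(ver, "->", triage(ver))
```

A plain string comparison would rank 11.2.9 above 11.2.12, which is why the build is parsed into integers before it is compared.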

Because the vulnerability is configuration-dependent, not every installation of these versions is immediately exploitable. Still, the presence of authentication override cookies on either the portal or gateway raises risk substantially. The configuration checks sit under Network > GlobalProtect > Portals > [Portal Name] > Agent > [Agent Configuration] > Authentication for portals and Network > GlobalProtect > Gateways > [Gateway Name] > Agent > [Client Settings] > Authentication Override for gateways. Any instance with the “Generate cookie for authentication override” or “Accept cookie for authentication override” options enabled needs priority attention.

Immediate Mitigation Steps for DevOps Teams

While patches are staged, temporary measures can reduce exposure quickly.

How to Verify If Your Systems Have Been Compromised

Organizations should verify whether systems have been compromised.

Patching PAN-OS GlobalProtect Inside Microservices Architecture

Upgrading PAN-OS requires coordination. Because authentication override cookies are regenerated during the upgrade, all users will need to re-authenticate once. Schedule the change during a maintenance window and notify application teams that new tokens will be issued automatically after the upgrade completes.

Long-Term Strategies to Prevent Similar Vulnerabilities

Palo Alto Networks has released patches for affected PAN-OS versions and recommends upgrading to the latest versions to address the vulnerability.

By following this sequence, DevOps teams can neutralize CVE-2026-0257 today and embed stronger cybersecurity practices into their cloud computing and microservices architecture operations for the long term. The real test comes when the next advisory lands and the same playbook already exists.
