Attacks on Palo Alto Networks PAN-OS GlobalProtect
A vulnerability in Palo Alto's PAN-OS is being exploited, warn the manufacturer and IT security authority CISA.
A security vulnerability affects Palo Alto Networks' PAN-OS operating system. It allows attackers to bypass security measures and is now being exploited in the wild.
The US cybersecurity authority CISA warns of this. There are no further details beyond the vulnerability number CVE-2026-0257. Palo Alto reported the security vulnerability in mid-May and updated the entry over the weekend. According to the report, attackers can bypass authentication in PAN-OS's GlobalProtect portal and gateway, thus circumventing security measures and establishing unauthorized VPN connections (CVE-2026-0257, CVSS4 7.8, risk “high”). However, Palo Alto classifies the urgency as “highest”.
Not all configurations are vulnerable. The option “Authentication override cookies” must be enabled in the GlobalProtect portal or gateway. Palo Alto does not mention whether this option is active by default but recommends that IT managers check the setting. The update to the entry now includes the note that Palo Alto Networks has become aware of limited attack attempts on unpatched PAN-OS devices. Versions affected include PAN-OS 10.2, 11.1, 11.2, and 12.1, as well as Prisma Access 10.2 and 11.2; Palo Alto is providing updates for various subversions.
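Because the bypass reportedly requires the authentication-override cookie option on a portal or gateway, one practical defender step is to audit an exported PAN-OS configuration for it. The following script is an added example, not code from Palo Alto or from the article; it assumes the GlobalProtect XML layout shown in the constructed sample (element names such as `authentication-override`, `generate-cookie` and `accept-cookie` are assumptions and should be checked against a real export).

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS configuration export. The element layout is an
# assumption modelled on the GlobalProtect portal/gateway XML; verify against a real export.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<global-protect>
 <global-protect-portal><entry name="gp-portal">
  <client-config><configs><entry name="default">
   <authentication-override>
    <generate-cookie>yes</generate-cookie>
    <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
   </authentication-override>
  </entry></configs></client-config>
 </entry></global-protect-portal>
 <global-protect-gateway>
  <entry name="gp-gw-eu"><remote-user-tunnel-configs><entry name="default">
   <authentication-override><generate-cookie>no</generate-cookie></authentication-override>
  </entry></remote-user-tunnel-configs></entry>
  <entry name="gp-gw-us"><remote-user-tunnel-configs><entry name="default">
   <authentication-override><accept-cookie/></authentication-override>
  </entry></remote-user-tunnel-configs></entry>
 </global-protect-gateway>
</global-protect>
</entry></vsys></entry></devices></config>"""


def find_cookie_override(config_xml):
    """Return one tuple per portal/gateway client config that generates or accepts
    authentication-override cookies: (kind, portal/gateway name, config name,
    generates_cookie, accepts_cookie). Configs with the feature off are not reported."""
    root = ET.fromstring(config_xml)
    findings = []
    for kind in ("global-protect-portal", "global-protect-gateway"):
        for container in root.iter(kind):
            for gp in container.findall("entry"):
                # Walk every nested <entry> (client configs / tunnel configs) of this object.
                for cfg in gp.iter("entry"):
                    override = cfg.find("authentication-override")
                    if override is None:
                        continue
                    generates = override.findtext("generate-cookie", "no") == "yes"
                    accepts = override.find("accept-cookie") is not None
                    if generates or accepts:
                        findings.append((kind, gp.get("name"), cfg.get("name"), generates, accepts))
    return findings


if __name__ == "__main__":
    for kind, name, cfg, gen, acc in find_cookie_override(SAMPLE_CONFIG):
        print(f"{kind} '{name}' config '{cfg}': generate-cookie={gen} accept-cookie={acc}")
```

Run it against a real export (for example the output of a configuration backup) to list every portal or gateway where the option is on; those are the objects to prioritise for patching and for the IOC review described below.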
Details on Attack Attempts
Rapid7, however, has published an analysis of observed attacks in a blog post. According to the security company's researchers, the first attack attempts on the vulnerability were seen as early as May 17th, when they received and investigated the alert “Suspicious VPN Authentication – Local Account Logon via Generic Non-Human Identity.” A common factor among several affected customers was that the Cloud Authentication Service (CAS) was disabled while authentication override cookies were enabled. A second wave of attacks followed on May 21st, which Rapid7 attributes to the same attackers as the first wave based on the host IDs observed. This second wave resulted in VPN access with IP address assignment and, subsequently, access to internal networks. Those interested can find more in-depth information and indicators of compromise (IOCs) in the blog post.
IT managers should promptly install the available updates and, if necessary, check their systems for the IOCs. Vulnerabilities in devices from network equipment provider Palo Alto are frequently of interest to cybercriminals, as such devices typically provide a way into networks. Around early May, attackers exploited another PAN-OS vulnerability; at that time, updates to close that security gap were still pending.
(dmk)