CVE-2026-0257

Palo Alto Networks · PAN-OS

An authentication bypass vulnerability exists in Palo Alto Networks PAN-OS GlobalProtect, allowing unauthenticated attackers to forge authentication cookies and establish unauthorized VPN connections.

Executive summary

A critical authentication bypass in Palo Alto Networks PAN-OS is currently being actively exploited in the wild, posing an immediate risk of unauthorized network access.

Vulnerability

This is an authentication bypass vulnerability allowing unauthenticated attackers to establish unauthorized VPN sessions by forging authentication override cookies. The flaw occurs when specific certificate configurations are present, enabling attackers to circumvent standard login requirements.

Business impact

With a CVSS score of 9.5, this vulnerability represents a critical risk to organizational infrastructure. Successful exploitation allows unauthorized actors to gain VPN access, potentially leading to full network compromise, data exfiltration, and significant operational disruption. The inclusion of this CVE in the CISA KEV catalog confirms that active exploitation is occurring, significantly elevating the urgency for immediate remediation.

Remediation

Immediate Action: Upgrade to the patched versions listed in the vendor advisory (e.g., PAN-OS 11.2.12, 11.1.15, 10.2.18-h6, or newer) as soon as possible. If patching is not immediately feasible, disable authentication override cookies on GlobalProtect portals and gateways as a temporary mitigation.

Proactive Monitoring: Review VPN authentication logs for anomalous or high-frequency login attempts and unexpected connections from unrecognized IP addresses. Monitor for unauthorized session creation that deviates from established user patterns.
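The monitoring step above can be turned into a repeatable triage check. The script below is an added example written for this page; it is not code from the advisory or from Palo Alto Networks. It assumes a simplified, constructed log shape (ISO timestamp, source IP, user, result) rather than the real PAN-OS GlobalProtect log format, and the trusted-network allowlist is a hypothetical value; both must be mapped to the real environment before use. It flags two of the signals the advisory names: high-frequency successful logins from one source within a short window, and successful logins from sources outside the expected ranges.

```python
"""Triage of VPN authentication logs for the signals named in the advisory.

Added example, not part of the original advisory. Log format and trusted
ranges below are constructed assumptions, not PAN-OS specifics.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in the assumed shape: "timestamp,source_ip,user,result"
SAMPLE_LOG = """\
2026-01-10T08:00:01,203.0.113.10,alice,success
2026-01-10T08:00:05,203.0.113.10,alice,success
2026-01-10T08:00:07,198.51.100.7,bob,success
2026-01-10T08:00:09,198.51.100.7,carol,success
2026-01-10T08:00:10,198.51.100.7,dave,success
2026-01-10T08:00:11,198.51.100.7,erin,success
2026-01-10T08:00:12,198.51.100.7,frank,success
2026-01-10T08:02:00,192.0.2.55,alice,success
"""

# Hypothetical allowlist: source ranges the organisation expects VPN logins from.
TRUSTED_NETS = [ip_network("203.0.113.0/24")]


def parse_log(text):
    """Parse lines of the assumed shape into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split(",")
        if len(parts) != 4:
            continue
        ts, src, user, result = parts
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": ip_address(src),
            "user": user,
            "result": result,
        })
    return events


def is_trusted(addr, nets=TRUSTED_NETS):
    """True when the address falls inside one of the allowlisted ranges."""
    return any(addr in net for net in nets)


def peak_in_window(events, window):
    """Largest number of events (sorted by time) that fit inside any span of length `window`."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end]["ts"] - events[start]["ts"] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_anomalies(events, window=timedelta(seconds=60), max_per_window=3, nets=TRUSTED_NETS):
    """Return (reason, source_ip, sorted_users) findings, at most one per reason per source.

    Reasons:
      untrusted_source - successful login from outside the allowlisted ranges
      high_frequency   - more than `max_per_window` successful logins from one
                         source inside `window`
    """
    by_src = defaultdict(list)
    for event in events:
        if event["result"] == "success":
            by_src[event["src"]].append(event)

    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        users = sorted({e["user"] for e in evs})
        if not is_trusted(src, nets):
            findings.append(("untrusted_source", str(src), users))
        if peak_in_window(evs, window) > max_per_window:
            findings.append(("high_frequency", str(src), users))
    return findings


if __name__ == "__main__":
    for reason, src, users in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{reason:17s} {src:15s} users={','.join(users)}")
```

The per-source user list is kept in each finding because a burst of sessions for several distinct accounts from a single source is the pattern most worth a second look in the context of this advisory; the thresholds and window are starting points to tune against the environment's normal login rate.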

Compensating Controls: Deploy Web Application Firewall (WAF) or equivalent gateway security policies to inspect and filter traffic for malicious cookie patterns associated with this bypass. Implement strict access control lists (ACLs) to limit exposure of the GlobalProtect interface to trusted source networks.

Exploitation status

Public Exploit Available: True

Analyst recommendation

Given the critical CVSS severity and the documented evidence of active exploitation, this vulnerability must be treated as a top-priority incident. Organizations must verify their current PAN-OS version and apply the vendor-supplied patches immediately. If immediate patching is not possible, the recommended functional workarounds must be implemented to prevent unauthorized access and potential lateral movement within the network.