What is CVE-2026-0257 and how does it impact PAN-OS GlobalProtect?
CVE-2026-0257 is an authentication bypass vulnerability affecting the GlobalProtect portal and gateway in Palo Alto Networks PAN-OS software. It allows a remote attacker to forge an authentication override cookie and establish unauthorized VPN access, bypassing normal credential checks. The vulnerability carries a CVSS base score of 7.8 (High) and is tracked under CWE-565 (reliance on cookies without validation and integrity checking). Exploitation is unauthenticated, requires no user interaction, and is network-based with low complexity. Note: Only assets with specific configurations are vulnerable; see remediation steps for details.
Which assets are affected by CVE-2026-0257?
The vulnerable component is the GlobalProtect portal and gateway in PAN-OS. Affected releases include PAN-OS 10.2, 11.1, 11.2, and 12.1, as well as corresponding Prisma Access versions. Panorama and Cloud NGFW are not impacted. Exposure is conditional: a device is only vulnerable if a GlobalProtect portal/gateway is configured, the authentication override cookie feature is enabled, and the certificate used for override cookies is reused by another feature. Note: Devices without authentication override or with a dedicated certificate are not exposed.
What are the recommended remediation steps for CVE-2026-0257?
Palo Alto Networks has released fixed PAN-OS versions: 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6, 11.1.15 and its hotfixes, 11.2.12 and its hotfixes, and 12.1.7. Prisma Access is being upgraded per vendor schedule. After upgrading, GlobalProtect users must re-authenticate once due to cookie regeneration. Organizations should verify the exact target release against the vendor advisory for their installed version. Note: Fixed versions vary by train and hotfix level; do not assume a single patch applies across all assets.
What additional actions should organizations take to mitigate CVE-2026-0257?
Until patching is confirmed, organizations should: inventory all internet-facing GlobalProtect portals/gateways; check if authentication override cookie generation/acceptance is enabled; disable authentication override where not required; replace any shared certificate with one dedicated to override cookies; monitor GlobalProtect logs for unexpected VPN sessions and anomalous source addresses; restrict portal and management access to trusted networks where feasible. Note: These steps are interim measures and do not replace patching.
What exposure patterns has CyCognito observed for CVE-2026-0257?
CyCognito's data shows exposure is led by Industrials (25.3% of observed assets), Communication Services (16.4%), and Energy (11.8%). The remaining 46.5% is unclassified, often due to forgotten edge infrastructure. Distributed deployments and legacy configurations contribute to persistent vulnerabilities. Note: Risk is driven by incomplete visibility into where GlobalProtect is exposed and how it is configured, not by any single industry.
CyCognito Platform Features & Capabilities
How can CyCognito help organizations manage emerging threats like CVE-2026-0257?
CyCognito published an Emerging Threat Advisory for CVE-2026-0257 in its platform and is actively researching enhanced detection capabilities. The platform autonomously discovers, tests, and prioritizes external risks, simulating real attacks and surfacing exploitable and urgent issues. CyCognito enables organizations to reduce external exposure and manage emerging threats more effectively. Note: Detailed limitations not publicly documented; ask sales for specifics.
What products and services does CyCognito offer?
CyCognito offers Attack Surface Management (continuous discovery and mapping of external-facing assets), Automated Security Testing (continuous exploit validation), and Exploit Intelligence (prioritization and proof to accelerate remediation). Solutions include External Exposure Management (EASM), Continuous Security Testing (Autopt), Cyber Asset Inventory (CAASM), Vulnerability Management (UVM), Cloud Security (CNAPP), and Application Security (AppSec). Note: Best fit for organizations needing external attack surface visibility; teams seeking deep internal asset management may want to consider alternatives.
What are CyCognito's key features for solving customer pain points?
CyCognito features seedless discovery (autonomously identifies unknown assets, including shadow IT), risk-based prioritization (focuses on top 0.01% of risks), automation for scale (reduces external penetration testing time by over 70%), verified closure of security issues (periodic retesting), and comprehensive security management (integrates with ticketing systems, SIEMs, vulnerability management platforms). Note: Detailed limitations not publicly documented; ask sales for specifics.
What integrations does CyCognito support?
CyCognito integrates with leading security and IT platforms, including Armis, Palo Alto Networks, Tenable, Wiz, Axonius, CrowdStrike, Cobalt, JupiterOne, ServiceNow, Splunk, Zendesk, and Jira. Automation categories include vulnerability management, incident management, asset management, SIEM/SOAR/XDR, cloud security posture management, and ticketing solutions. Note: Integration depth may vary by platform; check the integrations platform page for specifics.
Use Cases & Customer Success
Who can benefit from CyCognito's platform?
CyCognito is designed for IT security teams, CISOs, and security operations teams in enterprises with complex infrastructures, government agencies, Fortune 500 companies, and organizations in education, media, gaming, hospitality, and healthcare. Note: Best fit for organizations with significant external digital footprints; smaller organizations with limited external assets may want to evaluate fit.
Can you share specific case studies or customer success stories?
Scientific Games used CyCognito to uncover hidden assets and obsolete devices, improving risk visibility. Ströer reduced alert fatigue by focusing on validated risks. Berlitz identified approximately 140 critical issues in a year, far exceeding manual discovery. A hospitality company detected and shut down rogue access, preventing potential data breaches. Note: Results may vary by organization size and complexity; see customer stories page for details.
What industries are represented in CyCognito's case studies?
Industries include gaming (Scientific Games), media (Ströer), education (Berlitz), hospitality, and telecommunications. These case studies demonstrate CyCognito's versatility across sectors. Note: Industry-specific requirements may affect platform fit; consult sales for tailored recommendations.
Competition & Comparison
How does CyCognito compare to Tenable ASM?
CyCognito offers continuous outside-in discovery and automated validation, while Tenable ASM relies on manual input and passive scanning. CyCognito provides 20× more visibility, focuses on the top 0.01% of risks, and eliminates blind spots often missed by Tenable ASM. Note: Tenable ASM may be preferable for organizations seeking deep integration with existing Tenable vulnerability management workflows.
How does CyCognito compare to Qualys?
CyCognito focuses on external attack surface management, autonomously discovering unknown assets without manual input, while Qualys primarily offers vulnerability management tools. CyCognito provides seedless discovery, uncovering up to 20× more exposures, and automates risk prioritization, which Qualys lacks. Note: Qualys may be preferable for organizations prioritizing internal vulnerability management and compliance scanning.
How does CyCognito compare to CrowdStrike Falcon Surface?
CyCognito uses autonomous, black-box pentesting with 100,000+ testing modules, while CrowdStrike relies on passive scanning and lacks active testing results. CyCognito prioritizes risks based on exploitability and business context, enabling a >60% reduction in MTTR, compared to CrowdStrike's slower response times. Note: CrowdStrike Falcon Surface may be preferable for organizations already invested in CrowdStrike's endpoint ecosystem.
How does CyCognito compare to Microsoft Defender EASM?
CyCognito autonomously discovers hidden assets and provides rapid vulnerability scanning, while Microsoft Defender EASM requires manual input and lacks comprehensive discovery. CyCognito offers seedless discovery, actionable insights, and continuous monitoring, ensuring immediate detection of changes. Note: Microsoft Defender EASM may be preferable for organizations seeking tight integration with the Microsoft security stack.
How does CyCognito compare to Palo Alto Networks Cortex Xpanse?
CyCognito uses NLP, ML, and a graph data model for business mapping, while Cortex Xpanse relies on manual mapping and misses critical assets. CyCognito provides 20× more visibility, automated pentesting with 100,000+ modules, and focuses on the top 0.01% of risks. Note: Cortex Xpanse may be preferable for organizations seeking native Palo Alto Networks integration.
Technical Requirements & Implementation
How long does it take to implement CyCognito and how easy is it to start?
CyCognito is built for rapid deployment and requires minimal setup. The platform automatically maps your external attack surface without manual scoping or seed data, begins continuous discovery and validation immediately, and does not require agents or sensors. Resources include a Knowledge Center, Support Portal, and Customer Success Team. Note: Implementation time may vary for highly complex environments; consult support for specifics.
What technical documentation is available for CyCognito?
CyCognito offers datasheets and resources covering platform overview, automated security testing, discovery and contextualization, prioritization and remediation, exploit intelligence, vulnerability management, active security testing, remediation planning, cloud connector, customer success, and NIST 800-53 alignment. For more resources, visit the Knowledge Hub. Note: Some technical details may require NDA for access.
Security & Compliance
What security and compliance certifications does CyCognito hold?
CyCognito holds SOC 2 Type II and ISO 27001 certifications, demonstrating robust security controls and adherence to stringent information security management practices. Reports are available for review under NDA. CyCognito supports compliance with ISO 27001:2022, NIST 800-171 R2, PCI-DSS v4, and CIS CSC, automating evidence collection and mapping findings to relevant controls. Note: Additional certifications may be available; check the Trust Center for updates.
Business Impact & Customer Proof
What business impact can customers expect from using CyCognito?
Customers can save up to $500,000 annually by reducing dependency on manual penetration testing and bug bounty programs. CyCognito reduces critical findings from about 25% to 0.1%, improves operational efficiency, provides comprehensive visibility, and enables strategic decision-making by focusing on the top 0.01% of risks. Note: Savings and impact may vary by organization size and complexity.
What feedback have customers provided about CyCognito's ease of use?
Customers consistently praise CyCognito for its ease of use and intuitive platform design. Stefan Romberg (Global CISO) highlighted automatic asset detection and continuous vulnerability analysis. Alex Schuchman (CISO, Colgate-Palmolive) noted global visibility in an easy-to-use interface. Darrell Jones (CISO) emphasized standalone capability for solving specific problems. Note: User experience may vary based on organization needs and workflows.
Customer List & Social Proof
Who are some of CyCognito's customers?
CyCognito is used by global enterprises including Tesco, Colgate-Palmolive, Panasonic, Ströer, Hitachi, Storebrand, Bertelsmann, Wipro, Adama, Berlitz, Asklepios, Scientific Games, Agoda, Altice, and Sleep Number. These organizations rely on CyCognito for compliance, audit preparation, and attack surface management. Note: Customer fit may vary; see customer stories page for more details.
Sample of assets impacted by PAN-OS GlobalProtect Authentication Bypass vulnerability, identified by the CyCognito Platform
What is CVE-2026-0257?
CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software that lets a remote attacker forge an authentication override cookie and establish an unauthorized VPN connection. The vulnerability carries a CVSS base score of 7.8 (High). It is tracked under CWE-565, reliance on cookies without validation and integrity checking.
Exploitation is unauthenticated and requires no user interaction. The attack vector is network-based with low complexity, meaning any reachable portal or gateway in a vulnerable configuration can be targeted directly over the internet.
The practical impact is unauthorized VPN access. By presenting a forged override cookie, an attacker bypasses the normal credential check and is treated as an authenticated GlobalProtect user. Observed activity has included VPN IP assignment following cookie authentication, which places the attacker on the internal network behind the firewall.
Palo Alto Networks initially rated the issue Medium and raised it to High after confirming exploitation. The vulnerability was added to the CISA Known Exploited Vulnerabilities catalog on May 29, 2026.
What assets are affected by CVE-2026-0257?
The vulnerable component is the GlobalProtect portal and gateway in PAN-OS. Affected releases span PAN-OS 10.2, 11.1, 11.2, and 12.1, along with the corresponding Prisma Access versions. Panorama and Cloud NGFW are not impacted.
Exposure is conditional rather than universal. A device is only vulnerable when a GlobalProtect portal or gateway is configured, the authentication override cookie feature is enabled, and the certificate used to encrypt and decrypt the override cookie is reused by another feature instead of being dedicated to that purpose. Devices without authentication override, or with a dedicated certificate, are not exposed to this issue.
In practice, an affected asset is an internet-facing firewall publishing a GlobalProtect VPN portal, typically on TCP/443. These appliances sit at the network edge by design, are reachable from untrusted networks, and frequently carry long-lived configurations where override cookies were enabled for user convenience and the certificate condition went unnoticed. That combination of edge placement and legacy configuration is what turns a conditional flaw into a reachable one.
What does our data show about exposure patterns?
Exposure in this set is led by Industrials at 25.3% of observed assets, with Communication Services contributing 16.4% and Energy adding 11.8%.
The concentration in Industrials is consistent with how these organizations operate. Manufacturers, engineering firms, and logistics operators run geographically distributed sites, each with its own remote-access needs, and GlobalProtect is a common way to connect field staff, plants, and partners.
Distributed deployments accumulate portals and gateways over time, and configuration choices made years ago for one site tend to persist across the estate, including override cookie settings that predate current guidance.
The remaining 46.5% sits in the Others bucket, much of it unclassified. That large unattributed share is itself a finding. Internet-facing VPN portals are often stood up for a project, a region, or an acquisition and then drift out of active inventory, which is exactly the kind of forgotten edge infrastructure where a conditional misconfiguration survives unexamined.
The cross-sector spread shows the risk driver is not any single industry but incomplete visibility into where GlobalProtect is exposed and how it is configured.
Are fixes available?
Yes. Palo Alto Networks has released fixed PAN-OS versions across all affected trains, including 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6, 11.1.15 and its hotfix releases, 11.2.12 and its hotfix releases, and 12.1.7. Prisma Access is being upgraded by the vendor according to the published customer schedule.
Defenders should note a one-time operational effect of the fix. After upgrading, a firewall configured to use an authentication override cookie regenerates that cookie using a more secure method, so GlobalProtect users must re-authenticate once even if a valid cookie is present. This is expected behavior and not a sign of failure.
Because fixed versions vary by train and hotfix level, organizations should verify the exact target release against the vendor advisory for their installed version rather than assuming a single patch applies across the estate.
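The three configuration conditions above and the per-train fixed releases can be combined into a single triage check. The following is an added example, not CyCognito or Palo Alto Networks code: the fixed-version table is taken from the releases named on this page, the version string format (major.minor.maintenance, optional -hN hotfix) is assumed, and it treats any release in an affected train that is not positively matched as needing verification against the vendor advisory rather than guessing.

```python
import re

# Fixed releases named on this page, keyed by train, then by maintenance
# release, with the first fixed hotfix level (0 = the base release itself).
# "11.1.15 and its hotfix releases" means 11.1.15 is fixed, hence hotfix 0.
FIXED = {
    (10, 2): {7: 34, 10: 36, 13: 21, 16: 7, 18: 6},
    (11, 1): {15: 0},
    (11, 2): {12: 0},
    (12, 1): {7: 0},
}

# Assumed PAN-OS version shape: "10.2.7-h34" or "11.1.15" (no hotfix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str):
    """Split '10.2.7-h34' into (major, minor, maintenance, hotfix)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def version_status(version: str) -> str:
    """'fixed', 'vulnerable', 'verify' or 'unlisted' for one PAN-OS version."""
    major, minor, maint, hotfix = parse_panos_version(version)
    train = FIXED.get((major, minor))
    if train is None:
        return "unlisted"            # train not named by the advisory text here
    if maint in train:
        return "fixed" if hotfix >= train[maint] else "vulnerable"
    if maint > max(train):
        # Assumption: a later maintenance release in a fixed train carries the fix.
        return "fixed"
    # A maintenance release between listed ones (e.g. 10.2.8): this page names
    # no fix for it, so confirm the exact target against the vendor advisory.
    return "verify"


def exposure_verdict(version: str, gp_configured: bool,
                     override_cookie_enabled: bool, cookie_cert_shared: bool) -> str:
    """Apply the three configuration conditions, then the version check."""
    if not (gp_configured and override_cookie_enabled and cookie_cert_shared):
        return "not_exposed"         # any missing condition removes exposure
    status = version_status(version)
    if status == "vulnerable":
        return "exposed"
    return status                    # 'fixed', 'verify' or 'unlisted'
```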
Are there any other recommended actions to take?
Until patching is confirmed, defenders should:
Inventory all internet-facing GlobalProtect portals and gateways
Check whether authentication override cookie generation or acceptance is enabled
Disable authentication override where it is not operationally required
Replace any shared certificate with one dedicated to override cookies
Monitor GlobalProtect logs for unexpected VPN sessions and anomalous source addresses
Restrict portal and management access to trusted networks where feasible
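Because a forged override cookie is presented without the credential login that would normally have issued it, cookie-based logins with no preceding credential login for that user, or from a source address that user never authenticated from with credentials, are the sessions worth reviewing first. The following triage heuristic is an added example, not code from the advisory or from PAN-OS tooling; it runs over constructed sample records whose comma-separated field layout is assumed and is not the PAN-OS GlobalProtect log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not real PAN-OS log lines). Fields, assumed:
# timestamp, user, source IP, auth method, stage, assigned VPN IP.
# alice: credential login, then a legitimate cookie re-auth from the same source.
# bob: cookie-only login with no credential login at all.
# alice again: cookie login from a source never seen with credentials.
SAMPLE_EVENTS = [
    "2026-05-28T08:00:00,alice,203.0.113.10,credential,login,10.10.0.5",
    "2026-05-28T12:30:00,alice,203.0.113.10,cookie,login,10.10.0.5",
    "2026-05-28T13:05:00,bob,198.51.100.77,cookie,login,10.10.0.9",
    "2026-05-28T13:06:00,alice,198.51.100.77,cookie,login,10.10.0.5",
]

COOKIE_WINDOW = timedelta(hours=24)   # assumed override-cookie lifetime


def parse_event(line):
    ts, user, src, method, stage, vpn_ip = line.split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "src": src,
            "method": method, "stage": stage, "vpn_ip": vpn_ip}


def flag_suspicious_cookie_logins(lines):
    """Return (user, src, vpn_ip, reason) for cookie logins that either had no
    credential login for that user inside the cookie window, or came from a
    source the user never authenticated from with credentials."""
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    cred_logins = defaultdict(list)   # user -> [(timestamp, source IP)]
    flagged = []
    for ev in events:
        if ev["stage"] != "login":
            continue
        if ev["method"] == "credential":
            cred_logins[ev["user"]].append((ev["ts"], ev["src"]))
            continue
        if ev["method"] != "cookie":
            continue
        recent = [(t, s) for t, s in cred_logins[ev["user"]]
                  if ev["ts"] - t <= COOKIE_WINDOW]
        if not recent:
            reason = "cookie login with no credential login in window"
        elif ev["src"] not in {s for _, s in recent}:
            reason = "cookie login from source never seen with credentials"
        else:
            continue                  # cookie consistent with an earlier login
        flagged.append((ev["user"], ev["src"], ev["vpn_ip"], reason))
    return flagged
```

Flagged entries carry the assigned VPN IP so the session can be traced onward in firewall traffic logs; a hit is a review queue, not a confirmed compromise.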
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-0257 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.