GlobalProtect auth bypass — your 60-minute patch checklist
CVE-2026-0257. CVSS 9.1. CISA KEV listed. Actively exploited right now.
By Mrugesh Patel, Senior Network Security Engineer
Originally posted on LinkedIn — Engineer Series · 2026-06-16
If you’re running GlobalProtect — this is not a “patch it eventually” situation.
Here’s your 60-minute checklist.
First 15 minutes — Confirm your exposure
→ Check PAN-OS version: is it in the affected range?
Affected: PAN-OS 11.2 < 11.2.4-h4, 11.1 < 11.1.6-h1, 10.2 < 10.2.13-h3
→ Check if GlobalProtect gateway or portal is enabled
→ Pull the list of who is currently connected via GlobalProtect
If you’re on an affected version with GP enabled — you’re exposed. Move to step 2.
Next 15 minutes — Temporary mitigations while you prep the patch
→ Option 1: Temporarily disable GlobalProtect if it’s not business-critical right now
→ Option 2: Restrict GP access to known-good source IPs at the perimeter
→ Document exactly what you did and when — your CISO will need this
Next 20 minutes — Patch preparation
→ Download the fixed PAN-OS version from the Palo Alto support portal
→ Check your HA setup — is this active/passive or active/active?
→ Schedule the maintenance window (even a 30-min window tonight beats waiting)
→ Notify your change management process — CISA KEV = emergency exception applies
Last 10 minutes — Verify and notify
→ After patch: confirm PAN-OS version matches the fixed release
→ Test GlobalProtect connectivity from one client
→ Check system logs for any pre-patch exploitation indicators
→ Send a two-line update to your CISO: version we were on, version we’re on now, done
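Added example (not from the original post or from Palo Alto Networks): a Python check for the version comparisons in the first and last steps, applying only the three thresholds listed above and reporting any other train as not listed rather than safe. It assumes version strings of the form X.Y.Z or X.Y.Z-hN and saved `show system info` text with an `sw-version:` line; the hostnames and sample outputs are constructed.

```python
import re

# Fixed releases per train, exactly as listed in the post above.
FIXED = {"11.2": "11.2.4-h4", "11.1": "11.1.6-h1", "10.2": "10.2.13-h3"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); no -hN suffix means hotfix 0."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def exposure(version):
    """Classify a version as 'affected', 'fixed' or 'train-not-listed'."""
    parsed = parse_version(version)
    fixed = FIXED.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        # The post names three trains only; anything else needs a separate check.
        return "train-not-listed"
    return "affected" if parsed < parse_version(fixed) else "fixed"


def sw_version(show_system_info):
    """Extract the sw-version field from saved 'show system info' text."""
    for line in show_system_info.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found")


def audit(inventory):
    """Map each hostname to its exposure status."""
    return {host: exposure(sw_version(text)) for host, text in inventory.items()}


# Constructed sample inventory: hostname -> saved 'show system info' output.
SAMPLE = {
    "fw-edge-01": "hostname: fw-edge-01\nsw-version: 11.1.6\n",
    "fw-edge-02": "hostname: fw-edge-02\nsw-version: 11.2.4-h4\n",
    "fw-dc-01": "hostname: fw-dc-01\nsw-version: 10.2.13-h2\n",
    "fw-lab-01": "hostname: fw-lab-01\nsw-version: 10.1.14-h9\n",
}

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host:12} {status}")
```

Run it before patching to build the exposure list and again afterwards: every firewall on a listed train should report `fixed`.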
The CVE: attackers can bypass GlobalProtect authentication without credentials. Once in, they can access internal resources as if they’re a legitimate VPN user.
CISA added it to KEV because it’s being actively used. Not theoretical. Not a lab finding.
Patch timeline: yesterday. If not yesterday — tonight.
Questions about the patch process? Drop them below.