Likelihood: MODERATE
Impact: HIGH
Treatment: MITIGATE
Confidence: Moderate
Likelihood is moderate: the vulnerability is listed in the CISA KEV catalog, which confirms active exploitation in the wild, but exploitation requires a specific non-default authentication override cookie configuration, so the exposed population is limited to organizations that have enabled that setting. Impact is high because a successful bypass grants unauthenticated remote access equivalent to that of a credentialed employee, enabling lateral movement, data exfiltration, and operational disruption across internal networks with no credential theft as a prerequisite.
Treatment rationale: GlobalProtect is a primary perimeter control and the vulnerability is actively exploited per CISA KEV, so risk acceptance or transfer is insufficient as a standalone response. Immediate patching and remediation of the non-default cookie configuration are required, together with compensating controls (e.g., MFA enforced on the internal applications reached over the VPN, since a bypass of gateway authentication also sidesteps any MFA step performed at the gateway itself; monitoring of gateway sessions for anomalous logins). For self-managed PAN-OS deployments, check the authentication override cookie settings on every portal and gateway agent configuration, not only the portal, since the setting is applied per configuration.
Third-Party / Supply-Chain Risk
Organizations using Prisma Access (Palo Alto-managed cloud-delivered SASE) are exposed through a shared-platform dependency: the vulnerability affects Prisma Access 10.2 and 11.2, so part of the attack surface is owned and patched by the vendor rather than the customer. Such organizations should confirm patch status for their Prisma Access tenants directly with Palo Alto Networks and validate their authentication override cookie configuration through the vendor support portal. NIST SP 800-161 C-SCRM consideration: for Prisma Access instances the remediation timeline and patch deployment control lie with the vendor, not the consuming organization, so the dependency should be tracked as a supplier risk with a vendor-attested remediation date.
Loss Exposure (illustrative)
Magnitude: High. Illustrative $500K–$5M range for an enterprise organization where exploitation results in confirmed unauthorized access, lateral movement, and a contained data exposure event; the upper end reflects regulatory costs, incident response, and reputational consequences in a regulated-industry scenario.
Frequency: For an organization that has confirmed the non-default authentication override cookie configuration is enabled and has not yet patched, illustrative frequency is moderate: perhaps a 1-in-5 to 1-in-3 chance of a targeted exploitation attempt within a 12-month window, given active exploitation in the wild and the wide enterprise VPN footprint of GlobalProtect deployments.
Annualized: Illustrative ALE approximation of ~$100K–$1.7M annualized for an exposed enterprise (the product of the frequency and magnitude range endpoints above: 1/5 × $500K to 1/3 × $5M), reflecting moderate frequency against a high-consequence loss range. This compresses substantially once the patch is applied or the configuration is remediated, because the frequency term drops toward zero.
Basis: Loss magnitude is driven by unauthorized remote access to the internal network as an entry point for lateral movement and exfiltration (incident response, forensics, potential regulatory notification costs). Frequency is driven by confirmed active exploitation (KEV-listed) and the large installed base of GlobalProtect across enterprise environments, which increases targeting probability, offset by the non-default configuration requirement that limits the actually vulnerable population. The annualized estimate is the frequency-magnitude product and carries significant uncertainty, since the proportion of the installed base with the non-default setting enabled is unknown.
Illustrative estimate — not actuarially derived.
Insurance / Contractual / Legal — Potential Obligations
Potential triggers, not legal determinations. Verify with counsel/broker before acting.
• If exploitation results in unauthorized access to internal systems containing PII or PHI, state and federal breach-notification obligations may be triggered. Verify with counsel and the privacy officer.
• The active exploitation status and CISA KEV listing may constitute a 'known vulnerability' or 'failure to patch' condition under cyber insurance policy terms, potentially affecting coverage for a resulting incident. Verify with the broker before assuming coverage applies, and retain evidence of patch and configuration remediation dates.
• Organizations in regulated sectors (financial services, healthcare, critical infrastructure) may face regulatory reporting obligations if unauthorized VPN access is confirmed. Verify applicable timelines and thresholds with counsel.
• Managed service providers, and organizations with third-party access agreements that use GlobalProtect as the access mechanism, should review contractual security baseline commitments that an exposed non-default configuration may implicate. Verify with counsel.