Skip to main content
Emerging ThreatsMalware & Ransomware

Hackers Exploit Palo Alto GlobalProtect VPN Auth Bypass Flaw in Attacks

Network security appliance on a rack in a brightly-lit data center.

CVE-2026-0257 is now a live threat: Palo Alto Networks and Rapid7 report that attackers are actively exploiting a PAN-OS GlobalProtect authentication bypass to try to establish unauthorized VPN connections into corporate networks.

CVE-2026-0257 and how PAN-OS validates authentication override cookies

Palo Alto’s advisory states the flaw allows an attacker to "bypass security restrictions and establish an unauthorized VPN connection" against GlobalProtect portal and gateway components in PAN-OS software. Rapid7’s analysis traces the bug to how PAN-OS processes authentication override cookies: the appliance decrypts such cookies using a configured private key and then trusts the decrypted contents without performing any signature verification. If the same certificate is reused for both HTTPS services and authentication override cookies, the corresponding public key can be obtained via an HTTPS session and then used to create forged cookies the device will accept as legitimate.

Rapid7’s findings: timeline, proofs-of-concept, and observed impacts

Rapid7 reported successful exploitation across numerous customers, with the company identifying the earliest observed exploitation on May 17, 2026. Rapid7 said it first observed exploitation on May 18 originating from infrastructure hosted by Vultr, followed by a second wave detected on May 21 originating from Dromatics Systems. The firm developed a proof-of-concept exploit that demonstrates how an attacker can retrieve public certificates exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without knowing valid credentials; using that PoC, the researchers successfully authenticated to an unpatched GlobalProtect gateway.

In practice, Rapid7 found two outcomes in compromised devices: in some cases attackers were able to connect to the device via VPN using forged cookies and thereby gained access to internal networks; in many other incidents the appliance accepted the forged cookie but attackers were unable to establish a full VPN session. Rapid7 also reported that it "did not observe any indication of successful lateral movement from the devices."

Palo Alto advisory evolution and the move from Medium to High severity

Palo Alto Networks fixed CVE-2026-0257 earlier this month and initially rated the flaw Medium because exploitation requires devices to be configured with authentication override cookies enabled and a specific certificate configuration. On Friday the company updated its advisory to warn the flaw was being actively exploited on unpatched devices and raised the severity rating to High. "Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," the update reads.

Mitigations, patches, and CISA’s Known Exploited Vulnerability action

Organizations using GlobalProtect devices are advised to install the latest security updates immediately to patch the flaw. Administrators can also mitigate risk by disabling the authentication override feature or by configuring a different certificate for that feature and not sharing it with other services on the device. Rapid7’s investigation found the impacted devices had authentication override cookies enabled and were configured in a way that allowed attackers to forge valid authentication cookies.

On May 29, 2026, the vulnerability was added to the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability (KEV) catalog. CISA ordered federal agencies to mitigate the flaw by June 1, 2026.

What this means for technologists, affected enterprises, and federal agencies

  • Technologists and security teams: validate whether GlobalProtect authentication override cookies are enabled, ensure certificate usage does not expose the public key for cookie validation, and apply Palo Alto’s patches without delay.
  • Affected enterprises and network operators: inventory exposed GlobalProtect portals and gateways, monitor VPN access logs for unexpected authentications, and consider disabling authentication override until a different certificate configuration or the vendor patch is applied.
  • Federal agencies: comply with CISA’s KEV order to mitigate CVE-2026-0257 by the June 1, 2026 deadline and prioritize patching of unpatched PAN-OS devices identified in agency inventories.

The technical chain here is plain and practical: a validation shortcut in PAN-OS combined with shared certificate use exposes authentication override cookies to forgery. Palo Alto has issued a fix, Rapid7 has published a PoC and a timeline of observed exploitation, and CISA has added the CVE to its KEV catalog with an enforcement date for federal agencies. The immediate, concrete task for operators is straightforward — install the supplied updates or apply the documented mitigations — while the open question remains how many GlobalProtect gateways will remain reachable and unpatched as attackers probe the internet for vulnerable devices.

Original story