"Palo Alto Networks is actively monitoring limited exploitation attempts targeting CVE-2026-0257 on unpatched PAN-OS devices where mitigations have not been applied," a company spokesperson said.
CVE-2026-0257: a vulnerability re-rated after exploitation
Palo Alto Networks first disclosed CVE-2026-0257 on May 13 and initially assigned the defect a medium-severity rating. That assessment changed rapidly after security researcher Rapid7 observed and confirmed active exploitation in the wild. Following Rapid7’s findings, the vendor reassessed the flaw as critical. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its known exploited vulnerabilities catalog on Friday, underscoring the accelerated threat.
How the bypass works and which configurations are at risk
The defect permits remote attackers to bypass security restrictions and establish a VPN connection to an affected firewall. Jake Knott, a security researcher at watchTowr, described the exploit as unusually simple: an attacker can “forge a valid authentication cookie using nothing more than the appliance’s publicly available TLS certificate. The entire exploit is a single HTTP request.”
Not every deployment is exploitable. The vulnerability specifically poses risk to Palo Alto Networks customers running GlobalProtect portal or gateway configured to enable authentication override cookies. Caitlin Condon, vice president of security research at VulnCheck, explained the technical precondition: “The cookie encryption and decryption certificate must be reused with another feature, which potentially exposes the public key for that certificate.” She noted the difficulty of estimating exposure but added that “Palo Alto Networks firewalls have a very large footprint, which means even uncommon configurations can present significant attack surface area.”
Observed exploitation and attacker behavior
Rapid7 first observed exploitation on May 17 in a customer environment and reported a second wave of activity on May 21. Douglas McKee, director of vulnerability intelligence at Rapid7, said investigators have “continued to see new victims roll in, including a couple of customers hit within just an hour of each other during a second wave of activity.”
Rapid7 assessed that the same attacker or group likely carried out both waves, but noted a characteristic pattern: in many cases attackers are not establishing a full VPN connection or moving to other parts of the impacted network. McKee described the actors as “highly opportunistic and clearly monitor the security research community,” adding that “Attackers are purposefully weaponizing medium-severity vulnerabilities, which are typically lower priority or blind spots for organizations.” He also said, “Their exact origins and long-term objectives remain unclear, as they currently seem focused purely on opportunistic initial access rather than targeted, long-term espionage.”
Palo Alto Networks’ response and recommended actions
Palo Alto Networks said it discovered the vulnerability internally through its use of frontier AI tools. After the reassessment, the company urged all customers to immediately apply the patch or follow its recommended steps for mitigation. Both the vendor and Rapid7 declined to disclose how many organizations have been impacted to date. The firm’s public statement reiterated active monitoring of “limited exploitation attempts” on unpatched devices where mitigations are not in place.
What this means for security teams, affected enterprises, and adversaries
- Security teams and technologists: Rapid7’s timeline—disclosure on May 13, observed exploitation on May 17, and a second wave on May 21—illustrates how quickly a vulnerability can escalate from medium to critical once weaponized. The immediate, specific action cited by the vendor is patching or applying the vendor’s mitigations.
- Affected enterprises and procurement leaders: Organizations running GlobalProtect portal or gateway with authentication override cookies and certificate reuse should treat their deployments as higher risk and prioritize patching. As Caitlin Condon highlighted, even uncommon configurations can matter because of the vendor’s large installed base.
- Adversaries and opportunistic actors: Rapid7’s account suggests attackers are monitoring public research and adapting quickly. Observed behavior so far emphasizes opportunistic initial access rather than extended intrusions, but the simplicity of the exploit—the ability to forge an authentication cookie with a public TLS certificate and send a single HTTP request—lowers the bar for rapid weaponization.
The sequence of events around CVE-2026-0257 — an initial medium rating, swift reclassification after observed exploitation, and public mitigation guidance — is a compact case study in how exposure, configuration quirks, and public research can combine to change a vulnerability’s urgency overnight. For now, the clear next step named by the vendor remains immediate patching or application of its mitigations; how many environments will be patched before further waves arrive is an open and consequential question.




