Skip to main content
Emerging Threats

Palo Alto Networks Warns of Active Exploitation of GlobalProtect Flaw

Network operations center with laptop, city view, and VPN diagram on whiteboard.

"Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection," Palo Alto Networks said in an advisory released on May 13, 2026.

CVE-2026-0257: the flaw and where it sits

Palo Alto Networks has classified the issue as CVE-2026-0257, assigning it a CVSS score of 7.8 and describing it as an authentication bypass that can be used to set up VPN connections. The company says the vulnerability affects PAN-OS and Prisma Access deployments where firewalls have a GlobalProtect portal or gateway configured, authentication override cookies are enabled, and "a specific certificate configuration" exists. In short, under those conditions an attacker can bypass the appliance's authentication checks and establish an unauthorized VPN session.

Observed exploitation: Rapid7 timeline and Palo Alto update

Public reporting and vendor updates place exploitation in the wild in mid‑ to late May 2026. Rapid7 disclosed that it "identified successful exploitation across numerous customers," with the earliest observed activity dated May 17, 2026 and a second wave beginning May 21. Rapid7 assessed both exploitation sets to be the work of the same threat actor. In its May 29 update Palo Alto Networks said it had "become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied."

Rapid7 further recorded that activity in the second wave included VPN IP assignment following the cookie authentication in two cases, "granting the attacker access to the internal network." Rapid7 also reported that there was "no follow-on activity in the customer environments where a VPN session was established" in the instances it examined.

Palo Alto Networks advisories and recommended mitigations

Palo Alto Networks first posted its advisory on May 13, 2026 and followed it with the May 29 update noting active attempts. The vendor and outside observers have urged operators to treat the issue urgently. As temporary mitigations, organizations are advised to either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature. Rapid7 explicitly urged that "organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis."

Related active campaigns: FortiClient EMS and EKZ Infostealer

The exploitation of CVE-2026-0257 arrives amid other active weaponization trends. Arctic Wolf recently reported ongoing exploitation of a separate critical flaw in FortiClient Endpoint Management Server (CVE-2026-35616, CVSS score 9.1) to deliver a credential‑stealing malware family called EKZ Infostealer. That campaign is distinct from the PAN-OS vulnerability but reinforces the broader pattern of enterprise remote‑access and endpoint management flaws being turned into initial access vectors.

How technologists and affected enterprises are likely to respond

  • Technologists and security teams: verify whether GlobalProtect portals or gateways have authentication override cookies enabled and whether the specific certificate configuration described by the vendor exists; apply vendor patches as released; implement the temporary mitigations (disable authentication override or provision a dedicated certificate) immediately where patching cannot be completed.
  • Affected enterprises and procurement leaders: prioritize installation of the vendor‑supplied patch for PAN-OS and Prisma Access; treat devices that remain unpatched and unmitigated as high risk given reported successful exploitation and VPN access observed by Rapid7.
  • Adversaries and threat actors (as observed): Rapid7's assessment that the same actor conducted multiple exploitation waves suggests focused, repeat attempts to weaponize the bypass; the activity that resulted in VPN IP assignment in two cases shows the tangible potential payoff for attackers who succeed.

The record in mid‑ to late‑May 2026 shows a medium‑severity authentication bypass moving quickly from disclosure to exploitation. Palo Alto Networks' advisories and Rapid7's field observations converge on the same practical point: where authentication override cookies and the cited certificate configuration exist, unpatched devices have already been targeted and remediation should be treated as urgent. The short-term fixes are explicit; the unresolved question is how rapidly organizations will apply them across exposed gateways and portals.

https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html