"We have become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," Palo Alto Networks warned on Friday, a concise alert that changed the urgency around a recently patched vulnerability.
CVE-2026-0257 and PAN-OS GlobalProtect
CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway component of Palo Alto Networks’ PAN-OS software. The flaw could allow an attacker to bypass security restrictions and establish an unauthorized VPN connection. The vulnerability carries a CVSS score of 7.8. Palo Alto published a software update on May 13 to address the issue; the vendor initially rated the flaw as medium severity because it only affected firewalls when the GlobalProtect portal or gateway was configured with authentication override cookies enabled and a specific certificate configuration existed.
Exploitation observed by Rapid7: two waves starting May 18 and 21
Researchers at Rapid7 reported active exploitation in multiple, discrete attempts. Rapid7 urged organizations to treat the vulnerability as “critical,” saying exploitation occurred in two waves, likely by the same actor, beginning on May 18 and May 21. In its analysis, Rapid7 said: “Rapid7 observed VPN IP assignment following the cookie authentication, granting them access to the internal network. At this time, Rapid7 is unable to confirm why VPN assignment occurred only for a subset of exploited customers.”
Rapid7 also reported patterns of successful exploitation using forged cookies. As it summarized: “Across multiple customers, Rapid7 observed successful exploitation via authentication probes using forged cookies, but the appliance accepted the cookie without a full VPN session being established in 8 out of 10 impacted MDR customers.” Those technical observations were central to the decision to elevate the vulnerability’s severity from medium to high after multiple exploitation attempts in recent days.
Palo Alto’s mitigations and the immediate ask to customers
GlobalProtect VPN users were urged to patch immediately following both the May 13 update and subsequent reports of active exploitation. For customers unable to apply the update promptly, Palo Alto Networks published two mitigation options:
- Disable authentication override in the GlobalProtect portal and gateway configuration.
- Generate a new certificate exclusively for authentication override cookies; store it securely, and do not reuse or share it with other users.
Those mitigations are specific to the configuration conditions that the vendor identified as necessary for exploitation—authentication override cookies and a particular certificate setup—and are the vendor-provided alternatives to immediate patching.
CISA KEV listing and the federal patch deadline
The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) Catalog. That addition carries an operational consequence: federal civilian agencies are required to patch the vulnerability by June 1. The KEV listing signals regulators’ view of the risk in environments subject to federal cybersecurity requirements and sets a binding remediation timeline for affected civilian agencies.
What this means for GlobalProtect users, federal agencies, and security teams
- GlobalProtect users: You are urged to apply the May 13 PAN-OS update immediately. If patching is not possible, implement one of Palo Alto’s mitigations—disable authentication override or generate an exclusive certificate for override cookies.
- Federal civilian agencies: CVE-2026-0257 is on CISA’s KEV list with a June 1 remediation requirement; agencies must follow the KEV-mandated timeline to meet federal compliance obligations.
- Security operations and enterprise IT teams: Monitor for the exploitation patterns Rapid7 reported—authentication probes using forged cookies and unexpected VPN IP assignment following cookie authentication—and prioritize remediation for devices with authentication override cookies enabled and the implicated certificate configuration.
The sequence is clear: a patch was published on May 13, exploitation activity was observed beginning May 18 and 21, and both vendor guidance and federal action followed. What remains unresolved in the public record is a technical detail Rapid7 flagged: why VPN assignment after cookie-based authentication occurred only for a subset of exploited customers. That discrepancy matters because it affects detection and response priorities—until that behavior is explained, organizations must assume the risk could materialize unpredictably and act accordingly.




