PAN-OS GlobalProtect VPN authentication bypass flaw (CVE-2026-0257) now exploited in attacks
Palo Alto Networks warns that CVE-2026-0257, a GlobalProtect authentication bypass in PAN-OS, is being actively exploited against unpatched devices. Rapid7 observed exploitation beginning May 17, 2026, first from Vultr-hosted infrastructure and then from infrastructure operated by Dromatics Systems, and CISA added the flaw to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a June 1 remediation deadline for federal agencies. The flaw arises from how PAN-OS validates authentication override cookies: the gateway trusts a decrypted cookie without confirming it issued the cookie, so an attacker who holds the device's public key can forge one. Apply the latest patches; where patching is delayed, disable authentication override cookies or stop sharing the HTTPS certificate with the cookie-encryption function.

PAN-OS GlobalProtect VPN Authentication Bypass Flaw: Active Exploitation and What It Means for Networks
Overview
A recently fixed vulnerability in Palo Alto Networks PAN-OS GlobalProtect, tracked as CVE-2026-0257, has moved from a disclosed weakness to active exploitation in the wild. The flaw enables an attacker to bypass authentication controls on GlobalProtect portal and gateway devices, potentially allowing unauthorized VPN access to internal networks. The flaw was initially rated Medium; Palo Alto Networks raised the advisory to High once active exploitation against unpatched systems was observed.
What changed and why it matters
- The vulnerability centers on how GlobalProtect handles authentication override cookies: a device that accepts these cookies in place of a fresh login trusts their decrypted contents without checking that the device itself issued them.
- Authentication override cookies are encrypted to a certificate configured on the device. An attacker who holds the matching public key can encrypt a cookie of their own, producing forged cookies that masquerade as legitimate credentials.
- The flaw becomes particularly dangerous when the same certificate is used for both the HTTPS service and the authentication override cookies, because the TLS handshake hands that public key to every client, so the attacker needs nothing beyond a connection to the portal or gateway.
- The situation escalated when security researchers and CERTs began reporting real-world exploitation against organizations lacking the latest patches, prompting the severity upgrade and emergency advisories.
Technical background and attack vector
- A GlobalProtect device decrypts authentication override cookies with a configured private key and then trusts the decrypted data without validating the signature, creating a validation gap.
- If the certificate used for HTTPS services is the same as that used for authentication override cookies, attackers can retrieve the public key via the HTTPS session and generate forged cookies for arbitrary users.
- Rapid7 independently developed a proof-of-concept (PoC) that demonstrates how an attacker can retrieve public certificates exposed by a GlobalProtect portal or gateway, forge a valid-looking authentication override cookie, and authenticate to an unpatched gateway without valid credentials.
- Exploitation patterns observed in the wild include attackers forging cookies to gain access to a device, sometimes granting entry to internal networks. In many cases, devices accepted the forged cookie but did not complete a full VPN session, indicating partial success and the potential for deeper intrusions in other environments.
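To make the validation gap concrete, the following Go program is an added illustration for this page; it is not Rapid7's PoC or Palo Alto Networks code, and its cookie layout (one length byte, a signature, then the username), the key roles and the function names are assumptions, not PAN-OS internals. It models a gateway that encrypts cookies to the key behind its HTTPS certificate. An attacker holding only the public key encrypts a claim for any user; the decrypt-and-trust validator accepts it, while a validator that also checks a signature made with a key that never leaves the device rejects it and still accepts a cookie the device issued itself.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Gateway models the cookie-handling side of a VPN gateway. The cookie layout and
// key roles below are assumptions for illustration, not PAN-OS internals.
type Gateway struct {
	encKey  *rsa.PrivateKey   // key of the HTTPS certificate; its public half reaches every TLS client
	signKey *ecdsa.PrivateKey // issuance signing key that never leaves the device
}

func NewGateway() *Gateway {
	enc, err1 := rsa.GenerateKey(rand.Reader, 2048)
	sig, err2 := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	return &Gateway{encKey: enc, signKey: sig}
}

// PubKey is what every TLS client learns when one certificate serves both HTTPS and cookies.
func (g *Gateway) PubKey() *rsa.PublicKey { return &g.encKey.PublicKey }

// sealCookie encrypts "len(sig) || sig || username" to a public key. Anyone holding
// that key can call this, so encryption alone says nothing about who built the body.
func sealCookie(pub *rsa.PublicKey, sig []byte, user string) ([]byte, error) {
	body := append(append([]byte{byte(len(sig))}, sig...), user...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, body, nil)
}

// open decrypts with the private key and splits the body into signature and username.
func (g *Gateway) open(cookie []byte) (sig, user []byte, err error) {
	body, err := rsa.DecryptOAEP(sha256.New(), nil, g.encKey, cookie, nil)
	if err != nil || len(body) == 0 || int(body[0]) >= len(body) {
		return nil, nil, errors.New("undecryptable or malformed cookie")
	}
	n := int(body[0])
	return body[1 : 1+n], body[1+n:], nil
}

// IssueCookie is the legitimate path: sign the username with the device-only key, then encrypt.
func (g *Gateway) IssueCookie(user string) ([]byte, error) {
	h := sha256.Sum256([]byte(user))
	sig, err := ecdsa.SignASN1(rand.Reader, g.signKey, h[:])
	if err != nil {
		return nil, err
	}
	return sealCookie(g.PubKey(), sig, user)
}

// ForgeCookie is all an attacker can do with the HTTPS certificate's public key
// alone: an encrypted claim for any user, with an empty signature slot.
func ForgeCookie(pub *rsa.PublicKey, user string) ([]byte, error) {
	return sealCookie(pub, nil, user)
}

// ValidateVulnerable decrypts and trusts the result, the pattern behind the flaw:
// the signature bytes are split off and never checked.
func (g *Gateway) ValidateVulnerable(cookie []byte) (string, error) {
	_, user, err := g.open(cookie)
	if err != nil {
		return "", err
	}
	return string(user), nil
}

// ValidateHardened rejects any username that the device itself did not sign.
func (g *Gateway) ValidateHardened(cookie []byte) (string, error) {
	sig, user, err := g.open(cookie)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256(user)
	if !ecdsa.VerifyASN1(&g.signKey.PublicKey, h[:], sig) {
		return "", errors.New("cookie signature invalid")
	}
	return string(user), nil
}

func main() {
	g := NewGateway()
	forged, _ := ForgeCookie(g.PubKey(), "admin") // attacker needs only the public key
	fmt.Println(g.ValidateVulnerable(forged))     // admin <nil>
	fmt.Println(g.ValidateHardened(forged))       // (empty) cookie signature invalid
	legit, _ := g.IssueCookie("alice")
	fmt.Println(g.ValidateHardened(legit)) // alice <nil>
}
```

The point of the split between encKey and signKey is the mitigation the page describes: encryption to a key whose public half is on the wire proves nothing about origin, so the gateway must check something only it could have produced, and the certificate that fronts HTTPS should not be the only secret standing between the Internet and a valid-looking cookie.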
Timeline of exploitation and key milestones
- May 17, 2026: Rapid7 MDR notes successful exploitation across multiple customers, though no evidence of lateral movement at this stage.
- May 18, 2026: First wave of attacks traced to infrastructure hosted on Vultr.
- May 21, 2026: A second wave of attacks traced to infrastructure operated by Dromatics Systems.
- May 29, 2026: The vulnerability is added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog.
- May 30, 2026: Public advisories confirm ongoing exploitation of unpatched PAN-OS devices.
Impact and observed effects
- Attackers targeting PAN-OS GlobalProtect gateways can authenticate to VPN endpoints using forged authentication override cookies, bypassing standard login controls.
- In some incidents, attackers were able to connect to devices via VPN using forged cookies, obtaining access to internal networks. In other cases, devices accepted the forged cookies but did not establish a full VPN session.
- Affected devices were those with GlobalProtect authentication override cookies enabled, in particular where the certificate used for those cookies was also the HTTPS certificate, so that its public key was available to any client. The root cause lies in the cookie validation process within PAN-OS.
Incident response context and current status
- Palo Alto Networks issued a patch addressing CVE-2026-0257 earlier in the month, signaling the availability of fixes to mitigate the flaw.
- After identifying active exploitation, the advisory was updated to reflect high-severity risk due to real-world attacks on unpatched devices.
- CISA added the vulnerability to KEV, signaling exposure for federal agencies and imposing a short remediation deadline.
What this means for organizations
- The vulnerability presents a clear validation gap in how authentication override cookies are processed within GlobalProtect gateways and portals.
- Attackers exploiting this flaw can gain unauthorized VPN access, potentially exposing internal systems and data.
- Patches and official advisories emphasize the urgency of remediation for organizations running PAN-OS GlobalProtect, especially for devices that were configured with authentication override cookies enabled.
Key facts to remember
- CVE-2026-0257 is a PAN-OS GlobalProtect authentication bypass vulnerability.
- Exploitation has been observed in the wild against unpatched devices starting mid-May 2026.
- The issue stems from how GlobalProtect validates authentication override cookies, including potential reuse of a certificate across services.
- Public PoC demonstrations show an attacker being able to forge authentication cookies to gain access without valid credentials.
- The vulnerability has been added to KEV, underscoring its severity and the need for timely remediation.
Context and related developments
- The vulnerability illustrates a broader category of authentication bypass issues that can arise when cookie-based overrides interact with certificate handling and TLS configurations.
- Industry responses highlight the importance of patching, reviewing cookie configurations, and ensuring that certificate usage is isolated to the intended services rather than shared across multiple functions on a single device.
References and additional context
- Palo Alto Networks advisory for CVE-2026-0257 outlining the vulnerability, its impact, and the affected PAN-OS components.
- Rapid7 research detailing exploitation activity, the PoC, and observed outcomes across affected customers.
- KEV listing by CISA documenting the vulnerability and its status within the Known Exploited Vulnerabilities catalog.
In summary, CVE-2026-0257 represents a significant risk to organizations relying on PAN-OS GlobalProtect for remote access. With active exploitation reported against unpatched devices and both the vendor and CISA flagging high-severity exposure, the security community continues to monitor the situation as patches are applied and defenses are hardened.