
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach company networks.
The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device.
“GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection,” reads Palo Alto’s advisory.
The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a shared certificate configuration.
However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw was now being actively exploited in attacks against unpatched devices, raising the severity rating to High.
“Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied,” reads the update.
This update comes after Rapid7 warned that it had observed the flaw being exploited against multiple customers starting on May 17.
“Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026,” explains Rapid7.
“As of May 29, 2026, this vulnerability has been added to the CISA KEV.”
According to Rapid7, the attacks began with hackers authenticating to GlobalProtect gateways using forged authentication override cookies that targeted the local administrator account.
The company first observed exploitation on May 18 from infrastructure hosted by Vultr, with a second wave of attacks detected on May 21 originating from Dromatics Systems.
In some cases, attackers were able to connect to the device via VPN using forged cookies, granting them access to internal networks. However, Rapid7 says that in many incidents, even though the appliance accepted the forged cookie, they were unable to establish a full VPN session.
Rapid7's investigation into affected customers found that the impacted devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed attackers to forge valid authentication cookies.
The researchers say the flaw stems from PAN-OS's validation of authentication override cookies.
A GlobalProtect VPN device decrypts these cookies using a configured private key and then trusts the decrypted contents without performing any signature verification.
If the same certificate is reused for both HTTPS services and authentication override cookies, attackers can obtain the corresponding public key via the HTTPS session and then use it to create forged cookies that the device will accept as valid.
Rapid7 developed a proof-of-concept exploit that demonstrates how an attacker can retrieve the public certificate exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without valid credentials. Using this PoC, the researchers successfully authenticated to an unpatched GlobalProtect gateway.
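The design problem described above, reduced to a runnable illustration (an added example, not Rapid7's PoC and not PAN-OS's actual cookie format): a cookie that is only public-key encrypted can be produced by anyone holding the public key, so a gateway that decrypts and trusts it (`accept_cookie_v1`) cannot tell an issued cookie from a forged one, while a gateway that also verifies a tag computed under a device-only secret (`accept_cookie_v2`) rejects the forgery. The toy RSA parameters, the `user=` field and the tag scheme are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Toy RSA modulus built from two Mersenne primes (constructed for illustration;
# far too small for real use, but enough to carry a short cookie plaintext).
P = (1 << 127) - 1
Q = (1 << 107) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # the device's private exponent

def pk_encrypt(msg: bytes) -> int:
    """Anyone holding the public key (E, N) can produce a ciphertext."""
    m = int.from_bytes(msg, "big")
    assert m < N, "plaintext too long for the toy modulus"
    return pow(m, E, N)

def sk_decrypt(cookie: int) -> bytes:
    """Only the private-key holder (the device) can recover the plaintext."""
    m = pow(cookie, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def accept_cookie_v1(cookie: int):
    """Vulnerable pattern: decrypt, then trust whatever the plaintext says."""
    plain = sk_decrypt(cookie).decode(errors="replace")
    return plain[5:] if plain.startswith("user=") else None

# Hardened pattern: the plaintext must carry a tag under a key that never
# leaves the device (assumed server-only secret; a signature under a separate
# signing key would serve the same purpose).
TAG_KEY = os.urandom(32)

def tag(payload: bytes) -> bytes:
    return hmac.new(TAG_KEY, payload, hashlib.sha256).hexdigest()[:16].encode()

def issue_cookie_v2(payload: bytes) -> int:
    """Only the device can mint a cookie whose tag will verify."""
    return pk_encrypt(payload + b"." + tag(payload))

def accept_cookie_v2(cookie: int):
    """Hardened pattern: verify the tag before trusting any field."""
    payload, sep, t = sk_decrypt(cookie).rpartition(b".")
    if not sep or not hmac.compare_digest(t, tag(payload)):
        return None  # missing or wrong tag: reject, do not look at the fields
    plain = payload.decode(errors="replace")
    return plain[5:] if plain.startswith("user=") else None

if __name__ == "__main__":
    forged = pk_encrypt(b"user=admin")  # built with the public key only
    print("v1 accepts forged cookie as:", accept_cookie_v1(forged))  # admin
    print("v2 accepts forged cookie as:", accept_cookie_v2(forged))  # None
    print("v2 accepts issued cookie as:", accept_cookie_v2(issue_cookie_v2(b"user=alice")))
```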
Organizations using GlobalProtect VPN devices should immediately install the latest security updates to patch the flaw.
Admins can also mitigate the flaw by disabling the authentication override feature, or by using a separate certificate for this feature that is not shared with other services on the device.
CISA has now added the flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to mitigate the flaw by June 1, 2026.
