
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.
The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections to the device.
“GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection,” reads Palo Alto’s advisory.
The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a specific certificate configuration.
However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw was now being actively exploited in attacks against unpatched devices, raising the severity rating to High.
“Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied,” reads the update.
This update comes after Rapid7 warned that it had observed the flaw being exploited against numerous customers starting on May 17.
“Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026,” explains Rapid7.
“As of May 29, 2026, this vulnerability has been added to the CISA KEV.”
According to Rapid7, the attacks began with hackers authenticating to GlobalProtect gateways using forged authentication override cookies that targeted the local administrator account.
The company first observed exploitation on May 18 from infrastructure hosted by Vultr, with a second wave of attacks detected on May 21 originating from Dromatics Systems.
In some cases, attackers were able to connect to the device via VPN using forged cookies, granting them access to internal networks. However, Rapid7 says that in many incidents, even though the appliance accepted the forged cookie, the attackers were unable to establish a full VPN session.
Rapid7’s investigation into affected customers found that the impacted devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed attackers to forge valid authentication cookies.
The researchers say the flaw stems from how PAN-OS validates authentication override cookies.
A GlobalProtect VPN device decrypts these cookies using a configured private key and then trusts the decrypted contents without performing any signature verification. Successful decryption only proves that the cookie was encrypted with the matching public key; it says nothing about who created it, because anyone holding the public key can encrypt.
If the same certificate is reused for both the HTTPS service and authentication override cookies, attackers can obtain the corresponding public key from the HTTPS session and then use it to create forged cookies that the device will accept as legitimate.
Rapid7 developed a proof-of-concept exploit that demonstrates how an attacker can retrieve the public certificate exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without knowing valid credentials. Using this PoC, the researchers successfully authenticated to an unpatched GlobalProtect gateway.
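As an added illustration, not code from Palo Alto Networks or Rapid7 and not the real PAN-OS cookie format, the following Python model shows the design error described above: a validator that decrypts a cookie and trusts the plaintext, beside one that checks a signature before believing any claim. The toy RSA key (two Mersenne primes, trivially factorable), the JSON claims layout and every function name here are assumptions chosen so the example runs offline with only the standard library.

```python
"""Added illustrative model of an "encrypt, then trust" auth cookie.
NOT PAN-OS code and NOT Rapid7's PoC: key, cookie layout and names are
assumptions so the example runs offline with the Python standard library.
"""
import base64
import hashlib
import json
import time

# Toy RSA from two Mersenne primes: no key generation needed, zero security.
P = (1 << 127) - 1
Q = (1 << 521) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
MAX_BLOCK = (N.bit_length() - 1) // 8  # payload bytes that fit in one RSA block

PUBLIC_KEY = (E, N)   # what a TLS certificate hands to every client
PRIVATE_KEY = (D, N)  # what stays on the device


def _b2i(b):
    return int.from_bytes(b, "big")


def _i2b(i):
    return i.to_bytes((i.bit_length() + 7) // 8, "big")


def rsa_apply(msg, key):
    exp, mod = key
    return pow(msg, exp, mod)


def _b64(b):
    return base64.urlsafe_b64encode(b).decode()


def _fresh(claims):
    return isinstance(claims, dict) and claims.get("exp", 0) >= time.time()


# --- Vulnerable design: decrypt with the private key, trust the plaintext ---

def make_encrypted_cookie(claims, public_key):
    """Cookie = RSA-encrypted JSON claims. Anyone with the public key can mint one."""
    payload = json.dumps(claims, separators=(",", ":")).encode()
    assert len(payload) <= MAX_BLOCK, "payload too large for the toy modulus"
    return _b64(_i2b(rsa_apply(_b2i(payload), public_key)))


def validate_encrypted_cookie(cookie, private_key):
    """Vulnerable validator: no signature check, so forged and genuine look alike."""
    try:
        claims = json.loads(_i2b(rsa_apply(_b2i(base64.urlsafe_b64decode(cookie)), private_key)))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if _fresh(claims) else None


# --- Hardened design: sign with the private key, verify with the public key --

def make_signed_cookie(claims, private_key):
    """Cookie = claims in the clear + RSA signature over their SHA-256 digest."""
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = rsa_apply(_b2i(hashlib.sha256(payload).digest()), private_key)
    return _b64(payload) + "." + _b64(_i2b(sig))


def validate_signed_cookie(cookie, public_key):
    """Hardened validator: check the signature before believing any claim."""
    try:
        payload_b64, sig_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        sig = _b2i(base64.urlsafe_b64decode(sig_b64))
    except ValueError:
        return None
    if rsa_apply(sig, public_key) != _b2i(hashlib.sha256(payload).digest()):
        return None
    claims = json.loads(payload)
    return claims if _fresh(claims) else None


# --- Attacker side: holds nothing but the public key scraped over HTTPS ------

def forge_for_user(user, public_key):
    """Return (forgery of the encrypted format, best attempt at the signed format)."""
    claims = {"user": user, "exp": int(time.time()) + 3600}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    encrypted_forgery = make_encrypted_cookie(claims, public_key)
    # The only exponent the attacker has is the public one, so that is what they use.
    bogus_sig = rsa_apply(_b2i(hashlib.sha256(payload).digest()), public_key)
    return encrypted_forgery, _b64(payload) + "." + _b64(_i2b(bogus_sig))


def demo():
    """Vulnerable validator accepts the forgery; hardened one rejects it."""
    enc_forgery, sig_forgery = forge_for_user("admin", PUBLIC_KEY)
    return (validate_encrypted_cookie(enc_forgery, PRIVATE_KEY),
            validate_signed_cookie(sig_forgery, PUBLIC_KEY))


def legit_cookie_check():
    """A cookie minted with the private key passes the hardened validator."""
    claims = {"user": "alice", "exp": int(time.time()) + 60}
    return validate_signed_cookie(make_signed_cookie(claims, PRIVATE_KEY), PUBLIC_KEY)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("vulnerable validator returned:", accepted)
    print("hardened validator returned:", rejected)
```

Running it, the vulnerable validator returns the attacker's admin claims while the hardened one returns None, and a cookie minted with the device's private key still passes. The generalisation is the point: decrypting cleanly proves only that the ciphertext was made with the matching public key, which every TLS client already has, whereas a signature (or an HMAC under a server-held secret) requires something the attacker does not hold. The separate-certificate mitigation works by keeping the cookie key's public half off the HTTPS listener; it removes the attacker's access to the key rather than the design's reliance on confidentiality for authenticity.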
Organizations using GlobalProtect VPN devices should immediately install the latest security updates to patch the flaw.
Admins can also mitigate the flaw by turning off the authentication override feature or by using a separate certificate for this feature that is not shared with other services on the device. To check whether a device is in the vulnerable configuration, compare the certificate the portal or gateway serves on its HTTPS listener (for example, as shown by openssl s_client) with the certificate selected for authentication override; if they match, the public key an attacker needs is already exposed to every client.
CISA has now added the flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to mitigate the flaw by June 1, 2026.

