2026-05-30 The Hacker News

CVE-2026-0257: PAN-OS GlobalProtect Bypass Actively Exploited

Tags: Vulnerability, Authentication, Zero-Day

Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a medium-severity authentication bypass vulnerability (CVSS 7.8) affecting PAN-OS and Prisma Access GlobalProtect portal and gateway configurations. The flaw specifically impacts firewalls where authentication override cookies are enabled alongside a specific certificate configuration, allowing threat actors to bypass security restrictions and establish unauthorized VPN connections. Palo Alto Networks initially disclosed the vulnerability in an advisory dated May 13, 2026, but updated its guidance on May 29, 2026, confirming limited exploit attempts on unpatched devices without mitigations applied.

Cybersecurity firm Rapid7 identified successful exploitation across multiple customer environments, with the earliest compromise attempts dating back to May 17, 2026, followed by a second wave on May 21, 2026. Both campaigns are attributed to the same threat actor. Notably, the second exploitation wave involved VPN IP assignment following cookie authentication, effectively granting attackers direct access to internal networks. While no follow-on malicious activity has been observed in compromised VPN sessions, the implications remain severe given the enterprise VPN context. Organizations can assess their exposure by running a DNS leak test to identify potential VPN security issues.

As temporary mitigations, administrators should either disable the authentication override feature or generate a new certificate exclusively for the authentication override function. Organizations running affected Palo Alto Networks appliances are urged to apply vendor-supplied patches on an urgent basis. This exploitation follows a separate report from Arctic Wolf detailing how threat actors weaponized a critical FortiClient EMS vulnerability (CVE-2026-35616, CVSS 9.1) to deploy the EKZ Infostealer malware. Organizations should also verify their network perimeter security using tools such as a port scanner to ensure no unintended VPN access points are exposed. Regular privacy checkups are recommended to maintain overall security hygiene in the face of evolving threats.

Source: The Hacker News
