
Palo Alto Networks is warning that hackers are actively exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.
The company patched the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device.
"GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection," reads Palo Alto's advisory.
The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a specific certificate configuration.
However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw was now being actively exploited in attacks against unpatched devices, raising the severity rating to High.
"Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," reads the update.
This update comes after Rapid7 warned that it had observed the flaw being exploited against numerous customers starting on May 17.
"Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026," explains Rapid7.
"As of May 29, 2026, this vulnerability has been added to the CISA KEV."
According to Rapid7, the attacks began with hackers authenticating to GlobalProtect gateways using forged authentication override cookies that targeted the local administrator account.
The company first observed exploitation on May 18 from infrastructure hosted by Vultr, with a second wave of attacks detected on May 21 originating from Dromatics Systems.
In some cases, attackers were able to connect to the device via VPN using forged cookies, granting them access to internal networks. However, Rapid7 says that in many incidents, even though the appliance accepted the forged cookie, the attackers were unable to establish a full VPN session.
Rapid7's investigation into affected customers found that the impacted devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed attackers to forge valid authentication cookies.
The researchers say the flaw stems from how PAN-OS validates authentication override cookies.
A GlobalProtect VPN device decrypts these cookies using a configured private key and then trusts the decrypted contents without performing any signature verification.
If the same certificate is reused for both HTTPS services and authentication override cookies, attackers can obtain the corresponding public key via the HTTPS session and then use it to create forged cookies that the device will accept as legitimate.
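The root cause described above is a general cryptographic mistake: decrypting a token proves only that whoever built it knew the encryption key, and when that key is the public half of the TLS certificate, every client knows it. The following Go program is an added illustration written for this article, not Palo Alto Networks code and not the real PAN-OS cookie format. The `Claims` fields, the `Gateway` type and the key names are constructed for the example. It contrasts a validator that decrypts and trusts (the weak pattern) with one that first verifies a signature made with a private key only the gateway holds, so that a token minted from public material alone is rejected.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Claims is a toy model of the fields an authentication override cookie
// might carry. Constructed for this example; it is not the PAN-OS format.
type Claims struct {
	User   string `json:"user"`
	Expiry int64  `json:"exp"`
}

// Gateway models a VPN gateway's key material: a TLS key pair whose public
// half every HTTPS client reads from the certificate, and a separate
// Ed25519 signing key pair that never leaves the gateway.
type Gateway struct {
	tlsKey  *rsa.PrivateKey
	signPub ed25519.PublicKey
	signKey ed25519.PrivateKey
}

func NewGateway() (*Gateway, error) {
	tlsKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	signPub, signKey, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Gateway{tlsKey: tlsKey, signPub: signPub, signKey: signKey}, nil
}

// TLSPublicKey is what any client learns from the server certificate during
// the TLS handshake: public information by design.
func (g *Gateway) TLSPublicKey() *rsa.PublicKey { return &g.tlsKey.PublicKey }

// EncryptClaims builds a cookie the way the weak design does: RSA-OAEP under
// the TLS public key and nothing else. Because only the public key is needed,
// the ciphertext carries no evidence of who produced it.
func EncryptClaims(pub *rsa.PublicKey, c Claims) ([]byte, error) {
	plain, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// WeakValidate decrypts and trusts whatever comes out: the "decrypt, then
// trust without signature verification" pattern the article describes.
func (g *Gateway) WeakValidate(cookie []byte) (Claims, error) {
	var c Claims
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, g.tlsKey, cookie, nil)
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(plain, &c)
	return c, err
}

// SignedCookie is the hardened shape: the ciphertext plus a signature over it
// made with a private key only the gateway holds.
type SignedCookie struct {
	Ciphertext []byte
	Signature  []byte
}

// IssueCookie is the only way to mint a cookie the hardened validator accepts,
// since it requires the gateway's private signing key.
func (g *Gateway) IssueCookie(c Claims) (SignedCookie, error) {
	ct, err := EncryptClaims(&g.tlsKey.PublicKey, c)
	if err != nil {
		return SignedCookie{}, err
	}
	return SignedCookie{Ciphertext: ct, Signature: ed25519.Sign(g.signKey, ct)}, nil
}

// StrongValidate checks authenticity before decrypting. A ciphertext produced
// from the public key alone has no valid signature and is rejected before its
// contents are ever examined.
func (g *Gateway) StrongValidate(sc SignedCookie) (Claims, error) {
	if !ed25519.Verify(g.signPub, sc.Ciphertext, sc.Signature) {
		return Claims{}, errors.New("cookie signature invalid: not issued by this gateway")
	}
	return g.WeakValidate(sc.Ciphertext)
}

func main() {
	gw, _ := NewGateway()
	// A cookie built from nothing but the public key in the TLS certificate.
	unsigned, _ := EncryptClaims(gw.TLSPublicKey(), Claims{User: "admin", Expiry: 1})
	c, err := gw.WeakValidate(unsigned)
	fmt.Printf("weak validator:   user=%q err=%v\n", c.User, err)
	_, err = gw.StrongValidate(SignedCookie{Ciphertext: unsigned})
	fmt.Printf("strong validator: err=%v\n", err)
	issued, _ := gw.IssueCookie(Claims{User: "alice", Expiry: 1})
	c, err = gw.StrongValidate(issued)
	fmt.Printf("strong validator, gateway-issued cookie: user=%q err=%v\n", c.User, err)
}
```

The design point is that confidentiality and authenticity are separate properties. Encrypting to a public key gives the former only; the latter needs a secret the verifier can check and the client cannot obtain, which is also why the mitigation of not sharing the cookie certificate with the HTTPS service matters: it keeps the relevant key out of public view.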
Rapid7 developed a proof-of-concept exploit that demonstrates how an attacker can retrieve the public certificate exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without knowing valid credentials. Using this PoC, the researchers successfully authenticated to an unpatched GlobalProtect gateway.
Organizations using GlobalProtect VPN devices should immediately install the latest security updates to fix the flaw.
Admins can also mitigate the flaw by disabling the authentication override feature, or by using a dedicated certificate for this feature that is not shared with other services on the device.
CISA has now added the flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to mitigate the flaw by June 1, 2026.

