Palo Alto Networks is warning that hackers are actively exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.
The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections to the device.
“GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection,” reads Palo Alto’s advisory.
The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a specific certificate configuration.
However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw is now being actively exploited in attacks against unpatched devices, raising the severity rating to High.
“Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied,” reads the update.
This update comes after Rapid7 warned that it had observed the flaw being exploited against numerous customers starting on May 17.
“Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026,” explains Rapid7.
“As of May 29, 2026, this vulnerability has been added to the CISA KEV.”
According to Rapid7, the attacks began with hackers authenticating to GlobalProtect gateways using forged authentication override cookies that targeted the local administrator account.
The company first observed exploitation on May 18 from infrastructure hosted by Vultr, with a second wave of attacks detected on May 21 originating from Dromatics Systems.
In some cases, attackers were able to connect to the device via VPN using forged cookies, granting them access to internal networks. However, Rapid7 says that in many incidents, although the appliance accepted the forged cookie, the attackers were unable to establish a full VPN session.
Rapid7’s investigation into affected customers found that the impacted devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed attackers to forge valid authentication cookies.
The researchers say the flaw stems from how PAN-OS validates authentication override cookies.
A GlobalProtect VPN device decrypts these cookies using a configured private key and then trusts the decrypted contents without performing any signature verification. Encryption alone provides confidentiality, not authenticity: anyone holding the matching public key can produce a ciphertext that decrypts cleanly, so successful decryption proves nothing about who created the cookie.
If the same certificate is reused for both HTTPS services and authentication override cookies, attackers can obtain the corresponding public key through the HTTPS session and then use it to create forged cookies that the device will accept as legitimate.
Rapid7 developed a proof-of-concept exploit that demonstrates how an attacker can retrieve the public certificate exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without knowing valid credentials. Using this PoC, the researchers successfully authenticated to an unpatched GlobalProtect gateway.
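The decrypt-and-trust mistake described above, modelled in an added Python example. This is not Rapid7's proof of concept and not PAN-OS code: the cookie format (textbook RSA over 11-byte chunks of a JSON payload), the toy key sizes, the `forge_cookie`/`vulnerable_gateway`/`hardened_gateway` functions and the HMAC-based hardened check are all assumptions made for illustration, since the article describes neither PAN-OS's real cookie format nor the content of the fix. The point carried over from the text is exact, though: a cookie that merely decrypts cleanly proves only that its author held the public key, which the HTTPS certificate hands to every client.

```python
"""Added illustration of decrypt-and-trust cookie validation (not PAN-OS code).

Assumptions, not taken from the article:
  * cookies are textbook RSA over 11-byte chunks of a JSON payload;
  * the hardened variant adds an HMAC keyed with a gateway-only secret.
"""
from __future__ import annotations

import hashlib
import hmac
import json

# Toy RSA key pair: two Mersenne primes give a ~92-bit modulus, just large
# enough that an 11-byte plaintext chunk (88 bits) stays below N.
P, Q = (1 << 31) - 1, (1 << 61) - 1
N = P * Q                                  # public modulus (in the certificate)
E = 65537                                  # public exponent (in the certificate)
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (gateway only)
CHUNK = 11                                 # bytes per RSA block

# Gateway-only MAC secret for the hardened variant (constructed for this
# example; the real fix is not described on the page).
COOKIE_MAC_KEY = b"gateway-only-secret-not-derivable-from-the-certificate"


def rsa_encrypt(pub_n: int, pub_e: int, data: bytes) -> list[int]:
    """Encrypt chunk by chunk with the PUBLIC key. Anyone who fetched the
    certificate over TLS can do this, which is the whole problem."""
    return [pow(int.from_bytes(data[i:i + CHUNK], "big"), pub_e, pub_n)
            for i in range(0, len(data), CHUNK)]


def rsa_decrypt(priv_n: int, priv_d: int, blocks: list[int]) -> bytes:
    """Decrypt with the PRIVATE key. Leading zero padding is stripped, which is
    fine for the JSON payloads used here (they never begin with NUL)."""
    return b"".join(pow(b, priv_d, priv_n).to_bytes(CHUNK, "big").lstrip(b"\x00")
                    for b in blocks)


def forge_cookie(pub_n: int, pub_e: int, user: str) -> list[int]:
    """Attacker side: build a cookie for any user using nothing but the
    public key recovered from the gateway's HTTPS certificate."""
    return rsa_encrypt(pub_n, pub_e, json.dumps({"user": user}).encode())


def vulnerable_gateway(cookie: list[int]) -> str | None:
    """Flawed check: a cookie that decrypts to well-formed JSON is trusted.
    Decryption proves the cookie was made with the public key, nothing more."""
    try:
        return json.loads(rsa_decrypt(N, D, cookie))["user"]
    except (ValueError, KeyError, TypeError, OverflowError):
        return None


def issue_cookie(user: str) -> tuple[list[int], str]:
    """Gateway side (hardened): encrypt AND authenticate the payload with a
    secret that never leaves the gateway."""
    payload = json.dumps({"user": user}).encode()
    tag = hmac.new(COOKIE_MAC_KEY, payload, hashlib.sha256).hexdigest()
    return rsa_encrypt(N, E, payload), tag


def hardened_gateway(cookie: list[int], tag: str) -> str | None:
    """Hardened check: reject any cookie whose MAC does not verify. An attacker
    holding only the public key cannot compute a valid tag."""
    try:
        payload = rsa_decrypt(N, D, cookie)
    except (ValueError, OverflowError):
        return None
    expected = hmac.new(COOKIE_MAC_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    try:
        return json.loads(payload)["user"]
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    forged = forge_cookie(N, E, "admin")   # built with the certificate's public key only
    print("vulnerable gateway accepts forged cookie as:", vulnerable_gateway(forged))
    print("hardened gateway on forged cookie:", hardened_gateway(forged, "0" * 64))
    print("hardened gateway on genuine cookie:", hardened_gateway(*issue_cookie("alice")))
```

The two mitigations in the article map onto this model directly: disabling the feature removes `vulnerable_gateway` from the path entirely, and issuing the cookie key pair on a dedicated certificate means `N` and `E` are no longer handed out by the HTTPS listener, so `forge_cookie` has nothing to encrypt with. Only an authenticity check such as the MAC in `hardened_gateway` removes the underlying assumption that "it decrypted, so it must be ours".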
Organizations using GlobalProtect VPN devices should immediately install the latest security updates to patch the flaw.
Admins can also mitigate the flaw by turning off the authentication override feature, or by using a dedicated certificate for this feature that is not shared with any other service on the device. The second option only helps if the dedicated certificate's public key is never served to clients, since exposure of that key is what makes the cookies forgeable.
CISA has now added the flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to mitigate the flaw by June 1, 2026.