Hackers are exploiting Palo Alto GlobalProtect VPN authentication bypass (CVE-2026-0257)

Authentication bypass vulnerabilities (CVE-2026-0257) in Palo Alto Networks’ firewalls that the company disclosed on May 13 have been targeted in “limited exploit attempts”.

“Across multiple customers, Rapid7 observed successful exploitation via authentication probes using forged cookies, but the appliance accepted the cookie without a full VPN session being established in 8 out of 10 impacted [Managed Detection Response] customers.”

The good news, though, is that Rapid7 hasn’t observed any indication of successful lateral movement from the devices.

About CVE-2026-0257

CVE-2026-0257 stems from the firewalls relying on cookies, but not performing detailed validation and integrity checking. This allows remote, unauthenticated attackers to bypass security restrictions and establish an unauthorized VPN connection.

The vulnerabilities affect the GlobalProtect portal and gateway of PAN’s physical and virtual firewalls running PAN-OS software, as well as Prisma Access.

GlobalProtect is Palo Alto Networks’ remote access VPN solution, built into PAN-OS and the client-side component of Prisma Access, which is essentially PAN-OS firewall capabilities delivered as-a-service from the cloud.

“This issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists,” the company said in the security advisory.

The authentication override feature issues cookies to authenticated users so they don’t have to re-enter credentials on every connection. But sometimes the certificate used to encrypt/decrypt these cookies is the same certificate used for the portal/gateway’s HTTPS service, according to Rapid7.

If that specific certificate configuration is present, an attacker can obtain the public key simply by connecting to the HTTPS service, and use it to forge a valid authentication override cookie (because the server decrypts and trusts the cookie content with no signature verification).
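As an added illustration (not code from Palo Alto Networks, Rapid7, or this article), the Python sketch below contrasts the design described above, a cookie that is only encrypted and then trusted after decryption, with one whose acceptance hinges on a secret the client never sees. Everything in it is an assumption for teaching purposes: the textbook RSA key on two Mersenne primes stands in for "the portal certificate's key pair", the 10-byte field layout is not the real PAN-OS cookie format, and the MAC key is a constructed value.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Toy textbook RSA key built from two Mersenne primes.  Constructed for this
# example only; it is not a real key and uses no padding.  It plays the role
# of the HTTPS certificate's key pair, whose public half anyone can fetch.
P = (1 << 31) - 1
Q = (1 << 61) - 1
N = P * Q                          # public modulus, larger than 2**91
E = 65537                          # public exponent, coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the server only

# Secret for the hardened scheme.  Constructed here; a real server would
# generate it with secrets.token_bytes() and never expose it.
SERVER_MAC_KEY = b"constructed-server-only-mac-key"

# Assumed cookie layout (not the real PAN-OS format): user id, expiry, nonce.
FIELDS = ">HII"                    # 10 bytes, far below N, so one RSA block
FIELD_LEN = struct.calcsize(FIELDS)
TAG_LEN = hashlib.sha256().digest_size


def _now(now):
    return int(time.time()) if now is None else now


# --- Vulnerable design: confidentiality only, content trusted after decryption ---

def issue_cookie_vulnerable(user_id, ttl=3600, now=None):
    """Server encrypts the fields with the public key and hands them out."""
    fields = struct.pack(FIELDS, user_id, _now(now) + ttl, secrets.randbits(32))
    return pow(int.from_bytes(fields, "big"), E, N)


def verify_cookie_vulnerable(cookie, now=None):
    """Server decrypts and believes whatever it finds: no integrity check."""
    m = pow(cookie, D, N)
    if m >= 1 << (8 * FIELD_LEN):
        return None                     # does not even decode as a cookie
    user_id, expiry, _nonce = struct.unpack(FIELDS, m.to_bytes(FIELD_LEN, "big"))
    return user_id if expiry >= _now(now) else None


def cookie_made_with_public_key_only(user_id, now=None):
    """What any party holding just (E, N) can produce.  It involves no server
    secret, yet verify_cookie_vulnerable() cannot tell it from a real cookie."""
    fields = struct.pack(FIELDS, user_id, _now(now) + 3600, 0)
    return pow(int.from_bytes(fields, "big"), E, N)


# --- Hardened design: a MAC under a key only the server holds ---

def issue_cookie_hardened(user_id, ttl=3600, now=None):
    """Cookie = fields || HMAC-SHA256(server key, fields)."""
    fields = struct.pack(FIELDS, user_id, _now(now) + ttl, secrets.randbits(32))
    tag = hmac.new(SERVER_MAC_KEY, fields, hashlib.sha256).digest()
    return fields + tag


def verify_cookie_hardened(cookie, now=None):
    """Reject anything whose tag was not produced with the server key."""
    if len(cookie) != FIELD_LEN + TAG_LEN:
        return None
    fields, tag = cookie[:FIELD_LEN], cookie[FIELD_LEN:]
    expected = hmac.new(SERVER_MAC_KEY, fields, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                     # forged or tampered
    user_id, expiry, _nonce = struct.unpack(FIELDS, fields)
    return user_id if expiry >= _now(now) else None


def cookie_without_server_secret(user_id, now=None):
    """Same fields and the right length, but a tag made without SERVER_MAC_KEY."""
    fields = struct.pack(FIELDS, user_id, _now(now) + 3600, 0)
    return fields + hashlib.sha256(fields).digest()


if __name__ == "__main__":
    t = 1_700_000_000  # fixed clock so the run is reproducible
    print("vulnerable verifier accepts public-key-only cookie for user:",
          verify_cookie_vulnerable(cookie_made_with_public_key_only(7, now=t), now=t))
    print("hardened verifier result for cookie without server secret:",
          verify_cookie_hardened(cookie_without_server_secret(7, now=t), now=t))
```

The point the sketch makes is that encryption with a public key proves nothing about who produced the ciphertext; acceptance has to depend on a MAC or signature keyed with material the client cannot obtain. Encryption can still be layered on top of the hardened cookie for confidentiality, and the mitigation of a certificate used exclusively for the override feature addresses the same weakness from the other side, by no longer handing out the relevant public key over the portal's HTTPS service.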

The attacks

Rapid7’s analysts observed an initial wave of exploitation on May 17, 2026, then a second one on May 21.

“Due to the consistent [spoofed] MAC address [observed in both waves], Rapid7 believes both waves of exploitation are likely from the same threat actor (TA),” the company noted.

The researchers released indicators of compromise and a proof-of-concept script defenders can use to check whether an appliance is vulnerable to CVE-2026-0257.

Palo Alto customers who have not yet upgraded to a fixed version should do so immediately. Alternatively, to mitigate the risk of compromise, they should disable the authentication override feature or generate a new certificate that will be used for it exclusively.

CISA has added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog and has ordered US federal civilian agencies to address it on their systems by today (June 1, 2026).
