Palo Alto Networks has warned that a recently patched authentication bypass in PAN-OS GlobalProtect, tracked as CVE-2026-0257, is now being actively exploited in the wild. The vulnerability allows attackers to bypass authentication controls and establish unauthorized VPN connections when devices are configured with specific authentication override cookie and certificate settings. Organizations running GlobalProtect should treat this as urgent: apply vendor patches, review configurations, and hunt for signs of exploitation immediately.
What the vulnerability is and why it matters
CVE-2026-0257 is an authentication bypass in the GlobalProtect portal and gateway of PAN-OS that can let an attacker establish an unauthorized VPN connection. The flaw was initially rated Medium because exploitation depends on specific configurations (authentication override cookies enabled and particular certificate usage); the advisory was updated to High after evidence of active exploitation surfaced. An attacker who successfully abuses this flaw can gain an entry point into an internal network, which elevates the overall risk beyond a simple device compromise.
How attackers are exploiting the flaw
Security researchers at Rapid7 observed attackers using forged authentication override cookies targeting local administrator accounts to authenticate to GlobalProtect gateways. Rapid7 developed a proof-of-concept showing that an attacker can:
- Retrieve public certificates exposed by a GlobalProtect portal or gateway,
- Use those certificates to generate a forged authentication override cookie for an arbitrary user, and
- Authenticate without needing valid credentials.
In practice, Rapid7 reported mixed success: some incidents allowed attackers to connect via VPN and reach internal networks, while in many cases the appliance accepted the forged cookie but a full VPN session could not be established. Nonetheless, the ability to authenticate at all is sufficient to warrant immediate defensive action.
Observed attack timeline and infrastructure
Rapid7’s telemetry identified exploitation beginning on or around May 17–18, 2026. The earliest observed exploitation originated from infrastructure hosted by Vultr, with a second wave on May 21 from infrastructure tied to Dromatics Systems. By May 29, 2026, the vulnerability had been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, underscoring its real-world abuse.
Immediate mitigations and recommended actions
- Patch immediately: Install the latest PAN-OS updates provided by Palo Alto Networks to remediate CVE-2026-0257.
- Disable authentication override: If possible, turn off GlobalProtect’s authentication override feature until you can confirm a safe configuration or apply the patch.
- Use a dedicated certificate: Move authentication override to a unique certificate dedicated only to that feature and avoid sharing that certificate with other services on the device.
- Inventory and isolate: Identify all GlobalProtect portals and gateways in your environment, prioritize unpatched or misconfigured devices, and isolate high-risk appliances where practical.
- Monitor and hunt: Review VPN logs and authentication events for unexpected override-cookie authentications, especially attempts targeting local administrative accounts. Look for anomalous source IPs, unusual session establishment behavior, or connections from the infrastructure types Rapid7 reported.
- Rotate credentials and certificates where practical: After investigation and remediation, rotate any certificates or admin credentials that could have been involved in exploited sessions.
Detection considerations and what to look for
Because some exploit attempts accepted forged cookies but did not result in full VPN sessions, defenders should not assume failed session establishment means no compromise attempt occurred. Look for:
- Authentication events that reference override cookies or unexpected authentication methods,
- Connections originating from the IP ranges or hosting providers reported in telemetry,
- Any signs of post-authentication activity or attempts to pivot from the VPN gateway to internal resources.
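The three indicators above can be turned into a simple triage pass over an authentication log export. The following is an added example written for this article, not code from Palo Alto Networks or Rapid7; the key=value line format, the sample log lines, the local-admin account names and the expected source network are all constructed for the demonstration (PAN-OS's real log schema is different, so map your own export's fields onto the same names before running the checks). It flags override-cookie authentications for local administrator accounts, override-cookie authentications from outside the expected source ranges, and the "cookie accepted but no session established" pattern the telemetry described.

```python
"""Triage a GlobalProtect-style authentication log extract for CVE-2026-0257 indicators.

Constructed example: the key=value line shape below is invented for this
demonstration and is not the real PAN-OS log format. Map your own export
onto these fields (ts, event, user, src, method, result) before use.
"""
import ipaddress
import re

# Assumed (constructed): local administrator accounts defined on the appliance.
LOCAL_ADMIN_ACCOUNTS = {"admin", "paloalto-admin"}

# Assumed (constructed): networks from which legitimate VPN users are expected.
EXPECTED_SOURCE_NETS = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed sample log lines (format invented for this example):
# ts=<time> event=<auth|session> user=<name> src=<ip> [method=<...>] result=<...>
SAMPLE_LOG = """\
ts=2026-05-17T02:14:03Z event=auth user=jdoe src=203.0.113.45 method=ldap result=success
ts=2026-05-17T02:14:05Z event=session user=jdoe src=203.0.113.45 result=established
ts=2026-05-17T03:02:11Z event=auth user=admin src=198.51.100.7 method=auth-override-cookie result=success
ts=2026-05-17T03:02:12Z event=session user=admin src=198.51.100.7 result=failed
ts=2026-05-18T09:41:55Z event=auth user=svc-backup src=192.0.2.200 method=auth-override-cookie result=success
ts=2026-05-18T09:41:57Z event=session user=svc-backup src=192.0.2.200 result=established
ts=2026-05-18T10:00:00Z event=auth user=asmith src=203.0.113.90 method=auth-override-cookie result=success
ts=2026-05-18T10:00:02Z event=session user=asmith src=203.0.113.90 result=established
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value line (constructed format) into a dict."""
    return dict(KV_RE.findall(line))


def in_expected_nets(src):
    """True if src parses as an IP inside one of the expected user networks."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(ip in net for net in EXPECTED_SOURCE_NETS)


def find_suspicious(log_text):
    """Return (timestamp, user, src, reason) tuples for events worth a closer look.

    Rules, taken from the detection guidance above:
      1. override-cookie authentication for a local administrator account
      2. override-cookie authentication from an unexpected source network
      3. override-cookie authentication accepted with no VPN session established
         (an accepted cookie is still an attempt even when the session fails)
    """
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]

    # Index session outcomes by (user, src) so rule 3 can pair auth with session.
    session_result = {}
    for e in events:
        if e.get("event") == "session":
            session_result[(e.get("user"), e.get("src"))] = e.get("result")

    findings = []
    for e in events:
        if e.get("event") != "auth" or e.get("method") != "auth-override-cookie":
            continue
        if e.get("result") != "success":
            continue  # rejected cookies are noise for these three rules
        ts, user, src = e["ts"], e["user"], e["src"]
        if user in LOCAL_ADMIN_ACCOUNTS:
            findings.append((ts, user, src, "override cookie used for local admin account"))
        if not in_expected_nets(src):
            findings.append((ts, user, src, "override cookie auth from unexpected source network"))
        if session_result.get((user, src)) != "established":
            findings.append((ts, user, src, "override cookie accepted but no VPN session established"))
    return findings


if __name__ == "__main__":
    for ts, user, src, reason in find_suspicious(SAMPLE_LOG):
        print(f"{ts} user={user} src={src}: {reason}")
```

Against the constructed sample, the admin login from 198.51.100.7 trips all three rules, the svc-backup login trips only the source-network rule, and asmith's override-cookie login from the expected range with an established session is not flagged. Tune the expected networks and the local-admin set to your environment; a legitimate override-cookie login that trips only rule 2 is often a remote worker on a new network, whereas any hit on rule 1 deserves immediate investigation.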
Longer-term hardening
Beyond immediate fixes, treat this incident as a reminder to harden VPN infrastructure: reduce reliance on single authentication mechanisms that can be forged, apply strong certificate hygiene (unique certificates per function), enforce least privilege for administrative accounts, and maintain timely patching and configuration audits for edge devices.
Conclusion
CVE-2026-0257 demonstrates how a configuration-dependent flaw can quickly escalate when proof-of-concept techniques are weaponized and used in the wild. Organizations running GlobalProtect should act now: install Palo Alto’s patches, disable or reconfigure authentication override functionality, hunt for suspicious authentication activity, and prioritize any unpatched appliances for remediation. Rapid detection and containment will limit the chance that an exploit becomes a foothold for deeper intrusions.