Palo Alto Networks has alerted customers about the ongoing exploitation of the authentication bypass vulnerability in PAN-OS GlobalProtect.
The vulnerability, tracked as CVE-2026-0257, lets unauthenticated actors bypass security measures and set up unsanctioned connections to vulnerable GlobalProtect portals and gateways. A high CVSS score of 7.8 was assigned for this vulnerability.
This issue was first disclosed by the company on 13 May, when it said it had seen limited exploitation attempts against unpatched devices.
The impacted environments involve PAN-OS and Prisma Access with specific GlobalProtect authentication override settings configured. Both Panorama and Cloud NGFW products are not impacted.
Security researchers have already confirmed that the attackers are exploiting the vulnerability. As per the details provided by Rapid7, the attacks involved the usage of fake authentication cookies to gain unauthorized access to the target’s VPNs. Evidence of exploitation dates back to at least 17 May.
The Palo Alto advisory was revised on 29 May, with reports confirming that the vulnerability had been added to government vulnerability watchlists following reports of actual exploitation.
GlobalProtect users are advised to patch their systems as soon as possible with the security patches provided by Palo Alto and to investigate their VPN log files for any signs of anomalous behavior.
Researchers warned that VPN authentication vulnerabilities are attractive to bad actors because they allow them to gain direct access to corporate systems.
It’s how you handle vulnerabilities that matters
Joshua Marpet, Senior product security consultant at Finite State, said: “Palo Alto is an extremely technically sophisticated organization. Why then, have they been plagued with 0days for the last few months? AI? Laid off people looking for ways to make money by bug bounties?”
He says the important thing here is not that they have yet another bug. “They do. They will. It’s inevitable. The important thing is that they are being open, honest, and transparent. As far as I can tell, they’re telling people as fast as they find out, and patching as fast as they can write the code. That’s the attitude you need with software companies. EVERYBODY gets vulnerabilities. It’s how they handle them that matters.”
Apply the fix or disable the override feature now
Uzair Gadit, CEO of Secure.com, added: “An authentication bypass on an internet-facing VPN gateway is about as serious as it gets, because it hands attackers a trusted path straight into the network. The fact that CVE-2026-0257 moved from advisory to active exploitation so quickly tells you patching alone is not a strategy.”
Gadit advised teams to apply the fix or disable the override feature now, then go back and hunt through VPN logs for sessions that should not exist. “The organizations that come out of this clean are the ones already reviewing connection activity continuously, not the ones starting today.”
Immediately audit firewall deployments
Damon Small, Board Member, at Xcape Inc, said: “Active exploitation of CVE-2026-0257 introduces severe financial and operational risks by allowing unauthenticated attackers to breach enterprise perimeter networks and establish unauthorized VPN connections. The flaw stems from a configuration intersection where the PAN-OS GlobalProtect portal or gateway reuses its primary service certificate for encrypting and decrypting authentication override cookies.”
Small added that because the associated public key is exposed on the open Internet, threat actors can generate arbitrary cookies to bypass access controls completely. “Security leaders must immediately audit firewall deployments for active authentication override configurations. To mitigate the immediate threat without disrupting remote operations, defenders should isolate these override functions to a dedicated certificate or disable the feature entirely until a formal firmware patch is applied.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.