Palo Alto Networks GlobalProtect VPN auth bypass flaw exploited in the wild
At a glance:
- CVE‑2026‑0257 in Palo Alto Networks GlobalProtect is now being actively exploited, raising its severity to High.
- Attacks originated from infrastructure hosted by Vultr (May 18) and Dromatics Systems (May 21).
- The vulnerability was added to the CISA Known Exploited Vulnerabilities catalog, with a federal mitigation deadline of June 1, 2026.
What happened
Palo Alto Networks disclosed an authentication‑override bypass in its PAN‑OS GlobalProtect VPN, tracked as CVE‑2026‑0257. The flaw allows an attacker to present a forged authentication‑override cookie; if the device is configured to reuse the same certificate for HTTPS and cookie decryption, the appliance accepts the cookie without verifying a signature. Palo Alto initially rated the issue as Medium because exploitation required a specific configuration: authentication‑override cookies enabled and a shared certificate.
On 29 May 2026 the vendor updated the advisory, stating that the flaw was being actively exploited in the wild and bumping the severity to High. The update followed a Rapid7 report that the first exploitation attempts were seen on 17 May 2026. Rapid7’s Managed Detection and Response (MDR) team observed successful exploitation across multiple customers, though they did not see evidence of lateral movement beyond the VPN gateway.
How the flaw works
GlobalProtect decrypts authentication‑override cookies with a private key that is configured on the device. The decrypted payload is then trusted without any signature check. When the same X.509 certificate is used for both the portal’s HTTPS service and the cookie‑validation process, an attacker can retrieve the public key from the HTTPS handshake, craft a forged cookie signed with the corresponding private key, and present it to the gateway. The device treats the forged cookie as legitimate and establishes a VPN session for the attacker, potentially granting access to internal networks.
Rapid7 built a proof‑of‑concept exploit that automates the steps: retrieve the public certificate from the GlobalProtect portal or gateway, generate a forged authentication‑override cookie for an arbitrary user, and submit it to the VPN endpoint. Using this PoC, the researchers successfully authenticated to an unpatched GlobalProtect gateway, confirming the practicality of the attack chain.
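To make the design error concrete, here is an added example in Go. It is not Palo Alto Networks' or Rapid7's code and does not use the GlobalProtect cookie format, which this page does not describe; the cookie layout, the OAEP label and every function name are assumptions made for the example. It places a decrypt-only cookie check (the pattern the advisory describes: decryption succeeds, so the payload is trusted) beside a variant that authenticates the cookie with a secret dedicated to the feature, and shows that a cookie built from the public key alone passes the first check and fails the second.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// cookiePayload is a constructed stand-in for an authentication-override cookie
// body; the real GlobalProtect cookie format is not given on this page.
type cookiePayload struct {
	User string `json:"user"`
}

// mintEncryptOnly builds a cookie the way the flawed design implies: the payload
// is encrypted to the appliance's public key and nothing more. Anyone holding
// that public key, which every TLS handshake hands out, can do this.
func mintEncryptOnly(pub *rsa.PublicKey, p cookiePayload) ([]byte, error) {
	plain, err := json.Marshal(p)
	if err != nil { return nil, err }
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, []byte("auth-override"))
}

// acceptEncryptOnly mirrors the vulnerable check: decrypt with the private key and
// trust whatever comes out. A successful decryption proves only that the cookie
// was encrypted to our public key, not that this appliance issued it.
func acceptEncryptOnly(priv *rsa.PrivateKey, cookie []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, cookie, []byte("auth-override"))
	if err != nil { return "", err }
	var p cookiePayload
	if err := json.Unmarshal(plain, &p); err != nil { return "", err }
	return p.User, nil
}

// mintAuthenticated is the hardened variant: encrypt-then-MAC under a key that
// exists only for this feature and is never shared with the TLS certificate.
func mintAuthenticated(pub *rsa.PublicKey, macKey []byte, p cookiePayload) ([]byte, error) {
	ct, err := mintEncryptOnly(pub, p)
	if err != nil { return nil, err }
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)...), nil
}

// acceptAuthenticated checks the tag in constant time before decrypting, so a
// cookie built from public material alone is refused before its payload is read.
func acceptAuthenticated(priv *rsa.PrivateKey, macKey, cookie []byte) (string, error) {
	if len(cookie) < sha256.Size { return "", errors.New("cookie too short") }
	ct, tag := cookie[:len(cookie)-sha256.Size], cookie[len(cookie)-sha256.Size:]
	mac := hmac.New(sha256.New, macKey)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) { return "", errors.New("cookie was not issued by this appliance") }
	return acceptEncryptOnly(priv, ct)
}

// scenarioResult records how each check treats a cookie built from the public key alone.
type scenarioResult struct {
	WeakAcceptedUser string // user the decrypt-only check granted
	HardenedRejected bool   // whether the MAC-protected check refused the same cookie
	GenuineUser      string // user the hardened check granted to a properly issued cookie
}

func runScenario() (scenarioResult, error) {
	var r scenarioResult
	tlsKey, err := rsa.GenerateKey(rand.Reader, 2048) // plays the shared TLS/cookie key
	if err != nil { return r, err }
	p := cookiePayload{User: "alice"}

	// Only the public half is used here, which is all a TLS client ever sees.
	fromPublic, err := mintEncryptOnly(&tlsKey.PublicKey, p)
	if err != nil { return r, err }
	r.WeakAcceptedUser, err = acceptEncryptOnly(tlsKey, fromPublic)
	if err != nil { return r, err }

	macKey := make([]byte, 32) // dedicated secret generated on the appliance
	if _, err := rand.Read(macKey); err != nil { return r, err }
	// The same public-key-only cookie carrying a tag under a guessed (all-zero) key.
	withWrongTag, err := mintAuthenticated(&tlsKey.PublicKey, make([]byte, 32), p)
	if err != nil { return r, err }
	_, rejectErr := acceptAuthenticated(tlsKey, macKey, withWrongTag)
	r.HardenedRejected = rejectErr != nil

	genuine, err := mintAuthenticated(&tlsKey.PublicKey, macKey, p)
	if err != nil { return r, err }
	r.GenuineUser, err = acceptAuthenticated(tlsKey, macKey, genuine)
	return r, err
}

func main() {
	r, err := runScenario()
	if err != nil { panic(err) }
	fmt.Printf("decrypt-only check granted %q; hardened check rejected it: %v; hardened check granted genuine cookie to %q\n",
		r.WeakAcceptedUser, r.HardenedRejected, r.GenuineUser)
}
```

The lesson is the one the advisory's mitigation encodes: confidentiality of the cookie is not proof of origin, so the verifier needs key material that the TLS endpoint never exposes. Using a secret that exists only for this feature is the same idea as provisioning a dedicated certificate, and it also means a compromise of the TLS key alone does not yield VPN sessions.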
Exploitation timeline
- May 17 2026 – Rapid7 first observes exploitation attempts against customers.
- May 18 2026 – The initial wave of attacks is traced to infrastructure hosted by Vultr.
- May 21 2026 – A second wave originates from Dromatics Systems.
- May 29 2026 – Palo Alto updates its advisory to note active exploitation and raises severity to High.
- June 1 2026 – CISA adds CVE‑2026‑0257 to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to remediate.
Mitigation and response
Palo Alto Networks released patches for PAN‑OS earlier in May 2026. Administrators should apply the latest security updates immediately. As a defense‑in‑depth measure, the authentication‑override feature can be disabled entirely, or a dedicated certificate can be provisioned for this feature that is not reused for any other service on the appliance. Organizations should also audit their GlobalProtect configurations to ensure that authentication‑override cookies are not enabled on devices that do not need them.
Rapid7 advises customers to verify that the vulnerable configuration is no longer present, monitor VPN logs for anomalous cookie‑based authentication attempts, and employ network‑level segmentation to limit the impact of a compromised VPN gateway.
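As an added example of the log monitoring described above, and not code from Rapid7 or Palo Alto Networks, the following Go program scans constructed login records in an assumed simplified key=value layout (the real PAN-OS GlobalProtect log schema is not given on this page) and flags cookie-based logins that have no issuing credential login in the window, that arrive from a different source than that credential login, or that fan out to many distinct users from one source. The field names, the method values and the threshold are assumptions made for the example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// sampleLog is constructed for this example. Its key=value layout (src, user,
// method, result) is an assumed simplification, not the PAN-OS log schema, and
// the addresses are from the RFC 5737 documentation ranges.
var sampleLog = []string{
	"2026-05-17T08:01:10Z src=198.51.100.23 user=alice method=credential result=success",
	"2026-05-17T08:40:02Z src=198.51.100.23 user=alice method=auth-override result=success",
	"2026-05-17T09:15:33Z src=203.0.113.7 user=bob method=auth-override result=success",
	"2026-05-17T09:15:41Z src=203.0.113.7 user=carol method=auth-override result=success",
	"2026-05-17T09:15:52Z src=203.0.113.7 user=dave method=auth-override result=success",
	"2026-05-17T09:20:00Z src=203.0.113.7 user=mallory method=auth-override result=failure",
	"2026-05-17T09:30:00Z src=192.0.2.55 user=erin method=auth-override result=success",
	"2026-05-17T10:00:00Z src=203.0.113.9 user=alice method=auth-override result=success",
}

type event struct {
	When   time.Time
	Src    string
	User   string
	Method string // "credential" or "auth-override" in the assumed format
	OK     bool
}

// Finding is one alert; Kind is "no-issuing-login", "source-mismatch" or "fanout".
type Finding struct {
	Kind    string
	Subject string // the user or source the finding is about
	Detail  string
}

func parseLine(line string) (event, error) {
	fields := strings.Fields(line)
	if len(fields) < 5 { return event{}, fmt.Errorf("malformed line: %q", line) }
	when, err := time.Parse(time.RFC3339, fields[0])
	if err != nil { return event{}, err }
	ev := event{When: when}
	for _, kv := range fields[1:] {
		k, v, _ := strings.Cut(kv, "=")
		switch k {
		case "src": ev.Src = v
		case "user": ev.User = v
		case "method": ev.Method = v
		case "result": ev.OK = v == "success"
		}
	}
	return ev, nil
}

// analyze applies three heuristics to successful logins, in time order:
//  1. a cookie login for a user with no earlier credential login in the window
//     (a cookie should exist only because a credential login issued it);
//  2. a cookie login from a source that never performed that user's credential login;
//  3. one source authenticating fanoutThreshold or more distinct users by cookie.
func analyze(lines []string, fanoutThreshold int) ([]Finding, error) {
	events := make([]event, 0, len(lines))
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil { return nil, err }
		if ev.OK { events = append(events, ev) }
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })

	credSources := map[string]map[string]bool{} // user -> sources of credential logins
	cookieUsers := map[string]map[string]bool{} // source -> users logged in by cookie
	var findings []Finding
	for _, ev := range events {
		switch ev.Method {
		case "credential":
			if credSources[ev.User] == nil { credSources[ev.User] = map[string]bool{} }
			credSources[ev.User][ev.Src] = true
		case "auth-override":
			if cookieUsers[ev.Src] == nil { cookieUsers[ev.Src] = map[string]bool{} }
			cookieUsers[ev.Src][ev.User] = true
			at := ev.When.Format(time.RFC3339)
			if len(credSources[ev.User]) == 0 {
				findings = append(findings, Finding{"no-issuing-login", ev.User,
					fmt.Sprintf("cookie login from %s at %s with no earlier credential login", ev.Src, at)})
			} else if !credSources[ev.User][ev.Src] {
				findings = append(findings, Finding{"source-mismatch", ev.User,
					fmt.Sprintf("cookie login from %s at %s; credentials were presented elsewhere", ev.Src, at)})
			}
		}
	}
	var fanout []Finding
	for src, users := range cookieUsers {
		if len(users) >= fanoutThreshold {
			fanout = append(fanout, Finding{"fanout", src,
				fmt.Sprintf("%d distinct users authenticated by cookie from one source", len(users))})
		}
	}
	sort.Slice(fanout, func(i, j int) bool { return fanout[i].Subject < fanout[j].Subject })
	return append(findings, fanout...), nil
}

func main() {
	findings, err := analyze(sampleLog, 3)
	if err != nil { panic(err) }
	for _, f := range findings {
		fmt.Printf("%-17s %-14s %s\n", f.Kind, f.Subject, f.Detail)
	}
}
```

On the constructed input the program reports bob, carol, dave and erin for cookie logins with no issuing credential login, alice for a cookie login from a source other than the one that presented her credentials, and 203.0.113.7 for fanning out to three users. The fan-out and no-issuing-login signals are the strong ones for a forged-cookie scenario, since a forger can name any user; source mismatch fires on legitimately roaming clients as well, so treat it as corroborating rather than conclusive, and size the look-back window to at least the cookie lifetime configured on the portal.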
Implications for the broader security landscape
The GlobalProtect bypass underscores a recurring theme in modern VPN implementations: the reuse of cryptographic material across disparate functions can create unintended trust paths. As enterprises adopt zero‑trust architectures, the reliance on VPNs for remote access remains high, making such flaws attractive targets. The rapid public‑private coordination—Palo Alto’s patch, Rapid7’s detection, and CISA’s KEV listing—demonstrates an effective response pipeline, but also highlights the need for continuous configuration hygiene and timely patching.
For organizations that have not yet migrated to a zero‑trust network access (ZTNA) model, the incident serves as a reminder to evaluate whether legacy VPN solutions are still appropriate or if a more granular, identity‑centric approach would reduce the attack surface.
Bottom line: CVE‑2026‑0257 is a high‑severity, actively exploited vulnerability that can grant attackers VPN access to internal networks. Prompt patching, configuration hardening, and vigilant monitoring are essential to prevent compromise.
Prepared by the editorial stack from public data and external sources.