Palo Alto Networks has issued a warning regarding active exploitation of CVE-2026-0257, a vulnerability in PAN-OS that allows unauthorized users to bypass authentication and establish VPN connections. The flaw affects GlobalProtect portals and gateways but does not impact Panorama or Cloud NGFW deployments. Rapid7 confirmed exploitation across multiple customer environments soon after the vulnerability was disclosed.
Attackers can forge cookies using a misconfiguration in the authentication process, gaining access without credentials. Exploitation was observed in two waves originating from specific infrastructure. Palo Alto Networks and Rapid7 recommend patching affected systems or implementing configuration changes to mitigate the risk. Organizations are advised to scrutinize logins for certain IP addresses and hostnames associated with the exploitation.