Rapid7 identified attempts to exploit CVE-2026-0257, a vulnerability in PAN-OS GlobalProtect. This medium-severity authentication bypass allows unauthenticated remote attackers to establish VPN connections under certain conditions. Despite its CVSSv4 score, Rapid7 considers it critical because of the potential organizational impact. Evidence of exploitation was first observed on May 17, 2026, with suspicious behaviors linked to specific MAC addresses and hosting providers.
The vulnerability stems from a misconfiguration in which the same certificate is used for authentication cookies and HTTPS services. Organizations are urged to patch affected products immediately. A publicly available proof-of-concept script tests for the vulnerability by forging cookies, highlighting the risk for users with shared certificates. The affected products include various versions of PAN-OS, and the recommended mitigations involve certificate management and feature adjustments.