
ATTACKERS are actively exploiting a newly disclosed flaw in Palo Alto Networks PAN-OS to bypass GlobalProtect VPN authentication, allowing unauthenticated VPN access. The vulnerability tracked as CVE-2026-0257 was added to CISA's Known Exploited Vulnerabilities catalogue after reports of live attacks, as detailed in a Unit 42 analysis highlighting the active abuse. The flaw permits an attacker to establish a VPN session without supplying valid credentials, effectively granting network privileges.
CVE-2026-0257 carries a CVSS score of 7.8 and affects PAN-OS releases that predate the patch issued on 13 May 2026. The issue arises from the way authentication override cookies are handled when combined with specific certificate settings, allowing a malicious cookie to be accepted as valid. Security researchers noted that this manipulation lets an attacker spoof an authorised session, as explained in a DarkReading overview of the vulnerability.
Unit 42 reported that the first exploitation attempts were spotted just four days after the advisory became public, with Rapid7 later confirming at least two distinct waves of activity. A proof‑of‑concept script released by Rapid7 helped organisations detect the malicious cookie patterns in traffic. In its coverage, SecurityWeek noted that exploit attempts were observed as early as 17 May, only days after the patch was made available.
On 27 May 2026 the U.S. CISA placed CVE-2026-0257 in its Known Exploited Vulnerabilities catalogue, requiring federal agencies to remediate by 1 June 2026. The advisory emphasised that the flaw enables unauthenticated VPN access to the GlobalProtect portal and gateway. Although no particular threat actor has been attributed to the campaign, analysts have described the activity as opportunistic and noted its presence across various industries, as outlined in a SecurityAffairs piece detailing the CISA addition.
Network owners should apply the latest PAN-OS update that fixes the authentication bypass as a matter of priority. Administrators are also urged to inspect GlobalProtect logs for unexpected IP addresses or anomalous device hostnames that could indicate abuse. Disabling any authentication override mechanisms and rotating the certificates used for VPN validation are additional precautions recommended by Palo Alto Networks, a point echoed in an InfoSecurity Magazine article on the flaw.
Continuous surveillance for signs of post‑exploitation behaviour is essential, and any suspicious VPN connections should be quarantined and investigated following established incident response playbooks. The official Palo Alto Networks security advisory provides specific indicators of compromise and guidance on verifying patch levels. Maintaining an up‑to‑date asset inventory and ensuring timely application of security updates remain the baseline defences against this actively exploited issue.
Organisations should also consider restricting GlobalProtect access to known trusted networks and enforcing multi‑factor authentication where feasible to reduce the impact of similar flaws. Regularly testing VPN configurations against known attack patterns can help detect misconfigurations before they are exploited. Staying informed through vendor security feeds and industry bulletins ensures that emerging threats are addressed promptly.
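The log review recommended above (unexpected source IPs, anomalous device hostnames) and the trusted-network restriction can be turned into a simple triage pass. The script below is an added example, not code from the article, Palo Alto Networks, Rapid7 or Unit 42. It assumes successful GlobalProtect authentication events have been exported into a simplified `key=value` line format (constructed here; the real PAN-OS log schema differs, so map your own fields to `user`, `src`, `hostname` and `status`), and that the trusted CIDR ranges and the `LAP-NNNN` hostname convention are placeholders for your own environment.

```python
import ipaddress
import re
from dataclasses import dataclass

# Trusted source ranges (constructed placeholders; substitute your own networks).
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Assumed corporate device naming convention, e.g. "LAP-0042"; adjust to your fleet.
HOSTNAME_PATTERN = re.compile(r"^LAP-\d{4}$")

# Constructed sample events in a simplified key=value shape (NOT the real PAN-OS format).
SAMPLE_LOG = """\
time=2026-05-18T02:11:09Z user=alice src=10.1.2.3 hostname=LAP-0042 event=portal-auth status=success
time=2026-05-18T02:13:44Z user=bob src=198.51.100.77 hostname=LAP-0107 event=gateway-auth status=success
time=2026-05-18T02:14:02Z user=alice src=10.1.2.3 hostname=DESKTOP-ZX9 event=gateway-auth status=success
time=2026-05-18T02:15:30Z user=carol src=192.0.2.9 hostname=kali event=gateway-auth status=success
time=2026-05-18T02:16:01Z user=dave src=10.2.0.8 hostname=LAP-0200 event=gateway-auth status=failure
"""


@dataclass
class Finding:
    line_no: int
    user: str
    src: str
    hostname: str
    reasons: tuple


def parse_line(line):
    """Split one 'k=v k=v ...' line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_trusted(src):
    """True when the source address falls inside a trusted network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(log_text):
    """Flag successful sessions from untrusted sources or oddly named devices.

    Only status=success events are examined: a bypassed authentication still
    produces an established session, which is what the review is looking for.
    """
    findings = []
    for line_no, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("status") != "success":
            continue
        reasons = []
        if not is_trusted(rec["src"]):
            reasons.append("source outside trusted networks")
        if not HOSTNAME_PATTERN.match(rec["hostname"]):
            reasons.append("hostname outside naming convention")
        if reasons:
            findings.append(
                Finding(line_no, rec["user"], rec["src"], rec["hostname"], tuple(reasons))
            )
    return findings


def users_with_multiple_hosts(log_text):
    """Users whose successful sessions came from more than one device name.

    A single account appearing on an unfamiliar second device is a common
    sign that something other than the user's own client opened the session.
    """
    hosts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec.get("status") == "success":
            hosts.setdefault(rec["user"], set()).add(rec["hostname"])
    return {user: sorted(h) for user, h in hosts.items() if len(h) > 1}


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user} from {f.src} ({f.hostname}): {', '.join(f.reasons)}")
    for user, names in users_with_multiple_hosts(SAMPLE_LOG).items():
        print(f"{user} seen on multiple devices: {names}")
```

Sessions that fail these checks are candidates for the quarantine-and-investigate step described earlier, not proof of compromise on their own; a contractor on a home connection will also trip the trusted-network test, so the allow-list should reflect real access policy before the output is acted on.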