- What: CVE-2026-0257 is an authentication bypass in Palo Alto Networks PAN-OS GlobalProtect portal/gateway — actively exploited since May 17, 2026, just four days after disclosure.
- Impact: Attackers forge auth-override cookies to establish unauthorized VPN connections and gain direct access to internal networks without valid credentials; two exploitation waves confirmed by Rapid7 across multiple customers.
- Fix / mitigation: Apply Palo Alto Networks patches immediately; if patching is not possible within 24-48 hours, disable the authentication override feature or generate a new certificate exclusively for auth override to eliminate the exploitable condition.
- Who's at risk: Any PAN-OS firewall running GlobalProtect portal or gateway with authentication override cookies enabled AND the specific vulnerable certificate configuration — devices without auth override cookies are not vulnerable.
Immediate Impact
CVE-2026-0257 is being actively exploited in production environments. Palo Alto Networks confirmed on May 29, 2026 that attackers are targeting unpatched PAN-OS devices, while Rapid7 has identified successful compromises across multiple customer networks. The vulnerability affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled alongside a specific certificate configuration. Attackers can bypass authentication controls entirely and establish unauthorized VPN connections to internal networks.
The U.S. Cybersecurity and Infrastructure Security Agency added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog, mandating Federal Civilian Executive Branch agencies remediate by June 1, 2026. This classification underscores the severity of active exploitation despite the vulnerability's medium CVSS rating of 7.8.
Attack Timeline and Threat Actor Activity
Rapid7's telemetry reveals exploitation began May 17, 2026—just four days after Palo Alto Networks published its initial advisory on May 13. A second wave of attacks occurred May 21, with both campaigns attributed to the same threat actor based on tactical similarities. The compressed timeline between disclosure and exploitation demonstrates sophisticated adversary capabilities and likely indicates pre-existing knowledge or rapid reverse engineering of the vulnerability.
During the second wave, Rapid7 observed VPN IP assignment following cookie authentication in two customer cases, confirming attackers successfully gained access to internal networks. No follow-on activity was detected in environments where VPN sessions were established, suggesting either initial reconnaissance phases or detection before lateral movement could occur.
This vulnerability only affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled AND a specific certificate configuration exists. Organizations not using authentication override cookies are not vulnerable. Verify your configuration immediately.
Technical Details
The authentication bypass exists in the GlobalProtect portal and gateway components of PAN-OS software and Prisma Access. The flaw allows attackers to circumvent security restrictions without valid credentials when the vulnerable configuration is present. Authentication override cookies, designed for specific legitimate use cases, become the attack vector when combined with the vulnerable certificate setup.
Unlike many VPN vulnerabilities requiring authentication or user interaction, CVE-2026-0257 enables complete authentication bypass. This grants attackers the same network access as legitimate VPN users, including potential access to sensitive internal resources, databases, and systems not exposed to the internet. The edge-facing nature of GlobalProtect deployments makes this particularly dangerous—these devices are internet-accessible by design.
Affected Products and Versions
The vulnerability impacts PAN-OS software across multiple versions and Prisma Access deployments. Palo Alto Networks has released patches addressing CVE-2026-0257, though specific version numbers were not detailed in the public advisory. Organizations should consult Palo Alto Networks' security advisory directly for complete version information and upgrade paths specific to their deployments.
Only firewalls with both GlobalProtect portal or gateway configured AND authentication override cookies enabled alongside the specific vulnerable certificate configuration are at risk. Organizations without authentication override cookies enabled are not vulnerable regardless of PAN-OS version.
Immediate Actions Required
Apply vendor patches immediately. If patching cannot be completed within 24-48 hours, implement a temporary mitigation: disable the authentication override feature, OR generate and deploy a new certificate used exclusively for authentication override. Either mitigation eliminates the exploitable condition.
Organizations running affected PAN-OS versions with GlobalProtect must take action urgently. Rapid7 emphasizes the significant impact potential of authentication bypass in edge-facing enterprise VPN appliances. The recommended remediation sequence:
- Identify all PAN-OS devices with GlobalProtect portal or gateway configured
- Determine which devices have authentication override cookies enabled
- Apply vendor-supplied patches immediately on an emergency change basis
- If immediate patching is impossible, disable authentication override feature as temporary mitigation
- Alternative temporary mitigation: generate new certificate for exclusive use with authentication override
- Review VPN access logs from May 17 forward for suspicious authentication patterns or unexpected VPN sessions
- Investigate any anomalous internal network activity from VPN-assigned IP addresses during the exploitation window
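To carry out the first two steps of the sequence above (find every portal or gateway, and check whether authentication override cookies are enabled and which certificate they use), here is an added example that parses an exported PAN-OS XML configuration. It is not Palo Alto Networks code: the element names `authentication-override`, `generate-cookie`, `accept-cookie` and `cookie-encrypt-decrypt-cert`, and their nesting under `global-protect-portal` / `global-protect-gateway`, are assumed to match the running-config export and should be checked against your own device. The sample configuration is constructed. Because the advisory does not spell out what the vulnerable certificate condition is, the script only reports which certificate each override-enabled entry uses and where that certificate is reused, which is what an operator needs in order to judge whether the "dedicated certificate" mitigation applies.

```python
"""Audit an exported PAN-OS XML configuration for GlobalProtect portals and
gateways with authentication override cookies enabled.

Added example, not Palo Alto Networks code. Assumed element names:
authentication-override, generate-cookie, accept-cookie,
cookie-encrypt-decrypt-cert; verify them against your own config export.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample export: two portals and one gateway, trimmed to the
# elements the audit looks at (the devices/vsys wrappers are omitted).
SAMPLE_CONFIG = """<config>
 <global-protect>
  <global-protect-portal>
   <entry name="corp-portal">
    <portal-config><client-config><configs><entry name="default">
     <authentication-override>
      <generate-cookie>yes</generate-cookie>
      <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
      <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
     </authentication-override>
    </entry></configs></client-config></portal-config>
   </entry>
   <entry name="contractor-portal">
    <portal-config><client-config><configs><entry name="default">
     <authentication-override><generate-cookie>no</generate-cookie></authentication-override>
    </entry></configs></client-config></portal-config>
   </entry>
  </global-protect-portal>
  <global-protect-gateway>
   <entry name="corp-gateway">
    <client-auth><entry name="default">
     <authentication-override>
      <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
      <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
     </authentication-override>
    </entry></client-auth>
   </entry>
  </global-protect-gateway>
 </global-protect>
</config>"""


def _walk_up(parent_map, elem):
    """Yield (tag, name attribute) from elem up to the document root."""
    while elem is not None:
        yield elem.tag, elem.get("name")
        elem = parent_map.get(elem)


def audit_auth_override(xml_text):
    """One record per authentication-override block, with the portal or
    gateway it belongs to and the cookie settings it declares."""
    root = ET.fromstring(xml_text)
    parent_map = {child: parent for parent in root.iter() for child in parent}
    records = []
    for ao in root.iter("authentication-override"):
        kind = name = last_entry = None
        for tag, nm in _walk_up(parent_map, ao):
            if tag == "entry":
                last_entry = nm  # nearest enclosing <entry name=...> so far
            elif tag in ("global-protect-portal", "global-protect-gateway"):
                kind = tag.rsplit("-", 1)[1]  # "portal" or "gateway"
                name = last_entry
                break
        records.append({
            "kind": kind,
            "name": name,
            # Assumption: generate-cookie=yes or a present accept-cookie block
            # means override cookies are in use on this entry.
            "generate_cookie": ao.findtext("generate-cookie") == "yes",
            "accept_cookie": ao.find("accept-cookie") is not None,
            "cert": ao.findtext("cookie-encrypt-decrypt-cert"),
        })
    return records


def at_risk(records):
    """Entries that use override cookies: the precondition the advisory names."""
    return [r for r in records if r["generate_cookie"] or r["accept_cookie"]]


def cert_usage(records):
    """Certificate -> override-enabled entries using it. More than one user of
    a certificate means it is not dedicated to authentication override."""
    usage = defaultdict(list)
    for r in at_risk(records):
        if r["cert"]:
            usage[r["cert"]].append(f'{r["kind"]}:{r["name"]}')
    return dict(usage)


if __name__ == "__main__":
    recs = audit_auth_override(SAMPLE_CONFIG)
    for r in at_risk(recs):
        print(f'override cookies ON  {r["kind"]}:{r["name"]}  cert={r["cert"]}')
    for cert, users in cert_usage(recs).items():
        if len(users) > 1:
            print(f"certificate {cert} used by: {', '.join(users)}")
```

Run it against the XML you export from each firewall (or from Panorama) and feed the list of override-enabled entries into your emergency change; entries that report no override cookies at all are outside the advisory's affected condition and can be deprioritised.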
Detection and Forensics
Organizations should immediately review GlobalProtect authentication logs for anomalies dating back to May 17, 2026. Indicators of compromise include VPN sessions established without corresponding authentication events, authentication override cookie usage from unexpected sources, or VPN IP assignments to unknown endpoints. Successful exploitation may appear as legitimate VPN traffic, making detection challenging without baseline understanding of normal patterns.
Focus forensic efforts on VPN-assigned IP addresses in internal network logs. Look for reconnaissance activity, lateral movement attempts, or data exfiltration originating from VPN segments. The absence of follow-on activity in Rapid7's observations suggests attackers may be establishing persistent access or conducting low-and-slow reconnaissance to avoid detection. Assume compromise if you identify unexplained VPN sessions during the exploitation window.
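The two indicators named above (a cookie-based VPN login with no corresponding credential authentication behind it, and cookie use from a source not normally seen for that user) can be checked mechanically. The following added example, which is not PAN-OS or Rapid7 code, correlates a constructed, simplified key=value log stream: the event names and field layout are assumptions for illustration, not the real GlobalProtect log schema, so `parse_line()` would need adapting to a genuine export. The baseline of expected source IPs is also constructed. Private IPs assigned to flagged users are collected so the internal-network log review can pivot on them.

```python
"""Correlate GlobalProtect-style log events to surface VPN sessions that were
set up with an authentication-override cookie but have no recent credential
login behind them, or that arrive from a source not seen for that user.

Added example, not PAN-OS or Rapid7 code. The log format is a constructed,
simplified key=value layout, not the real GlobalProtect log schema.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample events. Legitimate flow: a credential login at the portal
# (portal-auth, method=ldap) followed by a cookie login at the gateway.
SAMPLE_LOG = """\
2026-05-16T08:02:11Z portal-auth user=alice public_ip=203.0.113.10 method=ldap result=success
2026-05-16T08:02:14Z gateway-auth user=alice public_ip=203.0.113.10 method=cookie result=success
2026-05-16T08:02:15Z gateway-connected user=alice public_ip=203.0.113.10 private_ip=10.20.0.5
2026-05-18T03:41:02Z gateway-auth user=bob public_ip=198.51.100.77 method=cookie result=success
2026-05-18T03:41:03Z gateway-connected user=bob public_ip=198.51.100.77 private_ip=10.20.0.9
2026-05-21T22:10:40Z portal-auth user=carol public_ip=203.0.113.22 method=ldap result=success
2026-05-21T22:10:44Z gateway-auth user=carol public_ip=203.0.113.22 method=cookie result=success
2026-05-21T22:10:45Z gateway-connected user=carol public_ip=203.0.113.22 private_ip=10.20.0.12
"""

# Constructed baseline: public IPs each user normally connects from.
BASELINE = {"alice": {"203.0.113.10"}, "bob": {"203.0.113.15"}, "carol": {"203.0.113.22"}}

# Start of the exploitation window reported in the article.
WINDOW_START = datetime(2026, 5, 17, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s*(.*)$")


def parse_line(line):
    """Parse '<ts> <event> k=v k=v ...' into a dict; None for unparseable lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    fields["event"] = event
    return fields


def find_suspicious(lines, baseline, window_start=WINDOW_START, cookie_lifetime_hours=24):
    """Return {'findings': [(ts, user, reason)], 'pivot_ips': {private IPs}}.

    A cookie gateway login inside the window is flagged when the user has no
    successful credential login within the cookie lifetime, or when it comes
    from a public IP outside that user's baseline. VPN-assigned private IPs of
    flagged users are collected for the follow-on internal log review.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    last_cred_login, flagged_users = {}, set()
    findings, pivot_ips = [], set()
    for e in events:
        user = e.get("user")
        # Credential logins are tracked even before the window so that a
        # cookie issued just before May 17 is still explainable.
        if e["event"] == "portal-auth" and e.get("result") == "success" and e.get("method") != "cookie":
            last_cred_login[user] = e["ts"]
        if e["ts"] < window_start:
            continue
        if e["event"] == "gateway-auth" and e.get("method") == "cookie" and e.get("result") == "success":
            last = last_cred_login.get(user)
            if last is None or e["ts"] - last > timedelta(hours=cookie_lifetime_hours):
                findings.append((e["ts"], user, "cookie-auth-without-recent-credential-login"))
                flagged_users.add(user)
            if e.get("public_ip") not in baseline.get(user, set()):
                findings.append((e["ts"], user, "cookie-auth-from-unexpected-source"))
                flagged_users.add(user)
        elif e["event"] == "gateway-connected" and user in flagged_users and e.get("private_ip"):
            pivot_ips.add(e["private_ip"])
    return {"findings": findings, "pivot_ips": pivot_ips}


if __name__ == "__main__":
    result = find_suspicious(SAMPLE_LOG.splitlines(), BASELINE)
    for ts, user, reason in result["findings"]:
        print(f"{ts.isoformat()} {user}: {reason}")
    print("internal IPs to pivot on:", sorted(result["pivot_ips"]))
```

Set `cookie_lifetime_hours` to the lifetime configured on your portal; a cookie login further than that from any credential login cannot be the product of a normal session and is the pattern the advisory describes. Expect some noise from users whose credential login predates your log retention, so treat the source-baseline finding as the stronger of the two signals.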
Broader Context
CVE-2026-0257 represents the latest in ongoing targeting of enterprise VPN and edge security devices. Arctic Wolf recently reported continued exploitation of CVE-2026-35616, a critical FortiClient EMS vulnerability (CVSS 9.1) used to deliver EKZ Infostealer credential-harvesting malware. This pattern indicates sustained adversary focus on perimeter security infrastructure as initial access vectors.
Edge devices present attractive targets because they're internet-accessible by design, often run with elevated privileges, and provide direct paths to internal networks. The four-day window between Palo Alto's disclosure and observed exploitation demonstrates threat actors' capability to rapidly weaponize vulnerabilities in network security infrastructure. Organizations must treat patches for edge devices as emergency priorities, not routine maintenance.
Questions about your exposure?
RedEye Security provides assessments for organizations that need to understand their real risk.