Palo Alto Networks has confirmed active exploitation of the CVE-2026-0257 vulnerability (CVSS 7.8) in PAN-OS and Prisma Access products. The vulnerability allows an attacker to bypass authentication in the GlobalProtect portal and gateway components and establish an unauthorized VPN connection to an organization’s internal network. According to Rapid7, successful exploitation has been observed across numerous customers starting on May 17, 2026. Organizations using GlobalProtect with authentication override via cookie enabled must immediately apply the patch or implement temporary protective measures.
Technical details of the vulnerability
According to the official Palo Alto Networks advisory published on May 13, 2026, the vulnerability is an authentication bypass in the GlobalProtect portal and gateway components of PAN-OS software. Exploitation allows an attacker to circumvent security mechanisms and establish an unauthorized VPN connection to the protected network.
Successful exploitation requires several conditions to be met simultaneously:
- A GlobalProtect portal or gateway is configured on the firewall
- The authentication override via cookie feature (authentication override cookies) is enabled
- A specific certificate configuration is in place
A CVSS score of 7.8 places the vulnerability in the High band of the CVSS qualitative scale (7.0 to 8.9), not Critical, but its real-world impact is greater than the number suggests. An authentication bypass on a perimeter VPN device effectively grants an attacker the same network position as a legitimate remote user, which makes the flaw strategically critical for any organization that relies on GlobalProtect as its primary remote access mechanism.
Exploitation timeline
On May 29, 2026, Palo Alto Networks updated its security advisory, stating that the company had become aware of “limited attempts at exploitation on unpatched PAN-OS devices without mitigations applied.”
A more detailed picture was provided by Rapid7 in its research report. According to the researchers, successful exploitation was observed across numerous customer environments, and the attacks occurred in two waves:
- First wave — the start of exploitation was recorded on May 17, 2026, just four days after the advisory was published
- Second wave — May 21, 2026, with a more advanced attack scenario
Rapid7 believes both waves were likely carried out by the same threat actor, although the specific group has not been identified. In the second wave, researchers report that in two cases a VPN IP address was assigned to a session authenticated only via cookie, meaning the attacker had obtained a working VPN tunnel into the internal network. At the same time, the researchers note that no further malicious activity was observed in the compromised environments.
Impact assessment
The absence of observable post-exploitation activity should not be taken as reassurance. There are several possible explanations: the attacker may have been conducting reconnaissance ahead of later targeted operations, establishing valid VPN access for resale on underground markets, or the follow-on activity simply went undetected by monitoring tools.
The vulnerability is particularly dangerous for organizations where GlobalProtect is the only perimeter remote access mechanism. In such cases, a successful authentication bypass is equivalent to obtaining a legitimate employee VPN access — with corresponding network privileges and the ability to move laterally.
The four-day gap between the advisory’s publication (May 13) and the first observed exploitation (May 17) demonstrates a minimal response window. Organizations that did not apply the patch or temporary measures in the first days after disclosure found themselves under direct threat.
Mitigation recommendations
Palo Alto Networks offers two temporary mitigation options until a full patch can be applied:
- Disable authentication override. This removes the attack vector entirely, at the cost of users re-authenticating on every VPN connection instead of being recognized by a cookie.
- Generate a new certificate used exclusively for the authentication override function. This preserves the feature while invalidating every cookie issued under the previous certificate, including any that an attacker intercepted or forged; because the certificate is dedicated to this one purpose, it can be rotated again later without affecting anything else.
In addition to these measures, it is recommended to:
- Audit GlobalProtect logs for anomalous VPN sessions from May 13, 2026 onward, paying particular attention to logins whose only authentication method is a cookie
- Check for VPN IP address assignments to cookie-authenticated sessions, especially from source addresses or geographic regions the user has never connected from before
- Ensure that all PAN-OS devices with GlobalProtect are running a firmware version that contains the fix
- Consider requiring an additional authentication factor for VPN connections that a cookie alone cannot satisfy
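The log review above can be partly automated. The script below is an added example, not code from Palo Alto Networks or Rapid7. It runs over a constructed, simplified CSV export whose column names (event, auth_method, src_ip, assigned_ip) and event values (portal-auth, gateway-auth, gateway-config-release) are assumptions for the example and must be mapped onto the real GlobalProtect log schema; the 7-day cookie lifetime is likewise an assumption. It flags a cookie login as high severity when no primary authentication (LDAP, SAML, etc.) for that user is on record within the cookie lifetime, as medium when the primary authentication came from a different source address, and it attaches the assigned VPN address when a later config release shows the tunnel was actually established.

```python
"""Hunt GlobalProtect logs for cookie (authentication override) logins that no
primary authentication explains.

Added example: the CSV schema below is a constructed simplification, not the
real PAN-OS GlobalProtect log format; map the columns to your own export.
"""
import csv
import io
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Authentication methods that prove a user actually presented credentials.
PRIMARY_METHODS = {"LDAP", "SAML", "RADIUS", "Kerberos", "TACACS+"}

# Constructed sample log (hypothetical field names and values).
# bob never authenticated with a primary method, yet gets a VPN address;
# alice's cookie is later reused from an address her LDAP login never came from.
SAMPLE_LOG = """time,event,user,auth_method,src_ip,assigned_ip
2026-05-12T08:00:00,portal-auth,alice,LDAP,203.0.113.10,
2026-05-12T08:00:02,gateway-auth,alice,Cookie,203.0.113.10,
2026-05-12T08:00:03,gateway-config-release,alice,,203.0.113.10,10.0.0.5
2026-05-17T03:14:00,gateway-auth,bob,Cookie,198.51.100.77,
2026-05-17T03:14:01,gateway-config-release,bob,,198.51.100.77,10.0.0.9
2026-05-17T09:00:00,portal-auth,carol,SAML,203.0.113.44,
2026-05-17T09:00:02,gateway-auth,carol,Cookie,203.0.113.44,
2026-05-17T09:00:03,gateway-config-release,carol,,203.0.113.44,10.0.0.11
2026-05-18T22:00:00,gateway-auth,alice,Cookie,192.0.2.200,
2026-05-18T22:00:01,gateway-config-release,alice,,192.0.2.200,10.0.0.12
"""


@dataclass
class Finding:
    time: datetime
    user: str
    src_ip: str
    severity: str                       # "high" or "medium"
    reason: str
    assigned_ip: Optional[str] = None   # set when a tunnel was actually built


def parse(log_text: str) -> list:
    """Read the CSV export and return rows sorted by timestamp."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    rows.sort(key=lambda row: row["time"])
    return rows


def hunt(log_text: str, cookie_lifetime_days: float = 7,
         since: Optional[str] = None) -> list:
    """Return findings for cookie logins that lack a matching primary authentication.

    cookie_lifetime_days is the (assumed) override cookie lifetime configured on
    the portal.  Primary logins before `since` (ISO timestamp) still count as
    evidence; only cookie logins from `since` onward are reported, so the review
    can start at the advisory date while keeping the full lookback.
    """
    lifetime = timedelta(days=cookie_lifetime_days)
    since_dt = datetime.fromisoformat(since) if since else None
    last_primary = {}   # user -> (time, src_ip) of the most recent primary login
    pending = {}        # (user, src_ip) -> Finding waiting for a config release
    findings = []
    for row in parse(log_text):
        key = (row["user"], row["src_ip"])
        if row["event"] in ("portal-auth", "gateway-auth"):
            if row["auth_method"] in PRIMARY_METHODS:
                last_primary[row["user"]] = (row["time"], row["src_ip"])
                continue
            if row["auth_method"] != "Cookie" or (since_dt and row["time"] < since_dt):
                continue
            prev = last_primary.get(row["user"])
            if prev is None or row["time"] - prev[0] > lifetime:
                finding = Finding(row["time"], row["user"], row["src_ip"], "high",
                                  "cookie login with no primary authentication within the cookie lifetime")
            elif prev[1] != row["src_ip"]:
                finding = Finding(row["time"], row["user"], row["src_ip"], "medium",
                                  f"cookie login from {row['src_ip']} but primary authentication came from {prev[1]}")
            else:
                continue    # ordinary cookie reuse shortly after a primary login
            findings.append(finding)
            pending[key] = finding
        elif row["event"] == "gateway-config-release":
            # A config release after a suspicious cookie login means the tunnel came up.
            finding = pending.pop(key, None)
            if finding is not None:
                finding.assigned_ip = row["assigned_ip"]
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG, since="2026-05-13T00:00:00"):
        tunnel = f"VPN address {f.assigned_ip} assigned" if f.assigned_ip else "no tunnel established"
        print(f"[{f.severity.upper()}] {f.time:%Y-%m-%d %H:%M} {f.user} from {f.src_ip}: {f.reason}; {tunnel}")
```

The strong signal is the high-severity case: a cookie accepted for a user who never completed a primary login within the cookie lifetime cannot be explained by legitimate cookie reuse. The source-address comparison is only a supporting signal, since roaming users and carrier NAT change addresses legitimately and an attacker who replays a cookie from the victim's own egress address will not trip it. Set cookie_lifetime_days to the lifetime actually configured on the portal, and make the lookback at least that long so that every cookie login in the review window has its primary login in view.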
Applying the Palo Alto Networks patch should be a top priority for all organizations running a GlobalProtect portal or gateway with authentication override enabled. Given the confirmed active exploitation and the minimal window between disclosure and the start of attacks, delaying the update creates a direct risk of unauthorized access to internal infrastructure. Organizations unable to promptly update firmware should immediately apply one of the two temporary measures — disabling authentication override or replacing the certificate.