VYPR
Published May 29, 2026 · 2 sources

Rapid7 Reports Active Exploitation of PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257)

Rapid7 MDR observed exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect, with attackers using cookie-based authentication to access internal networks.

Rapid7's Managed Detection and Response (MDR) team has observed active exploitation of CVE-2026-0257, a medium-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect. The flaw, disclosed by Palo Alto Networks on May 13, 2026, allows remote unauthenticated attackers to establish VPN connections when authentication override cookies are enabled. Rapid7 urges organizations to treat this vulnerability as critical due to the potential impact on edge-facing enterprise VPN appliances.

The earliest observed exploitation occurred on May 17, 2026, when Rapid7 MDR detected suspicious cookie-based authentication to local admin accounts across multiple customer environments. The attackers used IP addresses belonging to hosting provider Vultr, and Rapid7 confirmed the activity as exploitation of CVE-2026-0257 through analysis of Palo Alto tech support files and by validating a working proof of concept. A second wave was observed on May 21, originating from Dromatics Systems address space; the same client MAC address appeared in both waves, suggesting a single threat actor was behind them.

The vulnerability lies in the authentication override feature, which allows GlobalProtect portals or gateways to issue cookies to authenticated users for future communications. The flaw requires a specific configuration where the certificate used to encrypt and decrypt authentication override cookies differs from the certificate used for the GlobalProtect portal or gateway's HTTPS service. Rapid7's technical analysis of the /usr/local/bin/gpsvc binary revealed that the main_AuthWithCookie function decrypts incoming cookie values from HTTP form fields portal-userauthcookie or portal-prelogonuserauthcookie during POST requests to /ssl-vpn/login.esp.

Rapid7 observed that in 8 out of 10 impacted MDR customers, attackers obtained the authentication override cookie but did not use it to establish a VPN session. In the two environments where VPN sessions were established, Rapid7 did not observe any follow-on lateral movement or further malicious activity. The attackers used cookie authentication to log in as the local 'admin' account, with authentication logs showing successful logins from Linux and Windows clients.
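The two observations above (cookie values submitted to the /ssl-vpn/login.esp login path, and successful cookie-method logins as the local 'admin' account that could be tied across waves by a shared MAC address) translate directly into a hunting query over GlobalProtect authentication records. The following is an added example, not Rapid7's or Palo Alto Networks' code: it parses a constructed, simplified key=value log layout (the real PAN-OS GlobalProtect log carries the same facts under product-specific field names, so the parser is the part to adapt), flags successful cookie authentications for local administrative accounts, and groups the hits by client MAC so that activity from different source networks can be linked. The account list in LOCAL_ADMIN_ACCOUNTS and every log line are assumptions made for the example.

```python
"""Hunt for cookie-based GlobalProtect logins to local admin accounts.

Added example, not Rapid7's or Palo Alto Networks' code. The log layout is a
constructed key=value form; adapt parse_record() to your own export.
"""
from collections import defaultdict

# Assumption: local accounts that have no business authenticating to the VPN.
LOCAL_ADMIN_ACCOUNTS = frozenset({"admin"})

# Constructed sample: two waves from different source networks sharing one
# client MAC, one legitimate SAML user, and one failed password attempt.
SAMPLE_LOG = """\
time=2026-05-17T03:12:44Z event=portal-auth user=admin auth_method=Cookie public_ip=203.0.113.10 client_os=Linux status=success mac=00:11:22:33:44:55
time=2026-05-17T03:13:01Z event=gateway-auth user=admin auth_method=Cookie public_ip=203.0.113.10 client_os=Linux status=success mac=00:11:22:33:44:55
time=2026-05-17T09:02:10Z event=portal-auth user=jdoe auth_method=SAML public_ip=198.51.100.7 client_os=Windows status=success mac=aa:bb:cc:dd:ee:ff
time=2026-05-21T11:40:02Z event=gateway-auth user=admin auth_method=Cookie public_ip=192.0.2.55 client_os=Windows status=success mac=00:11:22:33:44:55
time=2026-05-21T11:40:30Z event=gateway-auth user=admin auth_method=Password public_ip=192.0.2.55 client_os=Windows status=failure mac=00:11:22:33:44:55
"""


def parse_record(line):
    """Split one 'key=value key=value ...' line into a dict; tokens without '=' are ignored."""
    record = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            record[key] = value
    return record


def parse_log(text):
    """Parse every non-empty line of a log export."""
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def suspicious_cookie_logins(records, local_admins=LOCAL_ADMIN_ACCOUNTS):
    """Successful authentications that used an override cookie for a local admin.

    Legitimate clients present override cookies all the time, so the cookie
    alone is not a signal. A cookie login for a local administrative account
    is: that account should never have been issued a cookie in the first place.
    """
    return [
        r for r in records
        if r.get("status") == "success"
        and r.get("auth_method", "").lower() == "cookie"
        and r.get("user") in local_admins
    ]


def correlate_by_mac(hits):
    """Group hits by client MAC so waves from different source networks can be linked."""
    by_mac = defaultdict(set)
    for r in hits:
        if "mac" in r:
            by_mac[r["mac"]].add(r["public_ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items()}


def summarize(text):
    """Run the hunt over a log export and return the facts an analyst pivots on."""
    hits = suspicious_cookie_logins(parse_log(text))
    return {
        "hits": len(hits),
        "source_ips": sorted({r["public_ip"] for r in hits}),
        "client_os": sorted({r.get("client_os", "?") for r in hits}),
        "macs": correlate_by_mac(hits),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

On the constructed sample the hunt returns three hits: the two May 17 logins from the Vultr-style source and the May 21 login from the second network, all tied together by the one client MAC, while the legitimate SAML user and the failed password attempt are ignored. The source IPs are the natural pivot into hosting-provider address ranges, and a cookie login for a local admin that is never followed by a gateway session is still worth a ticket, since Rapid7 saw exactly that pattern in most affected environments.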

Palo Alto Networks has released patches for affected versions of PAN-OS and Prisma Access. Rapid7 strongly recommends that organizations apply the vendor-supplied patches urgently, as the vulnerability provides a direct path into internal networks through an edge-facing VPN appliance. Organizations should also review their GlobalProtect configurations to ensure authentication override cookies are properly secured and that certificate configurations align with vendor recommendations.

This incident highlights the ongoing risk posed by authentication bypass vulnerabilities in perimeter devices, which remain a top target for threat actors seeking initial access to enterprise networks. The exploitation of CVE-2026-0257 follows a pattern of attackers targeting VPN appliances and edge services, as seen in previous campaigns against Ivanti, Citrix, and other vendors. Rapid7's findings underscore the importance of treating medium-severity CVEs with a critical mindset when they affect internet-facing authentication mechanisms.

CISA has now added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) Catalog, formally confirming active exploitation and ordering Federal Civilian Executive Branch agencies to remediate the flaw by a specified due date under Binding Operational Directive 22-01. While Rapid7's earlier report detailed the technical exploitation observed in the wild, CISA's KEV inclusion elevates the urgency for all organizations, not just federal agencies, to prioritize patching this authentication bypass in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect.

Synthesized by Vypr AI