VYPR
kevPublished May 29, 2026· Updated Jun 5, 2026· 12 sources

Rapid7 Reports Active Exploitation of PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257)

Rapid7 MDR observed exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect, with attackers using cookie-based authentication to access internal networks.

Rapid7's Managed Detection and Response (MDR) team has observed active exploitation of CVE-2026-0257, a medium-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect. The flaw, disclosed by Palo Alto Networks on May 13, 2026, allows remote unauthenticated attackers to establish VPN connections when authentication override cookies are enabled. Rapid7 urges organizations to treat this vulnerability as critical due to the potential impact on edge-facing enterprise VPN appliances.

The earliest observed exploitation occurred on May 17, 2026, with Rapid7 MDR detecting suspicious cookie authentication to local admin accounts across multiple customer environments. The attackers used IP addresses from hosting provider Vultr, and Rapid7 confirmed the activity as exploitation of CVE-2026-0257 through analysis of Palo Alto tech support files and successful proof-of-concept validation. A second wave of exploitation was observed on May 21, originating from Dromatics Systems, with the same MAC address suggesting a single threat actor behind both waves.

The vulnerability lies in the authentication override feature, which allows GlobalProtect portals or gateways to issue cookies to authenticated users for future communications. The flaw requires a specific configuration where the certificate used to encrypt and decrypt authentication override cookies differs from the certificate used for the GlobalProtect portal or gateway's HTTPS service. Rapid7's technical analysis of the /usr/local/bin/gpsvc binary revealed that the main_AuthWithCookie function decrypts incoming cookie values from HTTP form fields portal-userauthcookie or portal-prelogonuserauthcookie during POST requests to /ssl-vpn/login.esp.

Rapid7 observed that in 8 out of 10 impacted MDR customers, attackers obtained the authentication override cookie but did not use it to establish a VPN session. In the two environments where VPN sessions were established, Rapid7 did not observe any follow-on lateral movement or further malicious activity. The attackers used cookie authentication to log in as the local 'admin' account, with authentication logs showing successful logins from Linux and Windows clients.

Palo Alto Networks has released patches for affected versions of PAN-OS and Prisma Access. Rapid7 strongly recommends that organizations apply the vendor-supplied patches urgently, as the vulnerability provides a direct path into internal networks through an edge-facing VPN appliance. Organizations should also review their GlobalProtect configurations to ensure authentication override cookies are properly secured and that certificate configurations align with vendor recommendations.

This incident highlights the ongoing risk posed by authentication bypass vulnerabilities in perimeter devices, which remain a top target for threat actors seeking initial access to enterprise networks. The exploitation of CVE-2026-0257 follows a pattern of attackers targeting VPN appliances and edge services, as seen in previous campaigns against Ivanti, Citrix, and other vendors. Rapid7's findings underscore the importance of treating medium-severity CVEs with a critical mindset when they affect internet-facing authentication mechanisms.

CISA has now added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) Catalog, formally confirming active exploitation and ordering Federal Civilian Executive Branch agencies to remediate the flaw by a specified due date under Binding Operational Directive 22-01. While Rapid7's earlier report detailed the technical exploitation observed in the wild, CISA's KEV inclusion elevates the urgency for all organizations, not just federal agencies, to prioritize patching this authentication bypass in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect.

The article adds that CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, and provides a detailed breakdown of two exploitation waves observed by Rapid7 starting May 17, 2026. Attackers used spoofed MAC addresses and machine names (GP-CLIENT and DESKTOP-GP01) to masquerade as legitimate endpoints, with some victims receiving full VPN IP assignments granting direct internal network access. The article also lists specific patched versions and recommends generating a dedicated certificate for authentication override cookie encryption, never sharing it with the HTTPS service.

Palo Alto Networks updated its advisory on May 29, 2026, confirming limited exploit attempts on unpatched devices. Rapid7 reported two waves of exploitation starting May 17, with the second wave involving VPN IP assignment and internal network access, though no follow-on activity was observed. The vendor urges immediate patching or temporary mitigations such as disabling authentication override or generating a new certificate.

Palo Alto Networks has now issued its own warning confirming active exploitation of CVE-2026-0257 in the wild, urging customers to immediately apply patches for the authentication bypass flaw in PAN-OS GlobalProtect VPN. The vendor's advisory provides updated guidance on affected versions and mitigation steps, reinforcing earlier findings from Rapid7 MDR that observed attackers using cookie-based authentication to breach corporate networks.

Rapid7's latest observations confirm that attackers are actively exploiting the authentication bypass by sending forged cookies to GlobalProtect VPN portals. In 8 out of 10 impacted MDR customers, the firewall accepted the forged cookie without establishing a full VPN session, though no lateral movement has been detected yet. Palo Alto Networks disclosed the vulnerability on May 13 and has released hotfixes for affected PAN-OS versions.

Rapid7's Managed Detection and Response team observed successful exploitation attempts across multiple customers, with attackers using forged cookies to bypass authentication. In 8 out of 10 impacted environments, the Palo Alto firewall accepted the forged cookie without establishing a full VPN session, though no lateral movement has been detected so far. The vulnerability, disclosed by Palo Alto Networks on May 13, continues to be a target for limited but active exploitation attempts.

SecurityWeek reports that exploitation of CVE-2026-0257 began just four days after public disclosure and has continued for weeks, underscoring the urgency for organizations to apply available hotfixes. The authentication bypass affects PAN-OS firewalls and Prisma Access GlobalProtect, with unauthenticated attackers able to bypass authentication mechanisms on unpatched devices.

CISA has added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog, giving federal agencies until June 1 to patch. Palo Alto Networks has revised its advisory, elevating the severity rating and attaching its highest urgency label, confirming limited exploit attempts on unpatched devices. The vulnerability affects PAN-OS deployments sharing certificates between HTTPS services and authentication override cookies, enabling attackers to forge cookies and gain unauthorized VPN access. Rapid7 observed multiple waves of activity since May 17, with attackers obtaining VPN IP addresses and network access, though no lateral movement was confirmed.

Palo Alto Networks updated its advisory on May 29 to confirm limited exploit attempts against unpatched devices, and CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog the same day. Rapid7 observed two attack waves — the first on May 17 using forged authentication cookies, and a second on May 21 where attackers obtained VPN addresses and gained internal network access. The vendor recommends using a dedicated certificate for authentication-override cookies or disabling the feature entirely as interim mitigations.

The new article highlights that attackers are exploiting CVE-2026-0257 by forging valid authentication cookies using the appliance's publicly available TLS certificate, a mechanism not detailed in previous reports. It also notes that the vulnerability was initially rated medium by Palo Alto Networks before being escalated to critical due to observed in-the-wild exploitation, with Rapid7 observing new victims during a second wave of activity on May 21.

CISA has officially added CVE-2026-0257, a critical authentication bypass vulnerability affecting Palo Alto Networks' PAN-OS, to its Known Exploited Vulnerabilities (KEV) catalog. This inclusion confirms that the flaw, which allows remote attackers to bypass authentication and gain unauthorized VPN access, is being actively exploited in the wild. Federal agencies have been given a strict remediation deadline of June 1, 2026, underscoring the urgency for all organizations to apply available patches or implement vendor-recommended mitigations immediately.

This Unit 42 threat brief provides specific indicators of compromise (IOCs) for the active exploitation of CVE-2026-0257, including a list of malicious IP addresses and suspicious host/device identifiers observed in GlobalProtect logs. It also details post-Proof of Concept (PoC) release indicators and highlights Palo Alto Networks' Cortex Xpanse's ability to identify exposed gateways and portals.

Synthesized by Vypr AI