
Palo Alto Networks is warning that hackers are currently exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.
The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device.
“GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection,” reads Palo Alto’s advisory.
The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a specific certificate configuration.
However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw was now being actively exploited in attacks against unpatched devices, raising the severity rating to High.
“Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied,” reads the update.
This update comes after Rapid7 warned that it had observed the flaw being exploited against numerous customers starting on May 17.
“Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026,” explains Rapid7.
“As of May 29, 2026, this vulnerability has been added to the CISA KEV.”
According to Rapid7, the attacks began with hackers authenticating to GlobalProtect gateways using forged authentication override cookies that targeted the local administrator account.
The company first observed exploitation on May 18 from infrastructure hosted by Vultr, with a second wave of attacks detected on May 21 originating from Dromatics Systems.
In some cases, attackers were able to connect to the device via VPN using forged cookies, granting them access to internal networks. However, Rapid7 says that in many incidents, although the appliance accepted the forged cookie, they were unable to establish a full VPN session.
Rapid7’s investigation into affected customers found that the impacted devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed attackers to forge valid authentication cookies.
The researchers say the flaw stems from PAN-OS’s validation of authentication override cookies.
A GlobalProtect VPN device decrypts these cookies using a configured private key and then trusts the decrypted contents without performing any signature verification.
If the same certificate is reused for both HTTPS services and authentication override cookies, attackers can obtain the corresponding public key through the HTTPS session and then use it to create forged cookies that the device will accept as legitimate.
Rapid7 developed a proof-of-concept exploit that demonstrates how an attacker can retrieve the public certificate exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without knowing valid credentials. Using this PoC, the researchers successfully authenticated to an unpatched GlobalProtect gateway.
Organizations using GlobalProtect VPN devices should immediately install the latest security updates to patch the flaw.
Admins can also mitigate the flaw by turning off the authentication override feature or by using a separate certificate for this feature and not sharing it with other services on the device.
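The design weakness described above (decrypt the cookie, then trust whatever comes out, with the encryption public key already handed to every HTTPS client) and the certificate-separation mitigation are easiest to see side by side in a small model. The following is an added example written for this page; it is not PAN-OS code and says nothing about the real cookie format. It uses textbook RSA over fixed Mersenne primes in place of the certificate key pairs, and the class names, the JSON claim layout and the HMAC tag are all constructed for illustration.

```python
"""Toy model of 'decrypt, then trust' cookie validation versus a checked design.

Added example, not PAN-OS code. Textbook RSA with constructed Mersenne
primes stands in for the certificate key pairs; no padding, toy use only.
"""
import hashlib
import hmac
import json
import secrets

E = 65537
CHUNK = 16  # 128-bit chunks stay below both moduli used here


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for textbook RSA over the constructed primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# Constructed key material, fixed so the example is deterministic.
TLS_PUB, TLS_PRIV = make_keypair((1 << 61) - 1, (1 << 89) - 1)          # ~150-bit modulus
COOKIE_PUB, COOKIE_PRIV = make_keypair((1 << 107) - 1, (1 << 127) - 1)  # ~234-bit modulus


def rsa_encrypt(public_key, data):
    """Encrypt in fixed chunks; a 0x01 sentinel byte keeps leading zero bytes."""
    n, e = public_key
    return [pow(int.from_bytes(b"\x01" + data[i:i + CHUNK], "big"), e, n)
            for i in range(0, len(data), CHUNK)]


def rsa_decrypt(private_key, blocks):
    """Inverse of rsa_encrypt; garbage in gives garbage out, never an error."""
    n, d = private_key
    out = bytearray()
    for c in blocks:
        m = pow(c, d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")[1:]  # drop the sentinel
    return bytes(out)


class WeakGateway:
    """Reuses the HTTPS key pair for cookies and believes whatever decrypts."""

    def __init__(self):
        self.tls_public_key = TLS_PUB       # every TLS client learns this
        self._cookie_private_key = TLS_PRIV  # same pair, so the public half is public

    def issue_cookie(self, user):
        return rsa_encrypt(self.tls_public_key, json.dumps({"user": user}).encode())

    def validate(self, cookie):
        try:
            claims = json.loads(rsa_decrypt(self._cookie_private_key, cookie))
        except ValueError:
            return None
        if not isinstance(claims, dict):
            return None
        return claims.get("user")  # decrypted cleanly, so it is trusted as-is


class HardenedGateway:
    """Dedicated cookie key pair (public half never served) plus a server-only MAC."""

    def __init__(self):
        self.tls_public_key = TLS_PUB
        self._cookie_public_key = COOKIE_PUB     # only the gateway itself encrypts
        self._cookie_private_key = COOKIE_PRIV
        self._mac_key = secrets.token_bytes(32)  # never leaves the gateway

    def _tag(self, body):
        return hmac.new(self._mac_key, body, hashlib.sha256).digest()

    def issue_cookie(self, user):
        body = json.dumps({"user": user}).encode()
        return rsa_encrypt(self._cookie_public_key, body + self._tag(body))

    def validate(self, cookie):
        plain = rsa_decrypt(self._cookie_private_key, cookie)
        body, tag = plain[:-32], plain[-32:]
        if not hmac.compare_digest(tag, self._tag(body)):
            return None  # origin check fails before the contents are parsed
        return json.loads(body).get("user")


def cookie_from_public_key(public_key, user):
    """What any party holding only the published public key can produce."""
    return rsa_encrypt(public_key, json.dumps({"user": user}).encode())


def demo():
    weak, hard = WeakGateway(), HardenedGateway()
    return {
        "weak_legit": weak.validate(weak.issue_cookie("alice")),
        "weak_forged": weak.validate(cookie_from_public_key(weak.tls_public_key, "admin")),
        "hard_legit": hard.validate(hard.issue_cookie("alice")),
        "hard_forged": hard.validate(cookie_from_public_key(hard.tls_public_key, "admin")),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the weak gateway accepting a cookie for `admin` that was built from nothing but its HTTPS public key, while the hardened gateway rejects it. Either half of the hardened design closes the path on this page: a cookie key pair whose public half is never served means the HTTPS handshake no longer hands out anything useful, and a MAC or signature under a key only the gateway holds means decryption alone is never taken as proof of origin. The HMAC check runs before `json.loads`, so untrusted bytes are never parsed.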
CISA has now added the flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to mitigate the flaw by June 1, 2026.

