CVE-2026-0257 — PAN-OS GlobalProtect Authentication Bypass Under Active Exploitation

CVE-2026-0257 is an actively exploited authentication bypass in Palo Alto Networks PAN-OS GlobalProtect, allowing unauthorized VPN connections to affected firewalls — earliest observed exploitation May 17, 2026.

Summary

Palo Alto Networks has warned that CVE-2026-0257, an authentication bypass vulnerability in the PAN-OS GlobalProtect portal and gateway scored CVSS 7.8 (a score in the High range of the CVSS qualitative scale), is under active exploitation. The flaw affects firewalls with a GlobalProtect portal or gateway configured, but only when authentication override cookies are enabled and a specific certificate configuration exists.

Rapid7 reported observing successful exploitation across numerous customers, with the earliest activity dating back to May 17, 2026, followed by a second wave on May 21. Both exploitation sets are assessed to be the work of the same threat actor. In the second wave, attackers successfully established VPN sessions with internal network access in two observed cases, though no follow-on post-exploitation activity was confirmed in those environments.

The vulnerability allows an unauthenticated attacker to bypass security restrictions and establish an unauthorized VPN connection. Palo Alto Networks released an advisory on May 13, 2026, and updated it on May 29 to confirm active exploitation. Temporary mitigations include disabling the authentication override feature or generating a new certificate for exclusive use with authentication override.
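The two conditions named above (override cookies enabled, plus a particular certificate configuration) are both visible in the firewall's exported XML configuration, so they can be audited offline before deciding whether to disable the feature or issue a dedicated certificate. The script below is an added example written for this summary, not Palo Alto Networks tooling. The sample configuration is constructed; the element names follow the PAN-OS configuration tree as best recalled (`authentication-override`, `generate-cookie`, `accept-cookie`, `cookie-encrypt-decrypt-cert`, `ssl-tls-service-profile`) and should be treated as an assumption to check against a real `show config running` export. It also assumes that the "certificate configuration" of concern is reuse of the cookie encryption certificate for another purpose, since the vendor mitigation is a certificate used exclusively for authentication override; the advisory text on this page does not spell out the exact condition.

```python
"""Audit an exported PAN-OS configuration for GlobalProtect authentication-override
cookie settings. Added example, not vendor tooling; the XML layout below is a
constructed approximation of the PAN-OS config tree, not an authoritative schema."""
import xml.etree.ElementTree as ET

# Constructed sample: a running-config export trimmed to the GlobalProtect and
# SSL/TLS service profile subtrees. One portal agent config and the gateway share
# the cookie certificate with the portal's TLS profile; a second agent config has
# cookies disabled and should produce no finding.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <ssl-tls-service-profile><entry name="gp-tls">
      <certificate>gp-portal-cert</certificate>
    </entry></ssl-tls-service-profile>
    <global-protect>
      <global-protect-portal><entry name="gp-portal">
        <client-config><configs>
          <entry name="corp-laptops">
            <authentication-override>
              <generate-cookie>yes</generate-cookie>
              <accept-cookie><cookie-lifetime><lifetime-in-days>30</lifetime-in-days></cookie-lifetime></accept-cookie>
              <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
            </authentication-override>
          </entry>
          <entry name="contractors">
            <authentication-override>
              <generate-cookie>no</generate-cookie>
            </authentication-override>
          </entry>
        </configs></client-config>
      </entry></global-protect-portal>
      <global-protect-gateway><entry name="gp-gateway">
        <remote-user-tunnel-configs><entry name="default">
          <authentication-override>
            <generate-cookie>yes</generate-cookie>
            <accept-cookie><cookie-lifetime><lifetime-in-days>30</lifetime-in-days></cookie-lifetime></accept-cookie>
            <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
          </authentication-override>
        </entry></remote-user-tunnel-configs>
      </entry></global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""


def _parent_map(root):
    """ElementTree keeps no parent pointers; build a child -> parent map once."""
    return {child: parent for parent in root.iter() for child in parent}


def find_override_settings(xml_text):
    """Return one record per <authentication-override> block under a portal or gateway."""
    root = ET.fromstring(xml_text)
    parents = _parent_map(root)
    records = []
    for node in root.iter("authentication-override"):
        names, kind, cur = [], None, node
        # Walk up to the enclosing portal/gateway, collecting entry names on the way.
        while cur in parents:
            cur = parents[cur]
            if cur.tag == "entry" and "name" in cur.attrib:
                names.append(cur.attrib["name"])
            if cur.tag in ("global-protect-portal", "global-protect-gateway"):
                kind = cur.tag.rsplit("-", 1)[-1]
                break
        if kind is None:
            continue
        cert = node.findtext("cookie-encrypt-decrypt-cert")
        records.append({
            "kind": kind,
            "object": "/".join(reversed(names)),
            "generate_cookie": (node.findtext("generate-cookie") or "no").strip() == "yes",
            "accept_cookie": node.find("accept-cookie") is not None,
            "cert": cert.strip() if cert else None,
        })
    return records


def audit(xml_text):
    """Flag configs with override cookies enabled and cookie certs shared with TLS profiles."""
    root = ET.fromstring(xml_text)
    tls_certs = {c.text.strip()
                 for prof in root.iter("ssl-tls-service-profile")
                 for c in prof.iter("certificate") if c.text}
    findings = []
    for s in find_override_settings(xml_text):
        if not (s["generate_cookie"] or s["accept_cookie"]):
            continue  # override feature off for this config: nothing to mitigate
        where = f"{s['kind']} {s['object']}"
        findings.append(f"{where}: authentication override cookies enabled")
        if s["cert"] is None:
            findings.append(f"{where}: no cookie certificate configured")
        elif s["cert"] in tls_certs:
            # Portal and gateway legitimately share the cookie cert with each other;
            # sharing it with a TLS service profile is the reuse to eliminate.
            findings.append(f"{where}: cookie certificate '{s['cert']}' is also used by an "
                            f"SSL/TLS service profile; issue a dedicated certificate")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG):
        print(line)
```

Run it against a real export by replacing `SAMPLE_CONFIG` with the file contents; a configuration that yields no findings either has override cookies disabled everywhere or already uses a certificate that no TLS profile references.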

This follows a pattern of edge VPN appliance exploitation that has become a primary initial access vector in 2025–2026. The FBI’s 2025 Internet Crime Report and multiple incident response vendors have noted that VPN appliances — Fortinet, Ivanti, Palo Alto — represent a critical attack surface for ransomware and nation-state intrusions.

Why It Matters

CVE-2026-0257 sits in an edge-facing enterprise VPN appliance, the same class of vulnerability that has enabled some of the most damaging ransomware and espionage campaigns of the past two years. An authentication bypass in a perimeter VPN gateway means attackers gain network access without credentials, without having to defeat MFA, and without user interaction. For organizations running PAN-OS with GlobalProtect, this is an urgent patch-and-mitigate scenario. The gap between advisory publication (May 13) and the earliest observed exploitation (May 17) was only four days, underscoring the speed at which adversaries weaponize newly disclosed vulnerabilities.

Defender Takeaways

  • Immediately apply the PAN-OS patch for CVE-2026-0257 or implement temporary mitigations (disable authentication override or regenerate certificates).
  • Audit GlobalProtect configurations for authentication override cookie settings and certificate configurations.
  • Monitor VPN authentication logs for anomalous cookie-based authentication from unfamiliar source IPs.
  • Check for unauthorized VPN sessions established after May 17, 2026 — review session logs for the “authenticated via override” pattern.
  • Include this CVE in vulnerability management prioritization — edge appliance CVEs with known exploitation should be treated as critical regardless of CVSS score.
  • Review Rapid7’s indicators and detection guidance for CVE-2026-0257 exploitation patterns.
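The two log-review items above (cookie-based logins from unfamiliar source addresses, and sessions established on or after May 17, 2026) reduce to one filter over the GlobalProtect log export. The script below is an added example for this summary, not Rapid7 or Palo Alto Networks detection content. The log lines are constructed; the column names and the `cookie` value for the authentication method are approximations of a GlobalProtect log export rather than a documented schema, and the allowlist of expected source ranges is an assumption that each organization would replace with its own.

```python
"""Triage GlobalProtect logs for cookie-based (authentication override) logins from
unexpected source addresses on or after the first observed exploitation date.
Added example; the CSV columns and the "cookie" auth_method value are constructed
approximations of a GlobalProtect log export, not a documented schema."""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample export. Rows exercise each filter: a SAML login (ignored),
# a cookie login before the cut-off date, a cookie login from an allowlisted range,
# two cookie logins from one unknown address, and a failed cookie login.
SAMPLE_LOG = """receive_time,event_id,stage,auth_method,srcuser,public_ip,status
2026/05/16 08:02:11,gateway-auth,login,SAML,alice,203.0.113.10,success
2026/05/16 09:30:00,gateway-auth,login,cookie,alice,198.51.100.5,success
2026/05/18 03:14:05,gateway-auth,login,cookie,bob,198.51.100.77,success
2026/05/18 03:15:40,gateway-auth,login,cookie,bob,198.51.100.77,success
2026/05/19 10:22:01,gateway-auth,login,cookie,carol,203.0.113.25,success
2026/05/21 22:45:13,gateway-auth,login,cookie,dave,192.0.2.200,success
2026/05/21 22:46:00,gateway-auth,login,cookie,,192.0.2.200,failure
"""

# Assumed allowlist of ranges remote users are expected to connect from.
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Earliest exploitation reported by Rapid7 for CVE-2026-0257.
EXPLOIT_START = datetime(2026, 5, 17)


def triage(log_text, known_ranges=KNOWN_RANGES, since=EXPLOIT_START):
    """Group successful cookie logins on/after `since` from non-allowlisted IPs by (user, ip)."""
    groups = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["auth_method"].lower() != "cookie" or row["status"] != "success":
            continue  # only successful override-cookie authentications are of interest
        ts = datetime.strptime(row["receive_time"], "%Y/%m/%d %H:%M:%S")
        if ts < since:
            continue
        ip = ipaddress.ip_address(row["public_ip"])
        if any(ip in net for net in known_ranges):
            continue  # expected source range; still worth a glance, but not a hit
        key = (row["srcuser"] or "<unknown>", row["public_ip"])
        g = groups.setdefault(key, {"user": key[0], "public_ip": key[1],
                                    "count": 0, "first_seen": ts})
        g["count"] += 1
        g["first_seen"] = min(g["first_seen"], ts)
    return sorted(groups.values(), key=lambda g: g["first_seen"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"{hit['first_seen']:%Y-%m-%d %H:%M:%S} {hit['user']:<10} "
              f"{hit['public_ip']:<16} cookie logins: {hit['count']}")
```

Each hit is a (user, source address) pair to pivot on in the session and traffic logs; a user whose override cookie is suddenly presented from an address they have never used before is the pattern the takeaways describe, whether or not the account itself is legitimate.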

Source

Title: PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation — The Hacker News
URL: https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html