Palo Alto Networks warns that hackers are exploiting the PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.
The company patched the CVE-2026-0257 flaw earlier this month and warned that it could be used to establish unauthorized VPN connections on devices.
"The GlobalProtect portal and gateway in Palo Alto Networks' PAN-OS® software allows attackers to bypass security restrictions and establish unauthorized VPN connections," Palo Alto's advisory reads.
The vulnerability was initially rated as Medium severity because exploitation requires a non-default configuration: the authentication override cookie must be enabled on the device and a specific certificate configured for it.
However, on Friday, Palo Alto Networks updated its advisory to warn that the flaw is now being actively exploited in attacks against unpatched devices and raised its severity rating to "High."
"Palo Alto Networks has become aware of a limited exploitation attempt on unpatched PAN-OS devices that do not have mitigations applied," the update states.
This update comes after Rapid7 warned that it had seen the flaw being exploited against a number of customers since May 17th.
"Rapid7 MDR identified a successful exploit across a number of customers, but no indication of successful lateral movement from the device was observed. The earliest observed exploit date was May 17, 2026," Rapid7 explains.
"As of May 29, 2026, this vulnerability has been added to CISA KEV."
According to Rapid7, the attacks began with hackers authenticating to the GlobalProtect gateway using a forged authentication override cookie targeting a local administrator account.
The company first observed exploitation from Vultr-hosted infrastructure on May 18th, and a second wave of attacks from Dromatics Systems infrastructure was detected on May 21st.
In some cases, attackers were able to use forged cookies to connect to the device over VPN and gain access to the internal network. However, according to Rapid7, in many incidents the appliance accepted the forged cookie but was unable to establish a full VPN session.
Rapid7 investigated the affected customers and found that the compromised devices had the GlobalProtect authentication override cookie enabled and configured in a way that allowed an attacker to forge a valid authentication cookie.
Researchers say the flaw stems from how PAN-OS validates authentication override cookies.
GlobalProtect VPN devices use the configured private key to decrypt these cookies and then trust the decrypted content without performing any signature verification. Because the cookie is only encrypted, not authenticated, anyone who holds the matching public key can produce a cookie the device will decrypt and accept.
If the same certificate is reused for both the HTTPS service and the authentication override cookie, an attacker can obtain the corresponding public key simply by opening an HTTPS session to the portal or gateway, then use it to create a forged cookie that the device accepts as legitimate.
Rapid7 has developed a proof-of-concept exploit that demonstrates how an attacker can obtain the public certificate exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without knowing valid credentials. Using this PoC, researchers were able to successfully authenticate to an unpatched GlobalProtect gateway.
Organizations using GlobalProtect VPN devices should immediately install the latest security updates to patch the flaw.
Administrators can also mitigate the flaw by disabling the Authentication Override feature, or by using a dedicated certificate for it that is not shared with the HTTPS service or any other service on the device, so the cookie's public key is never exposed to remote clients.
CISA has now added the flaw to its Known Exploited Vulnerabilities (KEV) catalog and is directing federal agencies to mitigate it by June 1, 2026.

