Critical Vulnerability in Palo Alto GlobalProtect VPN Under Active Exploitation


Key Takeaways

  • A flaw in Palo Alto Networks’ GlobalProtect VPN (CVE‑2026-0257) is being actively exploited to bypass authentication and gain unauthorized VPN access.
  • The flaw stems from improper validation of “authentication override cookies”: PAN‑OS decrypts a cookie and trusts its contents without verifying who issued it, so when the HTTPS certificate is reused for the cookie feature, anyone holding that certificate’s public key can forge one.
  • Rapid7 observed exploitation as early as May 17, 2026; CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal remediation by June 1, 2026.
  • Mitigations include disabling authentication‑override cookies, using separate certificates, network segmentation, and vigilant log monitoring.
  • The incident highlights the growing risk of concentrated edge‑device functions and the shrinking window between disclosure and weaponization.

Overview of the Threat
Cybersecurity researchers and government agencies are sounding the alarm after attackers began actively exploiting a newly disclosed vulnerability affecting Palo Alto Networks’ widely used GlobalProtect VPN platform. The flaw, tracked as CVE‑2026-0257, raises fears of large‑scale corporate network intrusions because it enables threat actors to bypass authentication protections under certain configurations.

Vulnerability Details and Severity Escalation
The vulnerability affects PAN‑OS, the operating system of Palo Alto Networks firewall appliances, and allows unauthorized users to establish VPN connections without legitimate credentials. The flaw was initially disclosed with a “Medium” severity rating; Palo Alto Networks raised its assessment to “High” after confirming real‑world exploitation of unpatched, internet‑facing GlobalProtect gateways.

Exploitation Attempts Detected Worldwide
In an updated security advisory, Palo Alto Networks acknowledged that exploit attempts against vulnerable devices are already underway. The warning followed a separate investigation by cybersecurity firm Rapid7, whose Managed Detection and Response (MDR) team observed exploitation activity beginning as early as May 17, 2026—only days after technical details surrounding the flaw became public. Rapid7 reported attacks across numerous customer environments, indicating that threat actors rapidly operationalized the vulnerability after disclosure.

How the Vulnerability Works
The flaw centers on a feature known as “authentication override cookies,” designed to streamline user authentication for GlobalProtect VPN sessions. Under normal circumstances, these cookies let previously authenticated users reconnect without re‑entering credentials. Under specific configurations, however, PAN‑OS validates these cookies improperly: it decrypts the cookie and trusts its contents without verifying a signature that would prove the gateway itself issued it. That missing check matters because a public key is, by design, public: the gateway hands its certificate, public key included, to every client during the TLS handshake. When organizations reuse the same certificate for both HTTPS services and the authentication‑override feature, an attacker can take that public key from an ordinary HTTPS connection, encrypt a cookie of their own choosing to it, and present the gateway with a cookie it will decrypt and accept, impersonating arbitrary users, including local administrator accounts. Successful decryption shows only that the cookie was encrypted to the gateway’s key, not who encrypted it.

Proof‑of‑Concept Demonstrates Practical Impact
Rapid7 researchers developed a proof‑of‑concept exploit showing how attackers could retrieve exposed certificates, forge authentication cookies, and successfully authenticate to vulnerable GlobalProtect gateways without valid credentials. The attack method underscores the dangers of certificate reuse across multiple security functions, a practice still common in many enterprise environments despite longstanding warnings from cryptographic specialists. Successful VPN authentication alone grants attackers direct access to internal corporate networks, representing a severe risk even without observed lateral movement.
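To make the encryption-versus-authentication point from the two sections above concrete, here is an added example written for this article; it is not Rapid7’s proof of concept and not code from PAN‑OS. It models a gateway in Go whose HTTPS key pair is reused for cookies. The cookie format, the RSA‑OAEP envelope and the HMAC tag are assumptions chosen for illustration, since the actual PAN‑OS cookie layout is not described on this page; what the model shares with the advisory is the shape of the mistake: a cookie encrypted to the gateway’s public key can be produced by anyone who has seen that key in a TLS handshake, so decrypting it proves nothing about who made it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// cookiePayload is the claim set trusted after decryption; a hypothetical stand-in, not the PAN-OS format.
type cookiePayload struct {
	User string `json:"user"`
}

// Gateway models an edge appliance whose HTTPS key pair is reused for authentication-override cookies.
type Gateway struct {
	tlsKey *rsa.PrivateKey // private half of the HTTPS certificate
	macKey []byte          // secret only the gateway holds; used by the hardened path
}

func NewGateway() (*Gateway, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	mac := make([]byte, 32)
	if _, err := rand.Read(mac); err != nil {
		return nil, err
	}
	return &Gateway{tlsKey: k, macKey: mac}, nil
}

// PublicKey is what every client already receives in the TLS handshake; nothing about it is secret.
func (g *Gateway) PublicKey() *rsa.PublicKey { return &g.tlsKey.PublicKey }

// EncryptToGateway encrypts a chosen payload to the gateway's public key (RSA-OAEP).
// Anyone holding the public key can run this, so it is also the attacker's forgery step.
func EncryptToGateway(pub *rsa.PublicKey, user string) ([]byte, error) {
	pt, err := json.Marshal(cookiePayload{User: user})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, nil)
}

// decryptAndParse proves only that the cookie was encrypted to our key, not who encrypted it.
func (g *Gateway) decryptAndParse(ct []byte) (string, bool) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, g.tlsKey, ct, nil)
	if err != nil {
		return "", false
	}
	var p cookiePayload
	if json.Unmarshal(pt, &p) != nil || p.User == "" {
		return "", false
	}
	return p.User, true
}

// VulnerableAccept models the flawed check: decrypt, then trust the plaintext.
func (g *Gateway) VulnerableAccept(cookie []byte) (string, bool) { return g.decryptAndParse(cookie) }

// HardenedIssue mints cookie = ciphertext || HMAC-SHA256(macKey, ciphertext).
// Only the gateway knows macKey, so only the gateway can produce a cookie it will accept.
func (g *Gateway) HardenedIssue(user string) ([]byte, error) {
	ct, err := EncryptToGateway(g.PublicKey(), user)
	if err != nil {
		return nil, err
	}
	m := hmac.New(sha256.New, g.macKey)
	m.Write(ct)
	return append(ct, m.Sum(nil)...), nil
}

// HardenedAccept verifies the tag first; a forged cookie never reaches decryption, let alone trust.
func (g *Gateway) HardenedAccept(cookie []byte) (string, bool) {
	if len(cookie) <= sha256.Size {
		return "", false
	}
	ct, tag := cookie[:len(cookie)-sha256.Size], cookie[len(cookie)-sha256.Size:]
	m := hmac.New(sha256.New, g.macKey)
	m.Write(ct)
	if !hmac.Equal(tag, m.Sum(nil)) {
		return "", false
	}
	return g.decryptAndParse(ct)
}

func main() {
	gw, err := NewGateway()
	if err != nil {
		panic(err)
	}
	forged, _ := EncryptToGateway(gw.PublicKey(), "admin") // attacker side: needs only the TLS cert
	_, vulnOK := gw.VulnerableAccept(forged)
	_, hardOK := gw.HardenedAccept(forged)
	fmt.Println("forged admin cookie accepted? vulnerable:", vulnOK, "hardened:", hardOK)
}
```

Run it and the vulnerable path accepts a cookie naming admin that was built with nothing but the public key, while the hardened path rejects it because the forger cannot compute the tag. Whether that tag is an HMAC under a gateway‑only secret, as here, or an RSA‑PSS signature under a key the client never sees is secondary; what matters is that acceptance depends on something the forger does not have, and that this check runs before the plaintext is trusted.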

VPN Infrastructure Remains a Prime Target
The incident is the latest reminder that VPN infrastructure continues to serve as one of the most attractive targets for cybercriminals, ransomware groups, and state‑sponsored hackers. Since the COVID‑19 pandemic accelerated remote‑work adoption, VPN gateways have become essential components of enterprise security architecture. Their internet‑facing nature makes them high‑value entry points for attackers seeking initial access. Over the past several years, vulnerabilities affecting VPN vendors—including Palo Alto Networks, Ivanti, Fortinet, and Cisco—have repeatedly enabled widespread cyber intrusions, often exploited within days or even hours of public disclosure. Successful exploitation frequently bypasses endpoint detection systems and provides direct network‑level access, allowing attackers to appear as trusted internal users and complicating detection efforts.

Attack Infrastructure Linked to Cloud Hosting Providers
Rapid7’s investigation also shed light on the infrastructure used during the exploitation attempts. Researchers said the first wave of attacks originated from servers hosted by cloud provider Vultr; a second wave was later traced to infrastructure associated with Dromatics Systems. The use of rented cloud infrastructure has become increasingly common among sophisticated cybercriminal groups because it lets attackers rapidly rotate servers, obscure attribution, and blend malicious traffic into legitimate cloud‑hosted activity. Although attribution remains unclear, the exploitation patterns resembled rapid opportunistic scanning campaigns frequently associated with financially motivated threat actors. Once public exploit code becomes available, broader exploitation often follows quickly as less sophisticated attackers adopt the techniques.

CISA Adds Flaw to Known Exploited Vulnerabilities List
The seriousness of the threat escalated further after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog. The KEV catalog reserves entries for vulnerabilities actively exploited in the wild and considered especially dangerous to government and critical‑infrastructure systems. Under Binding Operational Directive 22‑01, federal civilian agencies must remediate the flaw by June 1, 2026. Inclusion in the KEV list signals elevated concern among federal cybersecurity officials and typically prompts broader patching efforts across both public and private sectors. Cybersecurity professionals frequently monitor the KEV catalog because vulnerabilities added to the list are often targeted aggressively by ransomware groups and nation‑state operators.

Organizations Urged to Patch Immediately
Palo Alto Networks and third‑party researchers are strongly urging organizations to install the latest PAN‑OS security updates immediately. Security teams are also advised to audit GlobalProtect configurations for certificate reuse and to disable authentication‑override cookies wherever the feature is not needed. For those unable to patch immediately, temporary mitigations include: disabling authentication‑override functionality; issuing the cookies under a certificate other than the one the HTTPS portal presents to every client (this removes the trivial route to the key but is a stopgap, not a substitute for the update); restricting VPN exposure through network segmentation; monitoring VPN authentication logs for anomalies, in particular cookie‑based logins for accounts with no recent credential‑based login, since the cookies exist only to let already‑authenticated users reconnect; reviewing administrator account activity; and conducting threat hunts for unauthorized VPN sessions. Internet‑exposed VPN infrastructure is routinely scanned by attackers within minutes of vulnerability disclosures, so organizations should assume any vulnerable device exposed online will eventually be targeted.
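As an added example of the log‑monitoring and threat‑hunting items above (written for this article; not a Palo Alto or Rapid7 detection, and not PAN‑OS’s real log format), the Go program below runs three heuristics over constructed key=value login records. The heuristics follow from what override cookies are for: a cookie‑based login for an account with no credential‑based login in the lookback window, any cookie‑based login as a local administrator, and one source presenting cookies for several distinct users are each worth a look. The log schema, field names, lookback and spray threshold are all assumptions; adapt the parser to your own export.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// loginEvent is one parsed gateway authentication record. The key=value line format
// below is constructed for this example and is not PAN-OS's real log schema.
type loginEvent struct {
	At     time.Time
	User   string
	Method string // "credentials" (full login) or "cookie" (authentication-override reconnect)
	Src    string
}

// Finding is one hunt hit; Rule names the heuristic that fired.
type Finding struct {
	Rule, User, Src string
	At              time.Time
}

func parseLine(line string) (loginEvent, error) {
	fields := strings.Fields(line)
	if len(fields) == 0 {
		return loginEvent{}, fmt.Errorf("empty line")
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return loginEvent{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		if k, v, ok := strings.Cut(f, "="); ok {
			kv[k] = v
		}
	}
	if kv["user"] == "" || kv["method"] == "" {
		return loginEvent{}, fmt.Errorf("missing user or method in %q", line)
	}
	return loginEvent{At: at, User: kv["user"], Method: kv["method"], Src: kv["src"]}, nil
}

// HuntForgedCookies flags: a cookie login with no credential login for that user within
// lookback; any cookie login by a local admin; one source presenting cookies for sprayThreshold users.
func HuntForgedCookies(lines []string, lookback time.Duration, localAdmins map[string]bool, sprayThreshold int) ([]Finding, error) {
	var events []loginEvent
	for _, l := range lines {
		ev, err := parseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].At.Before(events[j].At) })
	lastCred := map[string]time.Time{}         // user -> most recent credential login
	usersBySrc := map[string]map[string]bool{} // src -> distinct users seen presenting cookies
	var out []Finding
	for _, ev := range events {
		switch ev.Method {
		case "credentials":
			lastCred[ev.User] = ev.At
		case "cookie":
			if t, seen := lastCred[ev.User]; !seen || ev.At.Sub(t) > lookback {
				out = append(out, Finding{"cookie login without prior credential login", ev.User, ev.Src, ev.At})
			}
			if localAdmins[ev.User] {
				out = append(out, Finding{"cookie login for local administrator", ev.User, ev.Src, ev.At})
			}
			if usersBySrc[ev.Src] == nil {
				usersBySrc[ev.Src] = map[string]bool{}
			}
			usersBySrc[ev.Src][ev.User] = true
			if len(usersBySrc[ev.Src]) == sprayThreshold {
				out = append(out, Finding{"one source presenting cookies for multiple users", "*", ev.Src, ev.At})
			}
		}
	}
	return out, nil
}

// sampleLog is constructed for this example: a legitimate reconnect (jsmith), a credential
// login too old to cover its later cookie (rchen), and three cookie logins from one host.
var sampleLog = []string{
	"2026-05-14T08:00:00Z gw=gp-gw1 event=login user=rchen method=credentials src=203.0.113.55",
	"2026-05-16T09:02:11Z gw=gp-gw1 event=login user=jsmith method=credentials src=203.0.113.10",
	"2026-05-16T17:45:30Z gw=gp-gw1 event=login user=jsmith method=cookie src=203.0.113.10",
	"2026-05-17T04:02:45Z gw=gp-gw1 event=login user=admin method=cookie src=198.51.100.77",
	"2026-05-17T04:03:01Z gw=gp-gw1 event=login user=mlopez method=cookie src=198.51.100.77",
	"2026-05-17T04:03:19Z gw=gp-gw1 event=login user=rchen method=cookie src=198.51.100.77",
}

func main() {
	findings, _ := HuntForgedCookies(sampleLog, 24*time.Hour, map[string]bool{"admin": true}, 3)
	for _, f := range findings {
		fmt.Printf("%s  %-50s user=%-7s src=%s\n", f.At.Format(time.RFC3339), f.Rule, f.User, f.Src)
	}
}
```

On the sample, jsmith’s reconnect is not flagged, the admin, mlopez and rchen cookies are, and the third distinct user from 198.51.100.77 trips the spray rule. Set the lookback to the cookie lifetime your gateway is configured with, and treat the spray threshold as a tuning knob: a shared egress NAT will legitimately present cookies for several users, so the rule is a prompt to look, not a verdict.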

Broader Concerns Over Enterprise Edge Security
The incident has reignited broader concerns about enterprise edge security and the increasing concentration of critical trust functions inside externally exposed appliances. Modern firewall and VPN platforms frequently combine authentication, certificate management, web services, remote access, and traffic inspection into a single device. While operationally convenient, security researchers argue that this architectural consolidation increases systemic risk: when edge appliances fail, they fail catastrophically, and a single bypass can expose the entire internal network. Attackers increasingly prioritize edge devices because they often operate outside traditional endpoint visibility and are patched less frequently than operating systems or desktop applications. Recent years have seen a surge in attacks targeting edge infrastructure, with VPN vulnerabilities repeatedly serving as the initial foothold for ransomware operations, espionage campaigns, and data‑theft incidents.

Rising Pressure on Security Teams
The Palo Alto incident also illustrates the mounting pressure faced by enterprise security teams struggling to respond to a relentless stream of critical vulnerabilities. Organizations must now manage increasingly compressed timelines between disclosure and active exploitation. According to multiple cybersecurity studies, the average “time‑to‑exploit” for public vulnerabilities has dropped dramatically over the past decade, with some flaws weaponized in less than 24 hours. Security leaders warn that defenders are increasingly operating in a reactive environment where patch management alone may no longer provide sufficient protection. As exploitation activity continues to expand, cybersecurity experts expect intensified scanning of internet‑facing PAN‑OS devices worldwide in the coming days. For organizations relying on GlobalProtect VPN systems, the window for preventative action may be rapidly closing.
