Palo Alto GlobalProtect VPN Auth Bypass Flaw Actively Exploited, CISA Orders Federal Agencies to Patch by June 1
- Sara Montes de Oca

Palo Alto Networks confirmed Friday that attackers are actively exploiting a previously disclosed authentication bypass vulnerability in its PAN-OS GlobalProtect VPN software, tracked as CVE-2026-0257, in campaigns targeting unpatched corporate network devices.
The company had patched the flaw earlier this month, initially rating it Medium severity because exploitation required a non-default configuration: authentication override cookies had to be enabled, and the certificate used to protect those cookies had to be the same one the device used for other services. After evidence of active exploitation emerged, Palo Alto raised the severity rating to High.
"Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," the company said in an updated advisory.
The escalation follows a warning from managed detection and response firm Rapid7, which observed successful exploitation across multiple customers beginning as early as May 17, 2026.
"Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026," Rapid7 said in its disclosure.
According to Rapid7, attackers began by authenticating to GlobalProtect gateways using forged authentication override cookies targeting the local administrator account. The first wave of attacks, detected May 18, originated from infrastructure hosted by Vultr. A second wave followed on May 21, this time traced to infrastructure associated with Dromatics Systems.
In some incidents, attackers successfully connected to target devices via VPN using the forged cookies, gaining access to internal networks. In other cases, the appliance accepted the forged cookie but attackers were unable to establish a full VPN session.
The flaw's root cause lies in how PAN-OS handles authentication override cookies. A GlobalProtect device decrypts these cookies with a configured private key and then trusts the decrypted contents as-is, performing no signature or other authenticity check. Encrypting to a public key requires no secret, so whoever holds the public key can mint a cookie the device will decrypt successfully. When the same certificate is used for both HTTPS services and authentication override cookies, an attacker can read that public key out of the certificate presented in an ordinary HTTPS session and use it to craft cookies that the device accepts as legitimate.
Rapid7 developed a proof-of-concept exploit demonstrating how an attacker can retrieve public certificates from a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without valid credentials.
On May 29, 2026, the Cybersecurity and Infrastructure Security Agency added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog, ordering federal civilian agencies to apply the vendor's patches or mitigations by June 1, 2026.
Organizations running GlobalProtect VPN devices are advised to install the latest available security updates immediately. Administrators unable to patch right away can reduce exposure by disabling the authentication override feature entirely or by assigning a dedicated certificate to that feature rather than sharing it with other services on the device.
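The following is an added, simplified model of the root cause and of the dedicated-certificate mitigation described above; it is not PAN-OS code, and the actual cookie format, key sizes, padding and fix used by Palo Alto Networks are not described in the advisory and are not reproduced here. It uses textbook RSA over fixed Mersenne primes (so that primality is known without a generator) purely to show the asymmetry that makes the bug exploitable: the public key obtained from a TLS handshake lets anyone encrypt, but only the private key can sign. The key names, the `user=...;exp=...` cookie body and the `accept_hardened` check are constructed for illustration.

```python
"""
Model of a decrypt-then-trust cookie check (CVE-2026-0257 root cause) versus
two ways it fails to be exploitable: a dedicated cookie key whose public half
is never served over HTTPS, and an authenticity check the attacker cannot forge.
Toy RSA, no padding; illustration only, not a production construction.
"""
import hashlib
from typing import Optional, Tuple

E = 65537  # public exponent; coprime to phi for the primes chosen below


def make_keypair(p: int, q: int) -> Tuple[Tuple[int, int], Tuple[int, int]]:
    """Return ((n, e), (n, d)) for two known primes (hypothetical device keys)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # modular inverse, Python >= 3.8
    return (n, E), (n, d)


# Constructed keys. TLS_* plays the certificate served to every HTTPS client;
# DEDICATED_* plays a certificate assigned only to authentication override cookies.
TLS_PUB, TLS_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
DEDICATED_PUB, DEDICATED_PRIV = make_keypair(2**107 - 1, 2**607 - 1)


def _int_to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")


def rsa_encrypt(pub: Tuple[int, int], plaintext: bytes) -> int:
    n, e = pub
    m = int.from_bytes(plaintext, "big")
    assert m < n, "payload too large for this toy modulus"
    return pow(m, e, n)


def rsa_decrypt(priv: Tuple[int, int], ciphertext: int) -> bytes:
    n, d = priv
    return _int_to_bytes(pow(ciphertext, d, n))


def rsa_sign(priv: Tuple[int, int], plaintext: bytes) -> int:
    n, d = priv
    h = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    return pow(h, d, n)  # needs d: the attacker never has this


def rsa_verify(pub: Tuple[int, int], plaintext: bytes, sig: int) -> bool:
    n, e = pub
    h = int.from_bytes(hashlib.sha256(plaintext).digest(), "big")
    return pow(sig, e, n) == h


def parse_cookie(plaintext: bytes) -> Optional[str]:
    """Cookie body in this model is 'user=<name>;exp=<unix>'. Return user or None."""
    try:
        text = plaintext.decode("ascii")
    except UnicodeDecodeError:
        return None  # decryption under the wrong key yields garbage
    fields = dict(kv.split("=", 1) for kv in text.split(";") if "=" in kv)
    return fields.get("user") if {"user", "exp"}.issubset(fields) else None


def forge_cookie(pub_seen_in_tls: Tuple[int, int], user: str) -> int:
    """Attacker side: all that is needed is the public key from the HTTPS session."""
    return rsa_encrypt(pub_seen_in_tls, f"user={user};exp=1780000000".encode())


def accept_vulnerable(cookie_priv: Tuple[int, int], ct: int) -> Optional[str]:
    """Vulnerable check: decrypt, then trust whatever comes out."""
    return parse_cookie(rsa_decrypt(cookie_priv, ct))


def accept_hardened(cookie_priv, cookie_pub, ct: int, sig: int) -> Optional[str]:
    """Hypothetical hardened check: decrypt, then demand a device-made signature."""
    pt = rsa_decrypt(cookie_priv, ct)
    if not rsa_verify(cookie_pub, pt, sig):
        return None
    return parse_cookie(pt)


def issue_cookie(priv, pub, user: str) -> Tuple[int, int]:
    """Device side: a legitimate (ciphertext, signature) pair for the hardened check."""
    pt = f"user={user};exp=1780000000".encode()
    return rsa_encrypt(pub, pt), rsa_sign(priv, pt)


def demo():
    forged = forge_cookie(TLS_PUB, "admin")
    shared = accept_vulnerable(TLS_PRIV, forged)           # cert reused: 'admin'
    dedicated = accept_vulnerable(DEDICATED_PRIV, forged)  # dedicated cert: None
    # With only the public key the attacker cannot sign; 'signing' with e fails.
    pt = b"user=admin;exp=1780000000"
    bogus_sig = pow(int.from_bytes(hashlib.sha256(pt).digest(), "big"), E, TLS_PUB[0])
    hardened_forged = accept_hardened(TLS_PRIV, TLS_PUB, forged, bogus_sig)
    ct, sig = issue_cookie(TLS_PRIV, TLS_PUB, "alice")
    hardened_legit = accept_hardened(TLS_PRIV, TLS_PUB, ct, sig)
    return shared, dedicated, hardened_forged, hardened_legit


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three outcomes side by side: the shared-certificate device accepts the forged cookie as `admin`, the device with a dedicated cookie certificate decrypts it into garbage and rejects it, and a check that also requires a signature rejects the forgery while still admitting a legitimately issued cookie. The signature step is there only to make the missing-authenticity point concrete; the article does not say how Palo Alto Networks changed the cookie handling, so patching, disabling the feature, or assigning a dedicated certificate remain the supported actions.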
The active exploitation of CVE-2026-0257 arrives amid a broader period of heightened activity targeting network perimeter devices, reinforcing longstanding guidance from security agencies that internet-facing appliances should be patched on an accelerated schedule — particularly once proof-of-concept code or active campaigns have been publicly confirmed.