Palo Alto Networks has disclosed an authentication bypass vulnerability in PAN-OS GlobalProtect, tracked as CVE-2026-0257, carrying a CVSS score of 9.1. The vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog and is now confirmed to be actively exploited in the wild — Rapid7 MDR has observed successful exploitation targeting numerous customers since May 17, 2026. The CISA-mandated remediation deadline of June 1, 2026 is tomorrow — organisations still running unpatched PAN-OS devices with exposed GlobalProtect gateways are at immediate risk of unauthorised VPN access to their internal networks.
What Is the Vulnerability?
CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software. The flaw allows an unauthenticated attacker to bypass security restrictions and establish an unauthorised VPN connection to the internal network by forging authentication override cookies. Rapid7 reports that attackers specifically targeted the local administrator account using forged cookies, gaining VPN-level network access without valid credentials.
The vulnerability is classified under CWE-287 (Improper Authentication), and its CVSS score places it in the Critical range. Palo Alto Networks' own severity rating was initially Medium and has since been raised to High following confirmation of active exploitation. The CVSS v3.1 breakdown is:
- CVSS v3.1 Score: 9.1 (Critical)
- Attack Vector: Network (AV:N)
- Attack Complexity: Low (AC:L)
- Privileges Required: None (PR:N)
- User Interaction: None (UI:N)
- Impact: High on confidentiality and integrity, none on availability (C:H/I:H/A:N)
Which Versions Are Affected?
The vulnerability affects PAN-OS devices running GlobalProtect portal and gateway functionality with authentication override cookies enabled and a specific certificate configuration. Affected release branches include:
- PAN-OS 10.2.x: versions prior to 10.2.7-h32, 10.2.10-h31, and 10.2.13-h18
- PAN-OS 11.1.x: versions prior to 11.1.6-h29 and 11.1.14-h3
- PAN-OS 11.2.x: versions prior to 11.2.7-h13 and 11.2.11-h6
- PAN-OS 12.1.x: multiple versions affected
- Prisma Access deployments are also affected
Panorama management appliances and Cloud NGFW are not impacted. If your PAN-OS device runs GlobalProtect with authentication override cookies enabled, verify your version against the advisory immediately.
Is It Being Exploited in the Wild?
Yes — confirmed active exploitation. Rapid7 MDR identified successful exploitation across numerous customers with the earliest observed attack dating to May 17, 2026. Two distinct attack waves have been documented: the first wave began May 18 from infrastructure hosted by Vultr, and a second wave was detected May 21 originating from Dromatics Systems. In both campaigns, attackers used forged authentication override cookies that targeted the local administrator account, successfully authenticating to GlobalProtect gateways and establishing unauthorised VPN tunnels into corporate networks. While Rapid7 did not observe lateral movement from compromised devices, the attackers achieved network-level access equivalent to any authenticated VPN user — providing a foothold for further reconnaissance and attack staging. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a federal agency remediation deadline of June 1, 2026. Palo Alto Networks updated its advisory on May 30 to confirm exploitation and raised the severity from Medium to High.
What Is the Fix?
Palo Alto Networks has released patches across all affected PAN-OS branches. The official security advisory is available at:
https://security.paloaltonetworks.com/CVE-2026-0257
Organisations should upgrade to the appropriate fixed version for their PAN-OS release branch. If an immediate patch cannot be applied, Palo Alto Networks has documented mitigation steps in the advisory — including disabling authentication override cookies or applying certificate-based restrictions — that serve as an interim control. However, these mitigations are not a substitute for patching.
Recommendations
Patch immediately — do not wait until after the weekend. Active exploitation is confirmed, working exploit tooling exists, and attackers are actively scanning for and compromising unpatched GlobalProtect gateways. The CISA KEV deadline of June 1, 2026 is tomorrow. Federal agencies operating unpatched PAN-OS devices are non-compliant with Binding Operational Directive 22-01, and organisations in any sector running them are taking on unacceptable risk.
Audit your PAN-OS inventory. Identify every PAN-OS device in your environment — including branch office firewalls, secondary gateways, and backup appliances — and verify the running version against the affected ranges. GlobalProtect gateways are often the single point of remote access for entire organisations, making them high-value targets for attackers.
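A small inventory triage helper, added here as an example rather than code from Palo Alto Networks or Rapid7: it parses PAN-OS version strings and checks them against the fixed releases listed in this advisory. The device names and versions in the sample inventory are constructed, and 12.1.x is routed to a manual advisory check because this page lists no fixed build for that branch.

```python
import re

# Fixed releases named in this advisory, keyed by maintenance release (major, minor, maint)
# with the first fixed hotfix number. 12.1.x has no listed fix here, so it is not guessed.
FIXED_HOTFIX = {
    (10, 2, 7): 32, (10, 2, 10): 31, (10, 2, 13): 18,
    (11, 1, 6): 29, (11, 1, 14): 3,
    (11, 2, 7): 13, (11, 2, 11): 6,
}
AFFECTED_BRANCHES = {(10, 2), (11, 1), (11, 2), (12, 1)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(version):
    """Parse 'major.minor.maint[-hN]' into (major, minor, maint, hotfix); hotfix is 0 if absent."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def assess(version):
    """Classify one PAN-OS version: 'fixed', 'vulnerable', 'check-advisory' or 'not-listed'."""
    major, minor, maint, hotfix = parse_version(version)
    if (major, minor) not in AFFECTED_BRANCHES:
        return "not-listed"  # branch not named on this page; not proof of safety
    fixed = FIXED_HOTFIX.get((major, minor, maint))
    if fixed is None:
        # Hotfixes are per maintenance release, so an unlisted release (10.2.8, any 12.1.x)
        # cannot be compared against a neighbour's hotfix number: consult the advisory.
        return "check-advisory"
    return "fixed" if hotfix >= fixed else "vulnerable"

def triage_inventory(inventory):
    """Map device name -> assessment; unparsable version strings are reported, not skipped."""
    result = {}
    for device, version in inventory.items():
        try:
            result[device] = assess(version)
        except ValueError:
            result[device] = "unparsable"
    return result

# Constructed sample inventory; device names and versions are made up for illustration.
SAMPLE_INVENTORY = {
    "hq-gp-gw-01": "10.2.10-h12",   # behind 10.2.10-h31 -> vulnerable
    "branch-fw-02": "11.1.6-h29",   # exactly the fixed hotfix -> fixed
    "dr-fw-03": "11.2.11",          # base release, no hotfix -> vulnerable
    "lab-fw-04": "12.1.2",          # no 12.1.x fix listed here -> check-advisory
}
```

Treat "not-listed" and "check-advisory" as work items, not clean results: the script only encodes what this page states.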
Hunt for signs of compromise. Review GlobalProtect gateway logs for VPN sessions authenticated with override cookies, particularly those associated with the local administrator account. Look for connections originating from Vultr IP ranges or Dromatics Systems infrastructure. Rapid7 has published specific indicators of compromise that can be used to search your environment. Any session established via authentication override cookie without a corresponding legitimate administrative action should be treated as a potential intrusion.
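The hunt described above as a log triage pass, added here as an example and not Rapid7's detection logic: it flags successful gateway logins that used an override cookie, ranks those hitting the local administrator account highest, and tags sources on an address watchlist. The CSV layout, the auth-method label and the sample lines are constructed for illustration (they are not the PAN-OS GlobalProtect log schema), and the watchlist is a documentation-range placeholder to be replaced with the published indicators.

```python
import csv
import io
import ipaddress

# Constructed sample log lines in a simplified CSV layout. This is NOT the real PAN-OS
# GlobalProtect log schema; map your own export's columns onto the FIELDS names first.
SAMPLE_LOG = """\
2026-05-21T03:12:44Z,gateway-login,alice,ldap,198.51.100.20,success
2026-05-21T03:14:09Z,gateway-login,admin,auth-override-cookie,203.0.113.77,success
2026-05-21T03:15:30Z,gateway-login,bob,auth-override-cookie,198.51.100.44,success
2026-05-21T03:16:02Z,gateway-login,admin,ldap,198.51.100.9,success
2026-05-21T03:17:55Z,gateway-login,admin,auth-override-cookie,192.0.2.15,failure
"""
FIELDS = ["ts", "event", "user", "auth_method", "public_ip", "status"]

# Placeholder watchlist: the page names hosting providers, not addresses, so substitute the
# published indicators here. 203.0.113.0/24 is a documentation range used only as a stand-in.
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]
LOCAL_ADMIN_ACCOUNTS = {"admin"}
OVERRIDE_METHOD = "auth-override-cookie"  # assumed label for cookie-based authentication

def parse_log(text):
    """Read the constructed CSV layout into one dict per line."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=FIELDS))

def triage(records):
    """Return findings for successful gateway logins, most suspicious first."""
    findings = []
    for r in records:
        if r["event"] != "gateway-login" or r["status"] != "success":
            continue
        reasons = []
        if r["auth_method"] == OVERRIDE_METHOD:
            reasons.append("override-cookie")
            if r["user"] in LOCAL_ADMIN_ACCOUNTS:
                reasons.append("local-admin")
        ip = ipaddress.ip_address(r["public_ip"])
        if any(ip in net for net in WATCHLIST):
            reasons.append("watchlist-source")
        if reasons:
            findings.append({"ts": r["ts"], "user": r["user"], "src": r["public_ip"], "reasons": reasons})
    # Most reasons first: an override-cookie login to the local admin from a watchlisted
    # source is the campaign pattern described above and should be reviewed first.
    findings.sort(key=lambda f: -len(f["reasons"]))
    return findings
```

Every override-cookie session is reported, not only the admin ones, because the page treats any such session without a matching legitimate administrative action as a potential intrusion.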
Verify that authentication override cookies are necessary. If your deployment does not require authentication override cookies for legitimate operational reasons, disable this feature entirely — it eliminates the attack surface for this vulnerability. If override cookies are required, ensure they are restricted to the minimum necessary certificate configuration.
References
- Palo Alto Networks Security Advisory — CVE-2026-0257
- NVD: CVE-2026-0257
- CISA Known Exploited Vulnerabilities Catalog
- Vulnerability Intelligence Report — May 31, 2026
This advisory appears in the broader Vulnerability Intelligence Report — May 31, 2026 and was initially reported in the May 30, 2026 report. For a comprehensive view of all active threats and newly disclosed vulnerabilities, refer to the full reports.
