
Urgent Alert: Palo Alto Networks GlobalProtect Flaw Actively Exploited


Critical Vulnerability in PAN-OS GlobalProtect Under Active Exploitation

Palo Alto Networks has issued an urgent warning regarding a recently disclosed medium-severity security flaw, CVE-2026-0257, which impacts its PAN-OS and Prisma Access platforms. This authentication bypass vulnerability, with a CVSS score of 7.8, is now under active exploitation in the wild, allowing malicious actors to establish unauthorized VPN connections.

Understanding the Threat: CVE-2026-0257

The flaw specifically targets the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS® software. According to an advisory released on May 13, 2026, by Palo Alto Networks, attackers can bypass security restrictions to forge unauthorized VPN access. This critical issue is particularly concerning for firewalls where the GlobalProtect portal or gateway is configured with authentication override cookies enabled and a specific certificate configuration is in place.

Evidence of Active Exploitation

The cybersecurity community has quickly moved from theoretical risk to confirmed attacks. On May 29, 2026, Palo Alto Networks updated its advisory, confirming “limited exploit attempts on unpatched PAN-OS devices without mitigations applied.” This follows a detailed report from Rapid7, which identified successful exploitation across multiple customer environments. Rapid7’s analysis pinpointed two distinct waves of attacks: the first on May 17, 2026, and a second, more significant wave on May 21, both attributed to the same threat actor.

The second wave of exploitation saw attackers successfully obtain VPN IP assignments after bypassing cookie authentication in at least two instances, granting them access to internal networks. While Rapid7 noted no immediate follow-on activity within these compromised environments, the potential for significant impact from an authentication bypass in an edge-facing enterprise VPN appliance cannot be overstated.

Immediate Action Required: Patching and Mitigations

Given the active exploitation, organizations running affected Palo Alto Networks appliances are strongly urged to apply vendor-supplied patches without delay. For those unable to patch immediately, Palo Alto Networks and Rapid7 recommend temporary mitigations:

  • Disable the authentication override feature entirely.
  • Generate and use a new, unique certificate exclusively for the authentication override feature.
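The second mitigation only works if the new certificate is used for nothing else, so a quick way to check a fleet is to look for portals and gateways that have authentication override turned on and whose override certificate is also referenced elsewhere. The script below is an added example, not code from Palo Alto Networks or Rapid7; the inventory format (the `GpComponent` record and the `SAMPLE_INVENTORY` entries) is a constructed, simplified representation assumed for this example, not the PAN-OS configuration schema, so an operator would populate it from their own exported configuration.

```python
"""Audit GlobalProtect portals/gateways for the risky combination named in
the advisory: authentication override enabled while the override
certificate is shared with other uses.

Assumption for this example: components are described by the simple
GpComponent record below. This is NOT the PAN-OS configuration schema;
it is a constructed stand-in that an operator would fill from a real
config export.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class GpComponent:
    name: str
    kind: str                         # "portal" or "gateway"
    auth_override: bool               # authentication override cookies enabled?
    override_cert: Optional[str]      # certificate used for the override cookies
    other_certs: List[str] = field(default_factory=list)  # certs used for TLS etc.


# Constructed sample inventory (hypothetical names, not real devices).
SAMPLE_INVENTORY = [
    # Portal reuses its TLS certificate for auth override: unmitigated.
    GpComponent("gp-portal", "portal", True, "shared-wildcard", ["shared-wildcard"]),
    # Gateway with a dedicated override cert: matches the vendor mitigation.
    GpComponent("gp-gw-east", "gateway", True, "gp-override-2026", ["gw-east-tls"]),
    # Gateway with auth override disabled: not affected by this check.
    GpComponent("gp-gw-west", "gateway", False, None, ["gw-west-tls"]),
    # Gateway borrowing the portal's certificate for its override cookies.
    GpComponent("gp-gw-south", "gateway", True, "shared-wildcard", ["gw-south-tls"]),
]


def audit(components: List[GpComponent]) -> List[Tuple[str, str, str]]:
    """Return (component name, severity, message) for every component that
    has authentication override enabled.

    HIGH      -> override enabled and the override cert is used elsewhere
    HIGH      -> override enabled but no override cert is configured
    MITIGATED -> override enabled with a certificate used for nothing else
    Components with override disabled produce no finding.
    """
    # Map each certificate name to the set of (component, purpose) that use it.
    uses = {}
    for c in components:
        for cert in c.other_certs:
            uses.setdefault(cert, set()).add((c.name, "tls"))
        if c.auth_override and c.override_cert:
            uses.setdefault(c.override_cert, set()).add((c.name, "auth-override"))

    findings = []
    for c in components:
        if not c.auth_override:
            continue
        if c.override_cert is None:
            findings.append((c.name, "HIGH",
                             "auth override enabled with no dedicated override certificate"))
            continue
        others = uses[c.override_cert] - {(c.name, "auth-override")}
        if others:
            shared_with = ", ".join(f"{n} ({p})" for n, p in sorted(others))
            findings.append((c.name, "HIGH",
                             f"override cert '{c.override_cert}' is also used by: {shared_with}"))
        else:
            findings.append((c.name, "MITIGATED",
                             f"override cert '{c.override_cert}' is unique to this component"))
    return findings


if __name__ == "__main__":
    for name, severity, msg in audit(SAMPLE_INVENTORY):
        print(f"{severity:9} {name}: {msg}")
```

Anything reported as HIGH is exactly the situation the advisory describes: either disable authentication override on that component or issue it a fresh certificate that nothing else uses, then re-run the audit until only MITIGATED entries remain.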

A Broader Landscape of Threats

This incident underscores the persistent and evolving nature of cyber threats. The exploitation of CVE-2026-0257 comes on the heels of another critical report from Arctic Wolf, detailing the continued weaponization of a patched vulnerability in FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616, CVSS score: 9.1). This FortiClient flaw has been exploited to deliver credential-stealing malware known as EKZ Infostealer, highlighting the continuous need for vigilance and prompt patching across all enterprise systems.


Source: Link
