Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.
The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device.
“GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection,” reads Palo Alto’s advisory.
The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a specific certificate configuration.
However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw was now being actively exploited in attacks against unpatched devices, raising the severity rating to High.
“Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied,” reads the update.
This update comes after Rapid7 warned that it had observed the flaw being exploited against numerous customers starting on May 17.
“Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026,” explains Rapid7.
“As of May 29, 2026, this vulnerability has been added to the CISA KEV.”
According to Rapid7, the attacks began with hackers authenticating to GlobalProtect gateways using forged authentication override cookies that targeted the local administrator account.
The company first observed exploitation on May 18 from infrastructure hosted by Vultr, with a second wave of attacks detected on May 21 originating from Dromatics Systems.
In some cases, attackers were able to connect to the device via VPN using forged cookies, granting them access to internal networks. However, Rapid7 says that in many incidents, even though the appliance accepted the forged cookie, they were unable to establish a full VPN session.
Rapid7’s investigation into affected customers found that the impacted devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed attackers to forge valid authentication cookies.
The researchers say the flaw stems from PAN-OS’s validation of authentication override cookies.
A GlobalProtect VPN device decrypts these types of cookies using a configured private key and then trusts the decrypted contents without performing any signature verification.
If the same certificate is reused for both HTTPS services and authentication override cookies, attackers can obtain the corresponding public key via the HTTPS session and then use it to create forged cookies that the device will accept as legitimate.
Rapid7 developed a proof-of-concept exploit that demonstrates how an attacker can retrieve the public certificates exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without knowing valid credentials. Using this PoC, the researchers successfully authenticated to an unpatched GlobalProtect gateway.
Organizations using GlobalProtect VPN devices should immediately install the latest security updates to patch the flaws.
Admins can also mitigate the flaw by turning off the authentication override feature or utilizing a different certificate for this feature and not sharing it with other services on the device.
CISA has now added the flaw to its Known Exploited Vulnerability catalog, ordering federal agencies to mitigate the flaw by June 1, 2026.
Automated pentesting tools deliver real value, but they were built to answer one question: can an attacker move through the network? They were not built to test whether your controls block threats, your detection rules fire, or your cloud configs hold.
This guide covers the 6 surfaces you actually need to validate.
