The Palo Alto GlobalProtect VPN Bypass: What Happens When a "Medium" Flaw Gets Weaponized
It's frustrating to see a vulnerability initially downplayed, only for it to become a critical, actively exploited threat just days later. That's exactly what happened with CVE-2026-0257, an authentication bypass flaw in Palo Alto Networks' PAN-OS GlobalProtect VPN. We're now seeing active exploitation, and it's a stark reminder that static vulnerability ratings often miss the real-world picture.
When this flaw was first disclosed, it was rated "Medium." Then, on Friday, May 29, 2026, Palo Alto Networks raised the severity to High with a CVSS score of 7.8. By then attackers had already been at it for nearly two weeks: Rapid7 reported active attacks starting May 17 and observed exploitation infrastructure from May 18. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the CVE to its Known Exploited Vulnerabilities (KEV) catalog on May 29, the same day the severity was raised. That lag between observed exploitation and official warnings is a recurring pattern, and it's something we need to talk about.
How a Forged Cookie Gets You In
Here's what actually happened: CVE-2026-0257 lets attackers bypass authentication on GlobalProtect portal and gateway software. It's not some complex zero-day chain; it comes down to how PAN-OS validates authentication override cookies.
The core problem is that the appliance decrypts these cookies with its private key and then trusts whatever it finds inside. Nothing checks that the portal actually produced the cookie: there is no signature or MAC over it. Think about what decryption does and does not prove. Successfully decrypting a ciphertext tells you only that it was encrypted to your public key, and a public key is, by design, something anyone can hold. If the system treats "it decrypted cleanly" as "it is legitimate," then anyone who can encrypt to that key can mint a cookie.
The attack chain goes like this:
- Certificate Exposure: If an organization reuses the same certificate for its HTTPS services and for authentication override cookies, the TLS handshake hands every client that certificate, and with it the public key the cookies are encrypted to. Nothing about this step is hard; the certificate is meant to be public.
- Cookie Forgery: With that public key, an attacker encrypts a cookie of their own construction carrying an arbitrary username, including a local administrator account. Because encrypting to a public key requires no secret, the forged cookie is, to the gateway, indistinguishable from one the portal issued.
- Authentication Bypass: The unpatched GlobalProtect gateway decrypts the cookie, finds the "local admin" claim, and, since it never verifies a signature, grants the session. The attacker is in without ever presenting a credential.
Rapid7 even developed a proof-of-concept that successfully pulled public certificates, generated forged cookies for arbitrary users, and authenticated to unpatched gateways without needing valid credentials. That's a clear path to network access.
The Real Impact: Internal Network Access
The practical impact of this flaw is significant. In some incidents, attackers established full VPN connections and then moved laterally into internal networks. That is not just an information leak; it is a foothold inside your perimeter with the access the impersonated account carries.
Not every attempt led to a full VPN session. In many cases the appliance accepted the forged cookie but a complete session was never established. That's a small comfort, but it doesn't change the fact that the authentication bypass itself worked, and during an investigation an accepted forged cookie should be treated as a successful bypass whether or not a tunnel followed.
Who's at risk? Any organization running unpatched PAN-OS GlobalProtect portal and gateway software, especially if they have authentication override cookies enabled and are reusing certificates across services. This isn't a targeted attack on a specific industry; it aims at any system with this configuration.
The discussions I've seen on platforms like Reddit (r/SecOpsDaily, r/paloaltonetworks) reflect a lot of concern. People are frustrated that an initial "medium" rating didn't reflect the critical real-world impact. They're actively sharing details about the specific configurations that make this flaw exploitable, which tells you how quickly the community mobilizes when official warnings feel a step behind.
What We Need to Do Now
Palo Alto Networks has released security updates, and installing them is the absolute top priority. CISA has given federal agencies until June 1, 2026, to mitigate this flaw, which tells you how seriously they're taking it.
If you can't patch immediately, you have a couple of alternative mitigations:
- Turn off the authentication override feature. This removes the attack vector entirely.
- Use a different certificate for the authentication override feature, one that is not shared with any other service on the device. This denies the attacker the easy route to the public key the forgery needs. Treat it as a stopgap rather than a fix: a certificate's public key is not a secret by design, and the mitigation holds only as long as the attacker has no other way to obtain that certificate. The underlying missing-signature bug is still there until you patch.
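To make the design flaw and the two mitigations concrete, here is an added toy model. It is written for this article and is not Palo Alto Networks code: the "user=<name>" cookie body, every function name, and the deliberately tiny unpadded RSA (so it runs with only the Python standard library) are all hypothetical stand-ins for the mechanism described above. It shows three things: a gateway that decrypts and then trusts accepts a cookie forged with nothing but the public key; a dedicated cookie key makes a cookie encrypted to the TLS key decrypt to garbage; and an authenticity check under a secret the attacker lacks closes the hole. The HMAC stands in for the signature the text says is missing; a production fix would sign the cookie or use an AEAD.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Toy textbook RSA: no padding, tiny Mersenne-prime moduli, illustration only.
# The cookie format ("user=<name>") and every name below are hypothetical; none
# of this is PAN-OS code. It models the mechanism the article describes.
E = 65537


def make_toy_keypair(p: int, q: int):
    """Return ((e, n), (d, n)) for two primes. Toy sizes only."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (E, n), (d, n)


# Key the portal presents over HTTPS: every client receives its public half.
TLS_PUBLIC, TLS_PRIVATE = make_toy_keypair(2**61 - 1, 2**89 - 1)
# Unrelated key standing in for the "dedicated cookie certificate" mitigation.
COOKIE_PUBLIC, COOKIE_PRIVATE = make_toy_keypair(2**107 - 1, 2**127 - 1)


def rsa_encrypt(pub, payload: bytes) -> int:
    """c = m^e mod n. Needs only the public key, which is the whole problem."""
    e, n = pub
    m = int.from_bytes(payload, "big")
    if m >= n:
        raise ValueError("payload too large for the toy modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, ciphertext: int) -> bytes:
    """m = c^d mod n. Needs the private key held by the appliance."""
    d, n = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def parse_user(payload: bytes) -> Optional[str]:
    """Hypothetical cookie body 'user=<name>'; anything else is rejected."""
    key, sep, value = payload.partition(b"=")
    if sep != b"=" or key != b"user":
        return None
    return value.decode("ascii", errors="replace")


def build_cookie(public_key, user: str) -> int:
    """Used by the real portal AND by the attacker: same inputs, same output."""
    return rsa_encrypt(public_key, b"user=" + user.encode("ascii"))


def vulnerable_gateway(cookie: int, private_key) -> Optional[str]:
    """Decrypt, then trust. Nothing checks that the portal produced this cookie."""
    return parse_user(rsa_decrypt(private_key, cookie))


# Hardened variant: the cookie carries an HMAC under a key the attacker does
# not hold. A production fix would use a signature or an AEAD; the toy keeps
# the point narrow: authenticity requires a secret, decryptability does not.
COOKIE_MAC_KEY = secrets.token_bytes(32)


def _tag(ciphertext: int) -> bytes:
    return hmac.new(COOKIE_MAC_KEY, ciphertext.to_bytes(32, "big"), hashlib.sha256).digest()


def portal_issue_authenticated_cookie(user: str) -> Tuple[int, bytes]:
    ciphertext = build_cookie(TLS_PUBLIC, user)
    return ciphertext, _tag(ciphertext)


def hardened_gateway(cookie: Tuple[int, bytes]) -> Optional[str]:
    ciphertext, tag = cookie
    if not hmac.compare_digest(tag, _tag(ciphertext)):
        return None  # reject before decrypting or parsing anything
    return parse_user(rsa_decrypt(TLS_PRIVATE, ciphertext))


if __name__ == "__main__":
    forged = build_cookie(TLS_PUBLIC, "admin")  # attacker holds only TLS_PUBLIC
    # 1. Certificate reused: cookie key == TLS key. Forged admin is accepted.
    print("reused cert, forged admin:", vulnerable_gateway(forged, TLS_PRIVATE))
    # 2. Mitigation: dedicated cookie key. The forgery decrypts to garbage.
    print("separate cert, forged    :", vulnerable_gateway(forged, COOKIE_PRIVATE))
    # 3. Fix: authenticity check. Without the MAC key there is no session.
    print("hardened, forged         :", hardened_gateway((forged, bytes(32))))
```

Note that `build_cookie` is shared by the portal and the attacker on purpose: when the only input to cookie creation is a public key, there is no computation the attacker cannot perform, which is exactly why the separate-certificate mitigation only hides the key rather than removing the flaw.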
This incident shows us, again, that we can't just rely on initial CVSS scores. A "medium" rating can quickly become a critical threat when the conditions for exploitation are common and the impact is direct network access. We need to move beyond static vulnerability ratings and adopt a more dynamic, threat-informed approach. When Rapid7 or other threat intelligence firms report active exploitation, that's your cue to act, regardless of the initial score. That's the non-negotiable part.