Palo Alto Networks PAN-OS Vulnerability (CVE-2026-0257) Under Active Exploitation

Actively Exploited PAN-OS Flaw (CVE-2026-0257) Allows VPN Hijack, CISA Adds to KEV

Severity: CRITICAL
Published: May 30, 2026
Updated: June 1, 2026
Topics: Vulnerability, Patch Management, Security Operations

Related Entities (initial)

Organizations

Cybersecurity and Infrastructure Security Agency (CISA), Palo Alto Networks, Rapid7

Products & Tech

GlobalProtect, PAN-OS, Prisma Access

CVE Identifiers

CVE-2026-0257
MEDIUM
CVSS: 7.8

Full Report (when first published)

Executive Summary

Palo Alto Networks has issued an urgent warning that a medium-severity authentication bypass vulnerability, CVE-2026-0257, is under active exploitation. The flaw resides in the PAN-OS software that powers the company's firewalls and affects the GlobalProtect portal and gateway features. Successful exploitation allows an attacker to forge authentication cookies and establish an unauthorized VPN session, bypassing all authentication controls. Security firm Rapid7 has confirmed observing exploitation attempts, and in response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog. Organizations are strongly advised to apply patches immediately or implement the recommended mitigations.


Vulnerability Details

CVE-2026-0257 is an authentication bypass vulnerability with a CVSS v3.1 score of 7.8. The flaw arises from a specific misconfiguration where the "authentication override" feature is enabled on the GlobalProtect portal or gateway, and the certificate used to encrypt and decrypt the authentication override cookies is also used for another function (e.g., the portal's main HTTPS service).

In this scenario, an attacker can potentially access the public key of the certificate. By obtaining the public key, the attacker can then forge a valid authentication cookie, present it to the GlobalProtect interface, and gain access as if they were a legitimate, authenticated user. This allows them to establish a VPN connection and gain access to the internal network protected by the firewall.


Affected Systems

The vulnerability affects specific versions of PAN-OS when the following conditions are met:

  1. A GlobalProtect portal or gateway is configured.
  2. The authentication override feature is enabled with an authentication override cookie.
  3. The certificate used for the authentication override feature is also used for another purpose on the firewall.

Organizations using Palo Alto Networks firewalls with GlobalProtect VPN are urged to review their configurations to determine if they are vulnerable.


Exploitation Status

The vulnerability is being actively exploited in the wild. Palo Alto Networks confirmed awareness of limited exploit attempts on May 29, 2026. Security firm Rapid7 reported observing successful exploitation against multiple customers, with two distinct waves of activity on May 17 and May 21, 2026. Due to this confirmed exploitation, CISA added the vulnerability to its KEV catalog on May 29, 2026, requiring U.S. federal civilian agencies to patch by a specified deadline.


Impact Assessment

Successful exploitation of CVE-2026-0257 grants an attacker unauthorized access to a victim's internal network via the VPN. This effectively bypasses a critical layer of perimeter defense. Once inside the network, the attacker can conduct reconnaissance, move laterally to other systems, and attempt to exfiltrate data or deploy further malware, such as ransomware. For organizations that rely on GlobalProtect for remote access, this vulnerability represents a critical breach of their security posture, as it turns a primary defense mechanism into an open door for intruders.


Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  1. Type: log_source
     Value: Palo Alto Networks Firewall Logs
     Description: Look for successful GlobalProtect authentications from unknown or suspicious IP addresses, especially if they correlate with the exploitation timeline (May 17 onwards).
  2. Type: network_traffic_pattern
     Value: (Internal Network)
     Description: Monitor for anomalous internal network activity (e.g., network scans, access to sensitive shares) originating from the IP pool assigned to GlobalProtect users.
  3. Type: api_endpoint
     Value: /global-protect/portal/css/login.css
     Description: Attackers may probe for the vulnerability by making requests to various GlobalProtect endpoints. A spike in requests to portal assets from a single IP could be a sign of reconnaissance.

Detection Methods

  1. Vulnerability Scanning: Use vulnerability scanners with updated plugins to identify firewalls running a vulnerable version of PAN-OS with the specific at-risk configuration.
  2. Log Analysis (D3-NTA): Analyze firewall and VPN logs for anomalies. Key indicators include:
    • Successful VPN connections from unexpected geographic locations or IP ranges.
    • Multiple failed authentication attempts followed by a sudden success from the same IP.
    • A user account showing concurrent VPN sessions from geographically dispersed locations.
  3. Configuration Audit: Programmatically or manually audit your Palo Alto Networks firewall configurations. Specifically, check if the certificate assigned under Device > GlobalProtect > Portals/Gateways > Agent > Agent Configs > App is the same as the one used for another service.
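As an added example (not from the original article, Palo Alto Networks or Rapid7), the three log-analysis indicators in item 2 and the first hunting hint above can be expressed as a small Python hunt over GlobalProtect authentication events. The record layout (timestamp, user, source IP, country, outcome), the sample lines, the expected-country list, the trusted range and the assumed session lifetime are all constructed for the illustration and are not PAN-OS's real log format; in practice the fields would be mapped from exported GlobalProtect logs or a SIEM, and the country from whatever GeoIP enrichment is available.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Constructed sample GlobalProtect authentication events (NOT the real PAN-OS
# log layout): timestamp,user,source_ip,country,outcome
SAMPLE_LOG = """\
2026-05-17T03:11:02Z,alice,203.0.113.10,US,auth-fail
2026-05-17T03:11:09Z,alice,203.0.113.10,US,auth-fail
2026-05-17T03:11:15Z,alice,203.0.113.10,US,auth-fail
2026-05-17T03:11:21Z,alice,203.0.113.10,US,auth-success
2026-05-17T03:40:44Z,alice,198.51.100.7,NL,auth-success
2026-05-17T08:02:10Z,bob,192.0.2.55,US,auth-success
2026-05-16T22:15:00Z,carol,198.51.100.9,DE,auth-success
"""

# First exploitation wave reported by Rapid7; used to scope the location check.
EXPLOITATION_START = datetime(2026, 5, 17, tzinfo=timezone.utc)


@dataclass
class GpEvent:
    ts: datetime
    user: str
    src_ip: str
    country: str
    outcome: str  # "auth-success" or "auth-fail"


def parse_events(text):
    """Parse the constructed CSV layout into GpEvent records, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, country, outcome = line.split(",")
        events.append(GpEvent(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                              user, ip, country, outcome))
    return sorted(events, key=lambda e: e.ts)


def unexpected_locations(events, expected_countries, trusted_nets=(), since=None):
    """Successful logins from outside the expected countries and trusted ranges,
    optionally limited to events at or after `since` (the exploitation timeline)."""
    nets = [ip_network(n) for n in trusted_nets]
    hits = []
    for e in events:
        if e.outcome != "auth-success" or (since is not None and e.ts < since):
            continue
        if e.country in expected_countries or any(ip_address(e.src_ip) in n for n in nets):
            continue
        hits.append(e)
    return hits


def failures_then_success(events, min_failures=3, window=timedelta(minutes=10)):
    """A success preceded by at least min_failures failures from the same IP within the window."""
    by_ip = defaultdict(list)
    for e in events:  # events are already time-ordered
        by_ip[e.src_ip].append(e)
    hits = []
    for ip, evs in by_ip.items():
        for i, e in enumerate(evs):
            if e.outcome != "auth-success":
                continue
            fails = [f for f in evs[:i] if f.outcome == "auth-fail" and e.ts - f.ts <= window]
            if len(fails) >= min_failures:
                hits.append((ip, e.user, len(fails), e.ts))
    return hits


def dispersed_sessions(events, session_ttl=timedelta(hours=8)):
    """Same user with overlapping sessions from different countries. Assumes
    (constructed) that each success opens a session that lives for session_ttl."""
    by_user = defaultdict(list)
    for e in events:
        if e.outcome == "auth-success":
            by_user[e.user].append(e)
    hits = []
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b.ts - a.ts <= session_ttl and a.country != b.country:
                    hits.append((user, a.country, b.country, b.ts))
    return hits


def hunt(text, expected_countries=("US",), trusted_nets=("192.0.2.0/24",)):
    """Run all three rules and return the findings keyed by rule name."""
    events = parse_events(text)
    return {
        "unexpected_location": unexpected_locations(events, set(expected_countries),
                                                    trusted_nets, since=EXPLOITATION_START),
        "failures_then_success": failures_then_success(events),
        "dispersed_sessions": dispersed_sessions(events),
    }


if __name__ == "__main__":
    for rule, hits in hunt(SAMPLE_LOG).items():
        print(f"{rule}: {len(hits)} hit(s)")
        for h in hits:
            print("   ", h)
```

On the constructed sample every rule fires once, all on the same account: three failures then a success from 203.0.113.10, followed half an hour later by a success from a Dutch address, which is the kind of cluster worth pulling into an investigation. Carol's German login is excluded from the location rule only because it predates May 17; drop the `since` argument to widen the hunt.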

Remediation Steps

Palo Alto Networks has released patched versions of PAN-OS and strongly urges all affected customers to upgrade immediately.

Immediate Mitigation (if patching is not possible): If you cannot upgrade immediately, you can mitigate the vulnerability by breaking the precondition for the attack. Choose one of the following:

  1. Disable Authentication Override: In the firewall configuration, disable the authentication override feature for the GlobalProtect portal and gateway; or
  2. Use a Dedicated Certificate: Configure a new, unique, self-signed certificate that is used only for the authentication override feature and for no other purpose on the firewall. This prevents the attacker from being able to obtain the public key needed to forge the cookie.

Verification: After applying the patch or mitigation, verify that the GlobalProtect portal is functioning as expected for legitimate users and that the configuration no longer uses a shared certificate for the override feature.
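To make the configuration audit in detection item 3 and this verification step repeatable, here is an added Python example (not Palo Alto Networks' tooling, and not derived from the article) that walks an exported configuration, collects every reference to a certificate, and flags any enabled authentication override whose certificate is referenced anywhere else, including indirectly through a TLS service profile that the portal or gateway's HTTPS service uses. The XML element names and the sample configuration are a constructed, simplified stand-in for the relationships described in the article; they are not the real PAN-OS configuration schema, so the paths would need adjusting before running this against an actual export.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed, simplified configuration. Element names are a hypothetical
# illustration of the relationships involved, not the real PAN-OS schema.
SAMPLE_CONFIG = """\
<config>
  <ssl-tls-service-profile>
    <entry name="gp-portal-tls"><certificate>portal-cert</certificate></entry>
  </ssl-tls-service-profile>
  <global-protect>
    <portal>
      <entry name="corp-portal">
        <ssl-tls-service-profile>gp-portal-tls</ssl-tls-service-profile>
        <authentication-override>
          <enabled>yes</enabled>
          <certificate>portal-cert</certificate>
        </authentication-override>
      </entry>
    </portal>
    <gateway>
      <entry name="corp-gateway">
        <ssl-tls-service-profile>gp-portal-tls</ssl-tls-service-profile>
        <authentication-override>
          <enabled>yes</enabled>
          <certificate>override-only</certificate>
        </authentication-override>
      </entry>
      <entry name="lab-gateway">
        <authentication-override>
          <enabled>no</enabled>
          <certificate>portal-cert</certificate>
        </authentication-override>
      </entry>
    </gateway>
  </global-protect>
</config>
"""


def certificate_uses(root):
    """Map certificate name -> set of config paths that reference it.
    Direct references are <certificate> elements; a reference to a TLS service
    profile is resolved to the certificate that profile carries."""
    profile_cert = {}
    for prof in root.findall("./ssl-tls-service-profile/entry"):
        cert = prof.findtext("certificate")
        if cert:
            profile_cert[prof.get("name")] = cert.strip()
    uses = defaultdict(set)

    def walk(el, path):
        for child in el:
            if child.tag == "ssl-tls-service-profile" and len(child):
                continue  # profile definitions are counted where they are referenced
            name = child.get("name")
            cpath = f"{path}/{child.tag}" + (f"[{name}]" if name else "")
            text = (child.text or "").strip()
            if child.tag == "certificate" and text:
                uses[text].add(cpath)
            elif child.tag == "ssl-tls-service-profile" and text in profile_cert:
                uses[profile_cert[text]].add(f"{cpath}->{text}")
            walk(child, cpath)

    walk(root, "")
    return uses


def find_shared_override_certs(config_xml):
    """One finding per enabled authentication override whose certificate is also
    referenced anywhere else, i.e. the shared-certificate precondition."""
    root = ET.fromstring(config_xml)
    uses = certificate_uses(root)
    findings = []
    for kind in ("portal", "gateway"):
        for entry in root.findall(f"./global-protect/{kind}/entry"):
            override = entry.find("authentication-override")
            if override is None or (override.findtext("enabled") or "no").strip() != "yes":
                continue  # override not enabled: precondition 2 is not met
            cert = (override.findtext("certificate") or "").strip()
            own = f"/global-protect/{kind}/entry[{entry.get('name')}]/authentication-override/certificate"
            others = sorted(uses.get(cert, set()) - {own})
            if others:
                findings.append({"kind": kind, "object": entry.get("name"),
                                 "certificate": cert, "also_used_by": others})
    return findings


def with_dedicated_cert(config_xml, object_name, new_cert):
    """Model mitigation option 2: point one object's override at a certificate
    used nowhere else, and return the modified configuration."""
    root = ET.fromstring(config_xml)
    for entry in root.iter("entry"):
        cert_el = entry.find("authentication-override/certificate")
        if entry.get("name") == object_name and cert_el is not None:
            cert_el.text = new_cert
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in find_shared_override_certs(SAMPLE_CONFIG):
        print(f"{f['kind']} {f['object']}: override certificate '{f['certificate']}' is also used by:")
        for u in f["also_used_by"]:
            print("   ", u)
    fixed = with_dedicated_cert(SAMPLE_CONFIG, "corp-portal", "gp-override-dedicated")
    print("findings after mitigation:", len(find_shared_override_certs(fixed)))
```

In the sample, only corp-portal is flagged: its override certificate also backs the TLS profile used by both the portal and corp-gateway, and is still named by lab-gateway's disabled override. corp-gateway already uses a certificate referenced nowhere else, and lab-gateway is skipped because its override is off. Re-running the audit on the modified configuration returning no findings is the verification step above expressed as code.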

Timeline of Events

  1. May 13, 2026: Palo Alto Networks first releases the security advisory for CVE-2026-0257.
  2. May 17, 2026: Rapid7 observes the first wave of exploitation attempts in the wild.
  3. May 21, 2026: Rapid7 observes a second wave of exploitation attempts.
  4. May 29, 2026: Palo Alto Networks updates its advisory to confirm active exploitation, and CISA adds CVE-2026-0257 to its KEV catalog.
  5. May 30, 2026: This article was published.

Article Updates

June 1, 2026

CISA sets June 1 deadline for federal agencies to patch CVE-2026-0257; Prisma Access also affected. Rapid7 observed no post-exploitation lateral movement.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has set a mandatory patching deadline of June 1, 2026, for federal agencies to address the actively exploited CVE-2026-0257. This update reinforces the urgency of remediation for the authentication bypass flaw in Palo Alto Networks' PAN-OS GlobalProtect. Additionally, the vulnerability has been confirmed to affect Prisma Access. Security firm Rapid7, which observed initial exploitation waves, reported that while attackers successfully bypassed authentication, they did not observe any subsequent post-exploitation lateral movement within compromised networks. This provides a clearer picture of the immediate impact of observed attacks, though the potential for full compromise remains high if not patched.

June 1, 2026

Severity increased

Severity of CVE-2026-0257 increased to critical (CVSS 9.1); Prisma Access now confirmed affected alongside PAN-OS.

The critical authentication bypass vulnerability, CVE-2026-0257, in Palo Alto Networks' GlobalProtect VPN has been re-evaluated, with its CVSS score increasing from 7.8 to 9.1, elevating its severity to critical. Additionally, Prisma Access products are now explicitly confirmed to be affected, expanding the scope of vulnerable systems beyond just PAN-OS. The vulnerability remains under active exploitation, and CISA added it to its KEV catalog on May 31, 2026, underscoring the urgent need for patching or mitigation.


Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

CISA, CVE, GlobalProtect, KEV, PAN-OS, Palo Alto Networks, VPN, vulnerability
