Palo Alto Networks warns of attacks using PAN-OS VPN bypass flaw CVE-2026-0257

Palo Alto Networks has issued a warning about ongoing attacks targeting CVE-2026-0257, a vulnerability in PAN-OS that enables attackers to bypass authentication controls and gain unauthorized access through VPN connections.

The flaw affects the GlobalProtect portal and gateway components of PAN-OS, allowing threat actors to establish VPN sessions without valid credentials. Palo Alto Networks released a fix for the issue on May 13, but within weeks, security researchers began observing exploitation activity in the wild. Rapid7 confirmed multiple incidents across customer environments, and by early June, CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, signaling active threat activity.

This vulnerability does not impact Panorama or Cloud NGFW deployments, but it poses a serious risk to exposed GlobalProtect configurations. At its core, the issue stems from an authentication bypass weakness that allows attackers to circumvent security checks and connect directly to internal networks.

In many cases, exploitation is tied to a specific configuration scenario. When organizations use the same certificate for both HTTPS services and authentication cookie encryption (a common but insecure setup), attackers can extract the public key from the HTTPS connection. With this key, they can generate forged authentication cookies for arbitrary users, including administrative accounts. These fake credentials are then accepted by the system without additional validation, effectively granting unauthorized access. Proof-of-concept code developed by Rapid7 demonstrates how quickly this attack can be carried out, often in just seconds.

Technical analysis shows that PAN-OS decrypts authentication cookies using a private key but does not perform signature verification afterward. As a result, once a malicious cookie is decrypted successfully, its contents are trusted without further checks, creating a critical security gap.

Rapid7 detected the first exploitation attempts on May 18, with activity traced back to infrastructure hosted by Vultr. Logs revealed attackers authenticating as local administrators using forged cookies, often identifying client systems with consistent markers such as specific hostnames and spoofed MAC addresses. A second wave of attacks followed on May 21, originating from a different hosting provider but showing similar tactics and indicators. Based on these similarities, researchers believe both waves were likely conducted by the same threat actor.

In some instances, attackers were able to fully establish VPN sessions, receiving internal IP addresses and gaining access to corporate networks. However, not all attempts resulted in complete VPN access, and researchers are still investigating why some systems were more susceptible than others.

The vulnerability appears to affect systems configured with two specific conditions: Cloud Authentication Service disabled and authentication override cookies enabled using a shared certificate. Organizations that meet these criteria are particularly at risk and should take immediate action.

To mitigate the issue, Palo Alto Networks recommends upgrading to a patched version of PAN-OS. As an interim measure, organizations can disable the authentication override feature or use a separate, dedicated certificate exclusively for cookie encryption. Rapid7 has also released tools to help organizations determine whether their systems are vulnerable.

Security teams are urged to review logs for indicators of compromise, including suspicious VPN logins, known malicious IP addresses, and anomalous client attributes such as unusual hostnames or mismatched system identifiers. Palo Alto further advises initiating incident response procedures if any signs of unauthorized access are detected.
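As an added illustration of the log review described above (this is not code from the article, Rapid7 or Palo Alto Networks), the following Python script runs two of the checks over constructed, simplified log lines: it flags one client hostname/MAC fingerprint presented by several different usernames, and successful cookie-based logins for privileged accounts. The key=value field names and the privileged-account list are assumptions, not the real PAN-OS log schema.

```python
import re
from collections import defaultdict

# Constructed sample records in a simplified key=value format. This is NOT the real
# PAN-OS/GlobalProtect log schema, only a stand-in for the fields an analyst would extract.
SAMPLE_LOGS = """\
ts=2025-05-18T03:12:07Z user=jsmith src=203.0.113.10 host=JSMITH-LAPTOP mac=00:11:22:33:44:55 auth=cookie result=success
ts=2025-05-18T03:14:41Z user=admin src=198.51.100.7 host=DESKTOP-ABC123 mac=aa:bb:cc:dd:ee:ff auth=cookie result=success
ts=2025-05-18T03:15:02Z user=svc_backup src=198.51.100.7 host=DESKTOP-ABC123 mac=aa:bb:cc:dd:ee:ff auth=cookie result=success
ts=2025-05-18T03:16:30Z user=mlee src=198.51.100.7 host=DESKTOP-ABC123 mac=aa:bb:cc:dd:ee:ff auth=cookie result=failure
ts=2025-05-18T08:00:12Z user=mlee src=203.0.113.22 host=MLEE-MBP mac=66:77:88:99:aa:bb auth=password result=success
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_logs(text):
    """Turn each non-empty line into a dict of key=value fields."""
    return [dict(FIELD_RE.findall(line)) for line in text.splitlines() if line.strip()]


def find_shared_client_identities(records, min_users=2):
    """Flag (hostname, MAC) pairs presented by several distinct usernames over cookie auth.
    A forged-cookie campaign tends to reuse one client fingerprint across many accounts."""
    users_by_client = defaultdict(set)
    for r in records:
        if r.get("auth") == "cookie":
            users_by_client[(r["host"], r["mac"])].add(r["user"])
    return sorted(
        (host, mac, sorted(users))
        for (host, mac), users in users_by_client.items()
        if len(users) >= min_users
    )


def find_privileged_cookie_logins(records, privileged=frozenset({"admin"})):
    """Successful cookie-based (authentication override) logins for privileged accounts."""
    return [
        (r["ts"], r["user"], r["src"])
        for r in records
        if r.get("auth") == "cookie" and r.get("result") == "success" and r["user"] in privileged
    ]


def analyze(text):
    """Run both checks and return their hits for triage."""
    records = parse_logs(text)
    return {
        "shared_identities": find_shared_client_identities(records),
        "privileged_cookie_logins": find_privileged_cookie_logins(records),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOGS))
```

On the sample, the DESKTOP-ABC123 fingerprint is tied to three different accounts from one source address, and the admin cookie login is surfaced for follow-up; a real deployment would feed exported gateway logs through the same parser and add an allowlist of expected admin source ranges.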

Although the vulnerability was initially rated as medium severity due to its configuration requirements, many experts have challenged that assessment, noting that any flaw allowing unauthenticated access to an internet-facing VPN gateway should be treated as critical due to the potential for direct network compromise.

While no widespread post-exploitation activity has yet been confirmed, the ability to bypass authentication and gain internal access makes this vulnerability highly dangerous. Organizations are strongly advised to patch immediately, audit their configurations, and monitor for suspicious activity to prevent potential breaches.
