Cybersecurity
PAN-OS GlobalProtect Bypass Under Active Exploitation
By Sentinel News Editorial Team
May 30, 2026
Source: Thehackernews
Palo Alto Networks has confirmed active exploitation of a recently disclosed security vulnerability, CVE-2026-0257, impacting its PAN-OS and Prisma Access platforms. This medium-severity flaw allows for authentication bypass, enabling unauthorized establishment of VPN connections through GlobalProtect portals and gateways. The issue specifically affects configurations where authentication override cookies are enabled alongside certain certificate setups, presenting a direct threat to network perimeters.
This incident underscores the persistent strategic targeting of edge-facing network appliances by sophisticated adversaries. Such devices, often critical for remote access and organizational connectivity, represent high-value entry points for actors seeking to penetrate sensitive enterprise and government networks globally.
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections.
"Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection," Palo Alto Networks said in an advisory released on May 13, 2026.
The issue specifically affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists, the network security company said.
In an update to its advisory on May 29, 2026, Palo Alto Networks said it has "become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied."
The development comes after Rapid7 revealed it identified successful exploitation across numerous customers, with the earliest efforts dating back to May 17, 2026, followed by a second wave on May 21. Both exploitation sets are assessed to be the work of the same threat actor.
The activity observed in the second wave involved VPN IP assignment following the cookie authentication in two cases, granting the attacker access to the internal network. No follow-on activity was observed in the customer environments where a VPN session was established, the cybersecurity vendor added.
"An authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations," Rapid7 said. "As such, organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis."
As temporary mitigations, it's recommended to either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature.
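The two mitigations above are configuration changes, so a defender's first step is finding every GlobalProtect portal or gateway that matches the affected combination. The script below is an added example written for this article; it is not Palo Alto Networks' or Rapid7's code, and it does not use the vendor's schema. The XML layout in `SAMPLE_CONFIG` is a constructed, simplified approximation of a PAN-OS configuration export (element names such as `authentication-override`, `generate-cookie`, `accept-cookie` and `cookie-encrypt-decrypt-cert` are assumptions and must be checked against a real `show config running` export before the XPaths are trusted). The advisory does not spell out which certificate configuration is the risky one; because the second mitigation is a certificate used *exclusively* for authentication override, the script treats a cookie certificate that is also bound to an SSL/TLS service profile as "shared", which is this example's approximation. It also carries both mitigations as functions: switching the override feature off, or re-pointing the override at a dedicated certificate and refusing one that is already used elsewhere.

```python
import xml.etree.ElementTree as ET

# Constructed sample configuration (an assumption, not the vendor schema):
# one portal with cookie generation AND acceptance on, using the same
# certificate as its TLS profile; one gateway that only accepts cookies
# and already uses a dedicated cookie certificate.
SAMPLE_CONFIG = """<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="portal-tls"><certificate>portal-cert</certificate></entry>
      <entry name="gateway-tls"><certificate>gateway-cert</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <global-protect>
    <global-protect-portal>
      <entry name="gp-portal">
        <portal-config><ssl-tls-service-profile>portal-tls</ssl-tls-service-profile></portal-config>
        <client-config><configs><entry name="default">
          <authentication-override>
            <generate-cookie>yes</generate-cookie>
            <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
            <cookie-encrypt-decrypt-cert>portal-cert</cookie-encrypt-decrypt-cert>
          </authentication-override>
        </entry></configs></client-config>
      </entry>
    </global-protect-portal>
    <global-protect-gateway>
      <entry name="gp-gateway">
        <ssl-tls-service-profile>gateway-tls</ssl-tls-service-profile>
        <remote-user-tunnel-configs><entry name="default">
          <authentication-override>
            <generate-cookie>no</generate-cookie>
            <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
            <cookie-encrypt-decrypt-cert>gp-cookie-only-cert</cookie-encrypt-decrypt-cert>
          </authentication-override>
        </entry></remote-user-tunnel-configs>
      </entry>
    </global-protect-gateway>
  </global-protect>
</config>"""

OBJECT_PATHS = (".//global-protect-portal/entry", ".//global-protect-gateway/entry")


def load_config(xml_text):
    """Parse an exported configuration into an element tree root."""
    return ET.fromstring(xml_text)


def tls_certificates(root):
    """Certificates bound to SSL/TLS service profiles, i.e. certificates that
    serve a purpose other than the authentication-override cookie."""
    return {e.findtext("certificate") for e in root.iterfind(".//ssl-tls-service-profile/entry")}


def audit(root):
    """One finding per portal/gateway where cookie-based authentication
    override is enabled (cookies generated or accepted), noting whether the
    cookie certificate is shared with a TLS profile (this example's proxy for
    the advisory's 'specific certificate configuration')."""
    shared_certs = tls_certificates(root)
    findings = []
    for path in OBJECT_PATHS:
        for obj in root.iterfind(path):
            for ao in obj.iterfind(".//authentication-override"):
                generates = ao.findtext("generate-cookie") == "yes"
                accepts = ao.find("accept-cookie") is not None
                if not (generates or accepts):
                    continue  # feature off: not in the affected configuration
                cert = ao.findtext("cookie-encrypt-decrypt-cert")
                findings.append({
                    "object": obj.get("name"),
                    "generate_cookie": generates,
                    "accept_cookie": accepts,
                    "cookie_cert": cert,
                    "cert_shared": cert in shared_certs,
                })
    return findings


def disable_authentication_override(root):
    """Mitigation 1: stop generating and accepting override cookies.
    Returns how many authentication-override blocks were changed."""
    changed = 0
    for ao in root.iterfind(".//authentication-override"):
        touched = False
        gen = ao.find("generate-cookie")
        if gen is not None and gen.text == "yes":
            gen.text = "no"
            touched = True
        acc = ao.find("accept-cookie")
        if acc is not None:
            ao.remove(acc)
            touched = True
        changed += touched
    return changed


def dedicate_cookie_certificate(root, cert_name):
    """Mitigation 2: point every override block at a certificate used for
    nothing else. Rejects a name already bound to a TLS profile, because the
    whole point is that the cookie certificate is exclusive."""
    if cert_name in tls_certificates(root):
        raise ValueError(f"{cert_name!r} is already used by a TLS profile; pick a dedicated certificate")
    changed = 0
    for cert in root.iterfind(".//authentication-override/cookie-encrypt-decrypt-cert"):
        if cert.text != cert_name:
            cert.text = cert_name
            changed += 1
    return changed


if __name__ == "__main__":
    cfg = load_config(SAMPLE_CONFIG)
    for f in audit(cfg):
        flag = "SHARED CERT" if f["cert_shared"] else "dedicated cert"
        print(f"{f['object']}: override enabled, cookie cert {f['cookie_cert']} ({flag})")
    print("blocks changed by disabling override:", disable_authentication_override(cfg))
    print("findings after mitigation:", audit(cfg))
```

Run against the sample, the audit reports both objects as having override enabled, with only the portal flagged for a shared certificate; after `disable_authentication_override` the audit is empty, and `dedicate_cookie_certificate` refuses `portal-cert` because it is bound to a TLS profile. Against a real export the findings list is the patch-priority list: these are the devices that need the vendor fix first, and the mitigation functions show the two intermediate states the advisory describes.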
The exploitation of CVE-2026-0257 follows a report from Arctic Wolf about the continued weaponization of a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616, CVSS score: 9.1) to deliver credential-stealing malware called EKZ Infostealer.
Analysis
The active exploitation of CVE-2026-0257 represents a significant operational challenge for cybersecurity defenders, turning a 'medium' severity rating into an immediate critical threat. The mechanism of an authentication bypass directly undermines trust boundaries, allowing an attacker to establish a VPN session that effectively grants them a legitimate-looking presence on the internal network. This capability dramatically lowers the barrier for sophisticated threat actors, who can then leverage this access for reconnaissance, privilege escalation, or deploying further payloads, potentially unnoticed by traditional perimeter defenses. Organizations relying on GlobalProtect with specific configurations, particularly those using authentication override cookies, are directly in the adversary's crosshairs.
This event is not isolated but fits within a broader trend of nation-state and sophisticated criminal groups persistently targeting VPNs and edge devices. Similar vulnerabilities in platforms from Fortinet, Ivanti, and others have historically led to severe breaches, highlighting these devices as critical chokepoints for network access. The continuous weaponization of such flaws underscores the necessity for rigorous patch management, robust configuration auditing, and defense-in-depth strategies that assume perimeter compromise, rather than relying on the perimeter alone for security.