PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

Ravie LakshmananMay 30, 2026Vulnerability / Network Security

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild.

The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections.

“Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection,” Palo Alto Networks said in an advisory released on May 13, 2026.

The issue specifically affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists, the network security company said.

In an update to its advisory on May 29, 2026, Palo Alto Networks said it has “become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied.

The development comes after Rapid7 revealed it identified successful exploitation across numerous customers, with the earliest efforts dating back to May 17, 2026, followed by a second wave on May 21. Both the exploitation sets are assessed to be the work of the same threat actor.

The activity observed in the second wave involved VPN IP assignment following the cookie authentication in two cases, granting the attacker access to the internal network. No follow-on activity in the customer environments where a VPN session was established, the cybersecurity vendor added.

“An authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations,” Rapid7 said. “As such, organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis.”

As temporary mitigations, it’s recommended to either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature.

The exploitation of CVE-2026-0257 follows a report from Arctic Wolf about the continued weaponization of a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616, CVSS score: 9.1) to deliver credential-stealing malware called EKZ Infostealer.