A leading security vendor has warned customers that attackers are actively exploiting a high-severity CVE in one of its products that it patched last month.
CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks’ PAN-OS software.
As the name suggests, it could enable an attacker to bypass security restrictions and establish an unauthorized VPN connection.
The bug has a CVSS score of 7.8. Although the update was published on May 13, Palo Alto said on Friday that it had “become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied.”
The vulnerability was initially given a medium-severity rating because it only affected firewalls with the GlobalProtect portal or gateway configured “when authentication override cookies are enabled and a specific certificate configuration exists.”
However, this was raised to “high” following multiple exploitation attempts over recent days.
A Critical Update
Rapid7 urged organizations to treat the vulnerability as “critical,” saying it had been exploited in two waves, likely by the same actor, starting May 18 and 21.
It warned that an authentication bypass on an edge-facing VPN appliance could have a major impact on enterprise customers.
“Rapid7 observed VPN IP assignment following the cookie authentication, granting them access to the internal network. At this time, Rapid7 is unable to confirm why VPN assignment occurred only for a subset of exploited customers,” the firm continued.
“Across multiple customers, Rapid7 observed successful exploitation via authentication probes using forged cookies, but the appliance accepted the cookie without a full VPN session being established in 8 out of 10 impacted MDR customers.”
GlobalProtect VPN users are urged to patch immediately. If they can’t, Palo Alto Networks listed two possible mitigations:
- Disable authentication override in the GlobalProtect portal and gateway configuration
- Generate a new certificate exclusively for authentication override cookies. Store it securely, and don’t reuse or share it with other users
The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) Catalog, requiring federal civilian agencies to patch it by June 1.
