Palo Alto GlobalProtect Auth Bypass CVE-2026-0257 Is Now Under Active Exploitation

Palo Alto Networks has confirmed that attackers are actively exploiting CVE-2026-0257, an authentication-bypass flaw in PAN-OS GlobalProtect that lets them set up VPN sessions on internet-facing firewalls with no credentials. Rapid7 has observed successful intrusions.

Key Takeaways

  • Palo Alto Networks confirmed on May 29, 2026 that CVE-2026-0257, an authentication-bypass flaw in the PAN-OS GlobalProtect portal and gateway, is under active exploitation on unpatched, internet-facing firewalls.
  • The flaw lets a remote, unauthenticated attacker forge an authentication-override cookie and establish a fully authorized VPN session on the targeted firewall — a credential-free path through the perimeter that bypasses every login control in front of it.
  • Network defenders should patch any internet-facing GlobalProtect appliance within 24 hours and the rest of the fleet within 72, audit GlobalProtect session logs back 30 days for VPN sessions established without preceding authentication events, and apply Palo Alto's interim mitigations on every instance that cannot be patched immediately.

An authentication bypass on an internet-facing VPN appliance is not just another CVE. It is a credential-free path through the perimeter of every organization that runs it, and CVE-2026-0257 is the latest one being walked through in production.

SANTA CLARA, CALIFORNIA — Palo Alto Networks confirmed on May 29, 2026 that CVE-2026-0257, an authentication-bypass vulnerability in the GlobalProtect portal and gateway of PAN-OS, is being actively exploited in the wild on unpatched firewalls. The vendor said in an update to its advisory that it has "become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," and the security firm Rapid7 said it has observed successful exploitation across numerous customer environments, with the earliest attempts dating back to May 17, 2026. BleepingComputer and The Hacker News reported the active-exploitation update on May 30, 2026.

CVE-2026-0257 carries a CVSS v3.1 base score of 7.8 and is rated medium severity. One note on that pairing: on the CVSS v3.1 qualitative scale itself, 7.8 falls in the High band (7.0 to 8.9), so the medium label is a separate severity rating rather than the scale's own band, a distinction that matters for triage below. Palo Alto Networks first disclosed and patched the flaw on May 13, 2026; the May 29 update is the company's confirmation that exploitation of unpatched instances began in the two weeks after the patch shipped.

Disclosure Overview

Vulnerability: CVE-2026-0257, authentication-bypass vulnerabilities in the GlobalProtect portal and gateway of PAN-OS
CVSS v3.1 Score: 7.8, reported as Medium severity (7.8 falls in the High band, 7.0 to 8.9, of the CVSS v3.1 qualitative scale)
Affected Product: Palo Alto Networks PAN-OS firewalls with a GlobalProtect portal or gateway configured, authentication-override cookies enabled, and the cookie-encryption certificate shared with another feature such as the HTTPS service
Initial Advisory: May 13, 2026, Palo Alto Networks PSIRT (advisory CVE-2026-0257)
Active-Exploitation Update: May 29, 2026, Palo Alto Networks confirmed "limited exploit attempts on unpatched PAN-OS devices without mitigations applied"
In-the-Wild Activity: Rapid7 observed successful exploitation across multiple customer environments; earliest attempts dated to May 17, 2026, with a second wave on May 21, 2026
Attacker Objective: Establish unauthorized VPN sessions on the targeted firewall to reach internal corporate networks
Cross-Source Reporting: BleepingComputer and The Hacker News, both May 30, 2026

What Happened

Palo Alto Networks first disclosed CVE-2026-0257 on May 13, 2026 as a pair of authentication-bypass vulnerabilities in the GlobalProtect portal and gateway of PAN-OS, the operating system that runs Palo Alto's firewall appliances. In the company's own words from the advisory, the flaws "allow the attacker to bypass security restrictions and establish an unauthorized VPN connection." The issue affects firewalls that have GlobalProtect portal or gateway configured, that have authentication-override cookies enabled, and that have a specific certificate configuration in which the certificate used to encrypt and decrypt the authentication-override cookie is shared with another feature such as the HTTPS service. On May 29, 2026, Palo Alto Networks updated the advisory to confirm it had "become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied."

Rapid7's own write-up, published on May 29, said the firm had identified successful exploitation across numerous customer environments, with the earliest attempts dating to May 17, 2026 and a second wave on May 21. In two of the second-wave cases, Rapid7 said, the attacker's forged cookie was accepted by the GlobalProtect gateway and a VPN IP address was assigned: the gateway granted the attacker access to the internal network exactly as it would have for a legitimately authenticated user. Rapid7 assessed both waves to be the work of the same threat actor and reported no follow-on hands-on activity in the environments where a VPN session was established. The mechanism is straightforward. The authentication-override cookie is encrypted to a certificate's public key, and the gateway's decryption path checks nothing about who produced the ciphertext. When that same certificate also serves HTTPS, its public key is handed to every TLS client that connects, so anyone can encrypt a cookie of their own making, present it to the gateway, and have its contents accepted as proof of authentication.
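The bug class described above, reduced to something you can run. This is an added example written for this piece; it is not PAN-OS code and not Rapid7's, and the toy RSA keypair, the keystream cipher, the cookie layout and the function names (seal, decrypt_cookie, accept_vulnerable, issue_hardened, accept_hardened, forge) are all constructed for illustration. The point it makes is the one in the text: when the cookie is encrypted to a public key, "it decrypted cleanly" is not evidence that the gateway issued it, and the fix is an authenticity check with material the gateway alone holds.

```python
"""Added example, not PAN-OS code: 'decrypt, then trust' fails when the key is public.

A cookie encrypted to a certificate's public key can be produced by anyone who
can read that certificate, and every HTTPS client can. Unless the gateway also
checks that it issued the cookie, decrypting successfully proves nothing.
Toy RSA from fixed small primes plus a SHA-256 keystream: constructed for
illustration, never for real use.
"""
import hashlib
import hmac
import json
import os

# Toy RSA keypair (constructed). The public half is what a TLS handshake hands out.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)
PRIVATE_KEY = (N, D)

# Server-only secret for the hardened path. It never appears in any certificate.
GATEWAY_SECRET = os.urandom(32)


def keystream_xor(seed: int, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 in counter mode, keyed by the RSA-wrapped seed."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(seed.to_bytes(8, "big") + i.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(pub, inner: dict) -> dict:
    """Encrypt a cookie body to the gateway's public key. Needs only `pub`."""
    n, e = pub
    seed = int.from_bytes(os.urandom(4), "big")  # 32-bit, so always below n
    body = json.dumps(inner, sort_keys=True).encode()
    return {"ek": pow(seed, e, n), "ct": keystream_xor(seed, body).hex()}


def decrypt_cookie(priv, cookie: dict):
    """Unwrap the seed with the private key and decrypt. None if it is not JSON."""
    n, d = priv
    seed = pow(int(cookie["ek"]), d, n)
    try:
        inner = json.loads(keystream_xor(seed, bytes.fromhex(cookie["ct"])))
    except ValueError:  # UnicodeDecodeError and JSONDecodeError both subclass it
        return None
    return inner if isinstance(inner, dict) else None


def accept_vulnerable(priv, cookie: dict):
    """VULNERABLE: whatever decrypts cleanly is trusted as an authenticated user."""
    return decrypt_cookie(priv, cookie)


def issue_hardened(pub, principal: dict) -> dict:
    """Hardened issuance: bind the body to a secret only the gateway holds."""
    body = json.dumps(principal, sort_keys=True).encode()
    tag = hmac.new(GATEWAY_SECRET, body, hashlib.sha256).hexdigest()
    return seal(pub, {"p": principal, "tag": tag})


def accept_hardened(priv, cookie: dict):
    """Hardened acceptance: decrypt as before, then refuse anything the gateway did
    not itself issue. Encryption gives secrecy; only the tag gives authenticity."""
    inner = decrypt_cookie(priv, cookie)
    if not inner or "p" not in inner or "tag" not in inner:
        return None
    body = json.dumps(inner["p"], sort_keys=True).encode()
    expected = hmac.new(GATEWAY_SECRET, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(inner["tag"])):
        return None
    return inner["p"]


def forge(pub, user: str) -> dict:
    """Attacker holding only the certificate's public key: no login, no secret."""
    return seal(pub, {"user": user, "auth": "ok"})


def demo() -> dict:
    forged = forge(PUBLIC_KEY, "svc-admin")
    legit = issue_hardened(PUBLIC_KEY, {"user": "alice", "auth": "ok"})
    return {
        "vulnerable_accepts_forged": accept_vulnerable(PRIVATE_KEY, forged),
        "hardened_accepts_forged": accept_hardened(PRIVATE_KEY, forged),
        "hardened_accepts_legit": accept_hardened(PRIVATE_KEY, legit),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The vulnerable path returns the attacker's chosen principal; the hardened path returns None for the same cookie and still accepts a cookie the gateway issued. A real design would use an authenticated encryption mode or a signature rather than this toy pairing, but the property being checked is the same: the gateway must verify something the public key cannot produce.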

What 'Authentication Bypass' Means on a VPN Appliance

The defining feature of CVE-2026-0257 — and what separates it from the long tail of medium-severity Palo Alto bulletins — is the place in the architecture where it lives. GlobalProtect is the VPN concentrator on a Palo Alto firewall, the public-facing service that decides who gets to set up a VPN session into the corporate network and who does not. The vulnerability is in the part of that service that is supposed to decide. An attacker exploiting CVE-2026-0257 does not steal a password, phish a user, or relay a session token; they ask the gateway to set up a VPN session, present a forged authentication-override cookie, and the gateway agrees. The login screen, the MFA prompt, the conditional-access policy in front of it — none of it gets evaluated, because from the gateway's perspective the request has already been authenticated. That is what an authentication bypass on an internet-facing VPN appliance actually is: a credential-free path through the perimeter, granted by the device whose entire job is to be the perimeter.

Why the 7.8 CVSS Score Understates the Operational Risk

CVE-2026-0257 carries a CVSS v3.1 score of 7.8 and a medium severity rating. A 7.8 is also the score most local privilege-escalation flaws receive, the ones that need local access, valid credentials, or a victim's click, and on a triage dashboard a medium-rated 7.8 sits below the line that automatically triggers a same-day emergency patch in many organizations. That is the operational risk hiding inside this CVE. The rating reflects the preconditions, a configuration combination that not every Palo Alto customer runs, but it does not reflect what happens when those preconditions are present. When the affected device is an internet-facing VPN gateway and the exploit produces a fully authorized VPN session with no credentials, the impact is not medium in any operational sense. It is the same impact pattern The CyberSignal documented when Verizon's 2026 DBIR found that vulnerability exploitation had overtaken credential theft as the number-one initial-access method: operators are increasingly bypassing the password layer entirely by attacking the appliance that enforces it. A medium-rated CVE on a perimeter VPN appliance can produce the same intrusion outcome as a high- or critical-severity CVE on an interior service, and organizations triaging purely by score will under-prioritize it.

A Pattern Across Perimeter VPN Vendors

CVE-2026-0257 lands in the same week as Arctic Wolf's disclosure that unpatched FortiClient EMS servers are still being exploited via CVE-2026-35616 to push the EKZ credential stealer down the management channel, and inside a longer 2026 pattern of perimeter-edge VPN and remote-access flaws being weaponized fast. The CyberSignal previously covered the PAN-OS zero-day CVE-2026-0300, which Palo Alto patched on April 9 after observing exploitation, and the federal-deadline cycle around perimeter appliances, examined in detail when CISA added the cPanel flaw CVE-2026-41940 to its Known Exploited Vulnerabilities catalog with a hard patch mandate, has become the clearest public clock on how fast these vulnerabilities are being weaponized. The throughline is consistent across Palo Alto, Fortinet, Ivanti, and Cisco: the public-facing remote-access appliance is the single most efficient initial-access target in the contemporary attacker economy, and the time from advisory to in-the-wild exploitation is now measured in days, not weeks.

Scope and Impact

The exposure boundary for CVE-2026-0257 is narrower than for a CVE that affects every instance regardless of configuration. Palo Alto Networks said the issue specifically affects firewalls with a GlobalProtect portal or gateway configured when authentication-override cookies are enabled and when a specific certificate configuration is present: the certificate used to encrypt the authentication-override cookie is shared with another feature, such as the HTTPS service. Palo Alto noted that Panorama and Cloud NGFW are not impacted. The narrower scope does not make the exposed population small in absolute terms. GlobalProtect is one of the most widely deployed enterprise VPN platforms, the authentication-override feature is in routine use in production deployments, and a portal or external gateway is, by design, reachable from the internet, because that is where it terminates remote-access sessions.

Several specifics remain unresolved as of publication. Palo Alto Networks has not attributed the observed exploitation to a named threat actor. Rapid7 assessed both exploitation waves to be the work of the same actor but has not named that actor, published a victim count, or listed affected industries. The reporting documents that VPN sessions were established in customer environments, but Rapid7 explicitly noted that no follow-on hands-on activity was observed where a session was set up: the operator established a foothold and, in the observed cases, did not proceed further during Rapid7's visibility window. Whether the actor returns to those environments, and whether other operators have begun exploiting CVE-2026-0257 independently, is not yet established. Industry coverage indicates CISA has moved to add CVE-2026-0257 to its Known Exploited Vulnerabilities catalog with a federal patch deadline; verify the exact KEV status and any binding deadline against CISA's catalog directly before writing either into a remediation plan, because this piece assumes no KEV status beyond what is independently verified. The pattern around it is unambiguous: unpatched, high-impact code in widely deployed perimeter infrastructure remains the most reliable initial-access surface in 2026.

Response and Attribution

For any organization running PAN-OS GlobalProtect, the action is immediate. Patch every internet-facing GlobalProtect portal or gateway within 24 hours; patch the rest of the affected fleet within 72. Palo Alto Networks has published fixed PAN-OS versions in the advisory; check the running version against the fixed release for the deployed train and upgrade accordingly. For instances that cannot be patched on that timeline, apply the interim mitigations Palo Alto Networks has documented: either disable the authentication-override feature, or generate a new certificate used exclusively for authentication-override, so that the cookie-encryption certificate is no longer shared with another service such as HTTPS. A cookie encrypted to the old certificate will not decrypt under the new one, so expect users to authenticate once more after the change; that is the desired effect, since it retires any cookie, forged or legitimate, issued while the old configuration was in place. Where feasible, restrict GlobalProtect access to a known-source IP allowlist as a temporary compensating control until the patch is in place.
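To find out which portals and gateways actually carry the precondition, audit the exported configuration rather than the GUI one tab at a time. The script below is an added example written for this piece, not Palo Alto tooling. SAMPLE_CONFIG is a constructed excerpt shaped like a PAN-OS running-config, and the element names it relies on (authentication-override, generate-cookie, accept-cookie, cookie-encrypt-decrypt-cert, ssl-tls-service-profile, certificate) are what this example assumes the export uses; confirm them against your own export before trusting an empty result.

```python
"""Added example, not Palo Alto tooling: audit an exported PAN-OS XML config for
the exposure precondition, an authentication-override cookie certificate that
another service (an SSL/TLS service profile) also uses.

SAMPLE_CONFIG is a constructed excerpt shaped like a PAN-OS running-config. The
element names are what this example assumes the export uses; verify them.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="gp-tls"><certificate>gp-wildcard</certificate></entry>
      <entry name="mgmt-tls"><certificate>mgmt-cert</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal><entry name="gp-portal">
        <portal-config><ssl-tls-service-profile>gp-tls</ssl-tls-service-profile></portal-config>
        <client-config><configs><entry name="default">
          <authentication-override>
            <generate-cookie>yes</generate-cookie>
            <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
            <cookie-encrypt-decrypt-cert>gp-wildcard</cookie-encrypt-decrypt-cert>
          </authentication-override>
        </entry></configs></client-config>
      </entry></global-protect-portal>
      <global-protect-gateway><entry name="gp-gateway">
        <ssl-tls-service-profile>gp-tls</ssl-tls-service-profile>
        <remote-user-tunnel-configs><entry name="default">
          <authentication-override>
            <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
            <cookie-encrypt-decrypt-cert>gp-cookie-only</cookie-encrypt-decrypt-cert>
          </authentication-override>
        </entry></remote-user-tunnel-configs>
      </entry></global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""

OWNER_TAGS = ("global-protect-portal", "global-protect-gateway")


def certs_used_by_tls_profiles(root):
    """cert name -> SSL/TLS service profiles (HTTPS for portal, gateway, web UI) using it."""
    users = {}
    for prof in root.iter("ssl-tls-service-profile"):
        for entry in prof.findall("entry"):  # reference-style elements have no entries
            cert = (entry.findtext("certificate") or "").strip()
            if cert:
                users.setdefault(cert, []).append(entry.get("name"))
    return users


def audit(config_xml: str):
    """One finding per authentication-override block that generates or accepts cookies."""
    root = ET.fromstring(config_xml)
    parent = {child: node for node in root.iter() for child in node}
    tls_users = certs_used_by_tls_profiles(root)
    findings = []
    for ov in root.iter("authentication-override"):
        generates = (ov.findtext("generate-cookie") or "").strip() == "yes"
        accepts = ov.find("accept-cookie") is not None
        if not (generates or accepts):
            continue  # override cookies not in use here
        cert = (ov.findtext("cookie-encrypt-decrypt-cert") or "").strip()
        # Walk up to the portal/gateway entry so the finding names its owner.
        owner, node = "unknown", ov
        while node in parent:
            node = parent[node]
            if parent.get(node) is not None and parent[node].tag in OWNER_TAGS:
                owner = f"{parent[node].tag}/{node.get('name')}"
                break
        shared = tls_users.get(cert, [])
        findings.append({"owner": owner, "cert": cert, "generates": generates,
                         "accepts": accepts, "shared_with": shared,
                         "exposed": bool(shared)})
    return findings


def run_audit():
    return audit(SAMPLE_CONFIG)


if __name__ == "__main__":
    for finding in run_audit():
        print(finding)
```

In the constructed config the portal reuses gp-wildcard, the same certificate its SSL/TLS profile serves on HTTPS, and is reported as exposed; the gateway already uses a dedicated gp-cookie-only certificate and is not. That second shape is the mitigated state the advisory's certificate workaround produces. The audit only compares against SSL/TLS service profiles; if another feature on your firewall can reference the same certificate, add that reference path to certs_used_by_tls_profiles before relying on the result.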

For SOC and threat-hunting teams, the practical hunts are well-defined, with one nuance that keeps them from drowning in false positives: an authentication-override cookie legitimately lets a client reconnect without logging in again for the configured cookie lifetime, so a reconnect with no login immediately before it is normal. The signature of a forged cookie is a session for which no successful authentication for that user exists inside the cookie lifetime, and in the worst case none at all. Audit GlobalProtect VPN session logs for the past 30 days and surface every session that no such authentication event explains. Pivot on any session whose VPN IP was assigned to an unfamiliar source IP, and on any single source IP that connected as more than one identity, since a forged cookie can claim any username. Review internal traffic from every VPN IP issued during the exposure window for east-west activity that does not match the named user's behavior. Pull GlobalProtect portal and gateway configurations and confirm whether the affected combination, authentication-override cookies enabled and the cookie certificate shared with another service, was present at any point in the last 60 days; if so, treat any session-establishment event from that window as suspect until proven legitimate. Treat any firewall on which an unauthenticated VPN session was established as a perimeter-tier incident: the attacker is on the inside of the network the firewall protects.
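The hunt above, run over constructed records. This is an added example written for this piece, not a Palo Alto or Rapid7 query. SAMPLE_LOG is constructed, and its schema (timestamp, event, status, user, public_ip, private_ip) and event names (portal-auth, gateway-auth, gateway-connected) are assumptions to map onto your own GlobalProtect log export; the 24-hour cookie lifetime is also an assumption that must be set to whatever the portal and gateway are configured with.

```python
"""Added example, not from Palo Alto or Rapid7: hunt for VPN sessions that no
authentication explains.

An authentication-override cookie legitimately lets a client reconnect without
logging in again for the configured cookie lifetime, so 'connect with no login
right before it' is normal. The signal is 'connect with no successful
authentication for that user inside the cookie lifetime', plus two pivots.
SAMPLE_LOG is constructed; its schema and event names are assumptions to map
onto your own GlobalProtect log export. If your export records cookie-based
reconnects as an auth event, exclude those (by auth method) from AUTH_EVENTS.
"""
from datetime import datetime, timedelta

AUTH_EVENTS = {"portal-auth", "gateway-auth"}  # assumed names for real logins
CONNECT_EVENTS = {"gateway-connected"}         # assumed name for 'VPN IP assigned'

SAMPLE_LOG = """\
# timestamp, event, status, user, public_ip, private_ip   (constructed records)
2026-05-18T08:00:01, portal-auth, success, alice, 203.0.113.10, -
2026-05-18T08:00:03, gateway-auth, success, alice, 203.0.113.10, -
2026-05-18T08:00:05, gateway-connected, success, alice, 203.0.113.10, 10.200.0.15
2026-05-18T17:30:00, gateway-connected, success, alice, 203.0.113.10, 10.200.0.15
2026-05-20T09:00:00, portal-auth, success, bob, 192.0.2.5, -
2026-05-20T09:00:02, gateway-connected, success, bob, 192.0.2.5, 10.200.0.20
2026-05-20T11:00:00, gateway-connected, success, bob, 198.51.100.77, 10.200.0.43
2026-05-21T02:14:09, gateway-connected, success, svc-backup, 198.51.100.77, 10.200.0.41
2026-05-21T02:20:44, gateway-connected, success, alice, 198.51.100.77, 10.200.0.42
"""


def parse(text):
    """Parse the constructed CSV-style records into dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, event, status, user, pub, priv = (f.strip() for f in line.split(","))
        records.append({"ts": datetime.fromisoformat(ts), "event": event, "status": status,
                        "user": user, "public_ip": pub, "private_ip": priv})
    return sorted(records, key=lambda r: r["ts"])


def unexplained_sessions(records, cookie_lifetime=timedelta(hours=24)):
    """Connect events with no real login behind them. cookie_lifetime must match
    the lifetime configured on the portal/gateway (24h here is an assumption)."""
    last_auth, findings = {}, []
    for r in records:
        if r["event"] in AUTH_EVENTS and r["status"] == "success":
            last_auth[r["user"]] = r
        elif r["event"] in CONNECT_EVENTS:
            prior = last_auth.get(r["user"])
            if prior is None:
                reason = "no authentication event for this user in the window"
            elif r["ts"] - prior["ts"] > cookie_lifetime:
                reason = "last authentication older than the cookie lifetime"
            elif prior["public_ip"] != r["public_ip"]:
                reason = "source IP differs from the IP that authenticated (lower confidence)"
            else:
                continue  # explained by a login inside the cookie lifetime
            findings.append({"ts": r["ts"].isoformat(), "user": r["user"],
                             "public_ip": r["public_ip"], "vpn_ip": r["private_ip"],
                             "reason": reason})
    return findings


def multi_identity_sources(records, min_users=2):
    """Source IPs that connected as several identities. A forged cookie can claim
    any username, so one external address fanning out across users is a strong pivot."""
    seen = {}
    for r in records:
        if r["event"] in CONNECT_EVENTS:
            seen.setdefault(r["public_ip"], set()).add(r["user"])
    return {ip: sorted(users) for ip, users in seen.items() if len(users) >= min_users}


def run_hunt():
    records = parse(SAMPLE_LOG)
    return {"unexplained": unexplained_sessions(records),
            "multi_identity": multi_identity_sources(records)}


if __name__ == "__main__":
    result = run_hunt()
    for f in result["unexplained"]:
        print(f"{f['ts']} {f['user']:<10} {f['public_ip']:<15} vpn={f['vpn_ip']}  {f['reason']}")
    print("sources with multiple identities:", result["multi_identity"])
```

Against the constructed records, alice's 17:30 reconnect on May 18 is correctly left alone (a login nine hours earlier, same source, inside the lifetime), while three sessions surface: bob connecting from a new source two hours after logging in elsewhere, svc-backup with no login at all, and alice again from that same new source nearly three days after her last login. The multi-identity pivot then ties all three to one external address, which is the record to take into the incident. The VPN IPs in each finding are the ones to carry into the east-west traffic review.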

For CISOs, CVE-2026-0257 is another data point in the pattern The CyberSignal has tracked across 2026: the perimeter-edge VPN and remote-access appliance is the most efficient initial-access target in the current attacker economy. The FortiClient EMS exploitation Arctic Wolf documented this week and the earlier PAN-OS zero-day CVE-2026-0300 are the same shape of incident. The structural conclusion is that perimeter VPN appliances need a patch service-level objective tighter than the rest of the security stack: a 24-to-72-hour SLO for any vendor advisory rated medium or higher, not the standard 30-day enterprise patch cycle. Phishing-resistant MFA in front of the VPN remains the broader posture this campaign argues for, with one caveat that matters for planning: it does not stop this particular bypass. A forged override cookie tells the gateway that authentication already happened, so no authenticator, hardware key included, is ever invoked. Hardware-key MFA closes the credential-theft routes that remain the dominant alternative; the patch and the mitigations close this one. Palo Alto Networks has not attributed the observed exploitation to a named threat actor.


The CyberSignal Analysis

Signal 01 — The Perimeter VPN Is the 2026 Initial-Access Channel

CVE-2026-0257 is not a standalone vulnerability story; it is a data point in a pattern that has now repeated across every major enterprise VPN vendor in 2026. Palo Alto GlobalProtect this week. FortiClient EMS the day before. PAN-OS CVE-2026-0300 in April. Ivanti, Cisco, and earlier Fortinet bulletins through the first quarter. The throughline is not vendor-specific and it is not a coincidence: the public-facing remote-access appliance is, structurally, the highest-value initial-access target in a modern enterprise. It is internet-reachable by design, it terminates trusted sessions into the interior network, and it is operated by network engineering teams whose patch cadences are governed by uptime concerns rather than by security urgency. Attackers have learned that math, and they are working it. The defensive implication is operational, not philosophical: perimeter VPN appliances need a separate, faster patch SLO than the rest of the security estate, because that is where the breach is starting.

Signal 02 — A 7.8 on a Perimeter Appliance Is Not a Medium-Severity Problem

The CVSS v3.1 score for CVE-2026-0257 is 7.8, carried with a medium severity rating, which lands it below the threshold that automatically triggers an emergency patch in many organizations. That rating is technically defensible, since it reflects the configuration preconditions and the limits of the scoring framework, and it is also operationally misleading in a way that will cost organizations. A CVSS base score rates exploitability and impact on the vulnerable component in the abstract; it says nothing about where that component sits in the network or what a session through it is worth. When the affected device is an internet-facing VPN gateway and the exploit produces a fully authorized VPN session on the corporate network with no credentials, the consequences are not medium. They are initial access. The lesson generalizes well beyond this CVE: for any vulnerability in a perimeter appliance, the operational risk floor is far higher than the score implies, and organizations that triage perimeter advisories by score alone will systematically under-prioritize the flaws that produce the most catastrophic outcomes.

Signal 03 — Authentication Bypass Defeats MFA of Every Kind. Phishing-Resistant MFA Is the Floor, Not the Fix.

CVE-2026-0257 illustrates, in production, what defensive architects have argued in principle for years: an authentication bypass on the appliance that performs authentication makes every login control upstream of that appliance irrelevant. The attacker is not stealing a password, phishing an OTP, or relaying a push notification. They are presenting a forged cookie to a gateway that does not verify it, and the gateway sets up the VPN session as if a legitimate user had completed the entire login flow. That includes phishing-resistant flows. A FIDO2 hardware key or platform authenticator is never asked to sign anything, because the gateway never invokes the authenticator; from its perspective the cookie says that step is already done. Phishing-resistant MFA is still the floor for remote access, and this campaign does not weaken that case: it closes the credential-theft and relay routes that remain the dominant way into a VPN, and it belongs in front of every GlobalProtect deployment. It simply does not close this one. The controls that do live on the appliance: the patch, a cookie-encryption certificate shared with nothing else, and, where the convenience is not worth a bearer token that skips the login, turning authentication-override off. The campaign exploiting CVE-2026-0257 is the latest argument that the appliance's own trust decisions belong in the threat model alongside the user's login.


Sources

Primary: Palo Alto Networks PSIRT, "CVE-2026-0257: PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities"
Primary: Rapid7, "Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)"
Reporting: BleepingComputer, "Palo Alto GlobalProtect VPN Auth Bypass Flaw Now Exploited in Attacks"
Reporting: The Hacker News, "PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation"
Official: CISA, Known Exploited Vulnerabilities Catalog