
The Palo Alto GlobalProtect VPN auth bypass flaw is now being exploited in attacks

Palo Alto Networks warns that hackers are now using the PAN-OS GlobalProtect bypass flaw, tracked as CVE-2026-0257, in attacks that attempt to breach corporate networks.

The company fixed the CVE-2026-0257 bug earlier this month, warning that it could be used to establish unauthorized VPN connections on a device.

“The GlobalProtect portal and Palo Alto Networks PAN-OS® software gateway allow an attacker to bypass security restrictions and establish an unauthorized VPN connection,” Palo Alto’s advisory reads.

The bug received a medium severity rating because it requires devices configured with authentication cookies enabled and a specific certificate configuration.

However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw is now increasingly being used in attacks against unpatched devices, and raised the severity rating to High.

“Palo Alto Networks is aware of limited exploitation attempts on unpatched PAN-OS devices that have no mitigations applied,” the update reads.

The update comes after Rapid7 warned that it had seen the bug exploited against multiple customers since May 17.

“Rapid7 MDR has identified successful exploitation against multiple customers; however, we have not seen any indication of successful lateral movement on hosts. The first exploitation was observed on May 17, 2026,” Rapid7 explained.

“As of May 29, 2026, this vulnerability has been added to the CISA KEV.”

According to Rapid7, the attacks began with the threat actors authenticating to GlobalProtect gateways using forged authentication cookies that targeted a domain administrator account.

The company first observed exploitation on May 18, originating from infrastructure managed by Vultr, with a second attack discovered on May 21 originating from Dromatics Systems.

In some cases, attackers were able to connect to a device over the VPN using forged cookies, giving them access to internal networks. However, Rapid7 says that in most cases, even when the device accepted the forged cookie, the attacker could not establish a full VPN session.

Rapid7’s investigation of affected customers found that the compromised devices had GlobalProtect authentication cookies enabled and configured in a way that allowed attackers to create valid authentication cookies.

The researchers say the flaw stems from how PAN-OS validates authentication cookies.

The GlobalProtect device decrypts these cookies using the configured private key and trusts the decrypted content without performing any signature verification.

If the same certificate is reused for both the HTTPS service and authentication cookies, an attacker can obtain the corresponding public key from the certificate presented in an HTTPS session and use it to encrypt forged cookies that the device will accept as legitimate.
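The design flaw just described, modelled as an added example (not Rapid7's PoC and not Palo Alto's code): a toy RSA "gateway" whose check is decrypt-and-trust, beside a hardened validator that also verifies an HMAC under a secret the public key cannot produce. The RSA parameters, the MAC key and the cookie layout are constructed stand-ins, not PAN-OS's real cookie format.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Toy textbook RSA built from two known Mersenne primes (constructed for
# illustration only: no padding, tiny modulus, never use for real traffic).
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def rsa_encrypt(plaintext: bytes) -> int:
    """Needs only the public key (N, E), i.e. what any TLS client sees in the certificate."""
    m = int.from_bytes(plaintext, "big")
    assert 0 < m < N, "payload too large for the toy modulus"
    return pow(m, E, N)

def rsa_decrypt(cookie: int) -> bytes:
    """Needs the private exponent D, which only the gateway holds."""
    m = pow(cookie, D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def validate_cookie_decrypt_only(cookie: int) -> str:
    """Models the flawed check: decrypt, then trust whatever comes out.
    Being decryptable proves nothing about who produced the cookie."""
    return rsa_decrypt(cookie).decode()

# Hypothetical secret that never leaves the gateway; holding the public key
# alone does not let anyone compute a valid tag under it.
COOKIE_MAC_KEY = secrets.token_bytes(32)
TAG_LEN = 8  # truncated so user + tag still fits the toy modulus

def cookie_tag(user: bytes) -> bytes:
    return hmac.new(COOKIE_MAC_KEY, user, hashlib.sha256).digest()[:TAG_LEN]

def issue_cookie(user: str) -> int:
    """Gateway-side issuance: authenticate the payload, then encrypt it."""
    u = user.encode()
    return rsa_encrypt(u + b"\x00" + cookie_tag(u))

def validate_cookie_authenticated(cookie: int) -> Optional[str]:
    """Hardened check: decrypt, then verify the tag in constant time."""
    payload = rsa_decrypt(cookie)
    if len(payload) <= TAG_LEN + 1 or payload[-TAG_LEN - 1] != 0:
        return None
    user, tag = payload[:-TAG_LEN - 1], payload[-TAG_LEN:]
    if not hmac.compare_digest(cookie_tag(user), tag):
        return None
    return user.decode()
```

The same separation applies to the mitigation in the advisory: a cookie key that is not shared with the HTTPS listener is a key whose public half an outside client never sees.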

Rapid7 has developed a proof-of-concept exploit that demonstrates how an attacker can retrieve the public certificate presented by a GlobalProtect portal or gateway, generate a forged authentication cookie for another user, and authenticate without knowing valid credentials. Using this PoC, the researchers successfully validated the attack against an unpatched GlobalProtect gateway.

Organizations using GlobalProtect VPN devices should promptly install the latest security updates to patch the flaw.

Administrators can also mitigate the flaw by disabling the authentication cookie feature, or by using a dedicated certificate for it that is not shared with any other service on the device.

CISA has now added the flaw to its Known Exploited Vulnerabilities catalog, instructing federal agencies to mitigate it by June 1, 2026.
