PAN-OS GlobalProtect auth bypass under active exploitation as CISA adds CVE-2026-0257 to KEV
Exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks' PAN-OS GlobalProtect VPN, moved to the top of defenders' weekend queue on May 30 after CISA added the flaw to its Known Exploited Vulnerabili.
At a glance
- CISA added CVE-2026-0257 to the KEV catalog on May 29, with news breaking overnight into May 30
- The flaw lets remote unauthenticated attackers forge GlobalProtect authentication-override cookies and establish unauthorized VPN connections
- Rapid7 observed earliest exploitation on May 17 from Vultr-hosted IPs and a second wave on May 21 attributed to the same actor
- In some environments attackers received VPN IP assignments granting internal network access
- Mitigations include disabling authentication override or dedicating a new certificate exclusively to the feature
VERDICT — CONFIRMED
Exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks' PAN-OS GlobalProtect VPN, moved to the top of defenders' weekend queue on May 30 after CISA added the flaw to its Known Exploited Vulnerabilities catalog late Friday and Rapid7 detailed in-the-wild attacks. The bug, first disclosed by Palo Alto Networks on May 13, affects firewalls with a GlobalProtect portal or gateway when authentication-override cookies are enabled and the certificate used to encrypt those cookies is shared with another feature, such as the portal or gateway's HTTPS service.
In that configuration, a remote, unauthenticated attacker can forge authentication-override cookies and establish unauthorized VPN connections. Rapid7 said it observed the earliest exploitation on May 17 from IP addresses hosted on Vultr, with a second wave on May 21 assessed to be the work of the same threat actor; in some compromised environments the attackers' sessions received VPN IP assignments, granting access to victims' internal networks.
The Hacker News reported on May 30 that affected organizations should disable the authentication-override feature or generate a new certificate used exclusively for it, in addition to applying fixes, and federal agencies face a remediation deadline under Binding Operational Directive 22-01.
Why it matters
a forgeable VPN cookie turns perimeter security appliances into an entry point, extending 2026's relentless pattern of edge-device authentication bypasses being weaponized within days of disclosure.
Key facts on file
- CISA added CVE-2026-0257 to the KEV catalog on May 29, with news breaking overnight into May 30
- The flaw lets remote unauthenticated attackers forge GlobalProtect authentication-override cookies and establish unauthorized VPN connections
- Rapid7 observed earliest exploitation on May 17 from Vultr-hosted IPs and a second wave on May 21 attributed to the same actor
- In some environments attackers received VPN IP assignments granting internal network access
- Mitigations include disabling authentication override or dedicating a new certificate exclusively to the feature


