Palo Alto's GlobalProtect Flaw Was Being Actively Exploited Within Days of Disclosure
A freshly disclosed authentication bypass in Palo Alto Networks' PAN-OS didn't sit idle for long. According to Rapid7, threat actors were actively targeting it just four days after it became public knowledge.
The flaw, CVE-2026-0257, carries a CVSS score of 7.8 and affects firewalls running a GlobalProtect portal or gateway under specific configurations. Exploitation allows attackers to sidestep authentication controls and establish unauthorised VPN connections to vulnerable appliances. Palo Alto shipped patches on May 13. By May 17, someone was already trying their luck.
Rapid7's telemetry caught suspicious cookie-based authentication attempts hitting local admin accounts across several customer environments, all originating from the same hosting provider, Vultr. Four days later, the same actor switched infrastructure to a second provider, Dromatics Systems, and turned up the pressure. In this second wave, some victims ended up with VPN sessions fully established, giving the attacker direct access to internal networks. Rapid7 couldn't pin down exactly why VPN assignment only succeeded for a subset of targets.
The attack method involved forged cookies probing the authentication bypass. In eight out of ten observed cases, the cookies were accepted, though a full VPN session didn't materialise. Still, that's a pretty uncomfortable success rate.
Palo Alto Networks updated its advisory on Friday to confirm active exploitation, and NIST quietly upgraded the severity rating to critical. CISA added the CVE to its Known Exploited Vulnerabilities catalogue the same day, giving federal agencies until June 1 to patch.
To help defenders, Rapid7 released a proof-of-concept script for identifying exposed firewalls alongside a set of indicators of compromise for hunting potential intrusions.
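The pattern reported above (cookie-based logins against local admin accounts, some of them followed by an established VPN session) lends itself to triage by severity. The sketch below is an added example, not Rapid7's script or indicator set; the event schema, account names, timestamps and network ranges are constructed placeholders and do not reflect PAN-OS's native log fields.

```python
import ipaddress

# Constructed placeholders (RFC 5737 documentation ranges), not real provider ranges or IoCs.
WATCHED_NETS = {
    "hosting-A": ipaddress.ip_network("192.0.2.0/24"),
    "hosting-B": ipaddress.ip_network("198.51.100.0/24"),
}
LOCAL_ADMINS = {"admin", "localadmin"}  # assumption: local admin account names on the appliance
RANK = {"probe": 0, "cookie-accepted": 1, "vpn-established": 2}

def E(ts, src, user, auth, stage, result):
    return dict(ts=ts, src=src, user=user, auth=auth, stage=stage, result=result)

# Constructed events in a hypothetical normalised schema (not PAN-OS's native log format).
SAMPLE_EVENTS = [
    E("2026-05-17T02:10:00Z", "192.0.2.10", "admin", "cookie", "login", "failure"),
    E("2026-05-21T03:00:00Z", "198.51.100.7", "admin", "cookie", "login", "success"),
    E("2026-05-21T03:05:00Z", "198.51.100.9", "admin", "cookie", "login", "success"),
    E("2026-05-21T03:05:20Z", "198.51.100.9", "admin", None, "tunnel", "success"),
    E("2026-05-21T08:00:00Z", "203.0.113.5", "jdoe", "password", "login", "success"),
    E("2026-05-21T08:00:10Z", "203.0.113.5", "jdoe", None, "tunnel", "success"),
    E("2026-05-21T09:30:00Z", "203.0.113.77", "localadmin", "cookie", "login", "success"),
]

def provider_of(src):
    """Name of the watched network containing src, or None."""
    ip = ipaddress.ip_address(src)
    return next((name for name, net in WATCHED_NETS.items() if ip in net), None)

def triage(events):
    """Map (src, user) -> (severity, provider) for cookie logins to local admin accounts."""
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["src"], ev["user"])
        if ev["stage"] == "login" and ev["auth"] == "cookie" and ev["user"] in LOCAL_ADMINS:
            level = "cookie-accepted" if ev["result"] == "success" else "probe"
        elif ev["stage"] == "tunnel" and ev["result"] == "success" and key in findings \
                and findings[key][0] != "probe":
            level = "vpn-established"  # tunnel came up after an accepted cookie login
        else:
            continue
        if key not in findings or RANK[level] > RANK[findings[key][0]]:
            findings[key] = (level, provider_of(ev["src"]))
    return findings

if __name__ == "__main__":
    for (src, user), (level, provider) in triage(SAMPLE_EVENTS).items():
        print(f"{level:16} {src:15} {user:11} watched_net={provider}")
```

Any "vpn-established" finding means the source had a tunnel into the internal network and should be handled as an intrusion rather than a probe.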
Patched versions are available for PAN-OS 10.2, 11.1, 11.2, and 12.1, as well as Prisma Access 10.2.0 and 11.2.0. If you haven't updated yet, the window to do so quietly is already closed.