Introduction
Palo Alto Networks Unit 42 has confirmed active exploitation of a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS software. Tracked as CVE-2026-0257, this flaw allows remote unauthenticated attackers to forge authentication override cookies and establish unauthorized VPN connections without providing any valid credentials. Rapid7 MDR observed successful exploitation across multiple customer environments beginning May 17, 2026, validating the attack with their own proof-of-concept testing.
This Palo Alto VPN vulnerability was initially assigned a CVSSv4 score of 4.7 (medium severity) when disclosed on May 13, 2026. However, following confirmed in-the-wild exploitation, Palo Alto Networks revised the score to 7.8 (high severity) on May 29, 2026. CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026, ordering all Federal Civilian Executive Branch agencies to patch or mitigate by June 1, 2026.
The vulnerability affects GlobalProtect portal and gateway components of PAN-OS running on physical and virtual firewalls, as well as Prisma Access deployments. Attackers have been observed probing systems from hosting provider IP addresses including Vultr and Dromatics Systems. Rapid7 identified two waves of exploitation using consistent MAC addresses, suggesting that the same threat actor is behind both campaigns. Organizations running unpatched Palo Alto firewalls with authentication override cookies enabled are directly exposed to unauthorized VPN access right now.
What Is the Palo Alto VPN Vulnerability CVE-2026-0257
The Palo Alto VPN vulnerability CVE-2026-0257 is an authentication bypass flaw in how GlobalProtect validates authentication override cookies. Authentication override cookies are a legitimate feature designed to allow administrator access in specific scenarios. However, PAN-OS does not properly validate or perform integrity checking on these cookies during the authentication process.
An attacker can forge or spoof authentication override cookies without possessing the correct credentials or authorization. When a vulnerable GlobalProtect gateway receives the forged cookie, it accepts the authentication without verifying the cookie's authenticity or integrity. The attacker then establishes an unauthorized VPN connection with VPN IP assignment, granting access to internal corporate networks.
CVE-2026-0257 at a glance:
- CVE ID: CVE-2026-0257
- Initial CVSS Score: 4.7 (medium)
- Revised CVSS Score: 7.8 (high) on May 29, 2026
- Vulnerable Component: GlobalProtect portal and gateway
- Affected Products: PAN-OS physical firewalls, VM-Series virtual firewalls, Prisma Access
- Authentication Required: No
- User Interaction Required: No
- Attack Vector: Remote via network
- Exploitation Start: May 17, 2026
- Disclosure Date: May 13, 2026
- CISA KEV Added: May 29, 2026
- Federal Patching Deadline: June 1, 2026
- Root Cause: Lack of validation and integrity checking on authentication override cookies
- Affected Versions: Multiple supported versions
- Patch Status: Patches available for supported releases
- Mitigation: Disable authentication override feature or generate new certificate
The flaw stems from the fundamental design decision to trust authentication override cookies without performing cryptographic validation. When Cloud Authentication Service (CAS) is disabled and authentication override cookies are enabled, the GlobalProtect gateway accepts any cookie matching the expected format without verifying its cryptographic integrity or origin.
How Attackers Exploit the Palo Alto VPN Vulnerability
Understanding the exact exploitation mechanism helps defenders detect and respond to this attack.
Authentication Override Cookie Architecture
GlobalProtect uses authentication override cookies as an optional feature to simplify administrator access in certain deployment scenarios. When enabled, the system allows administrators to authenticate using a pre-shared cookie rather than standard username and password authentication. This feature is designed for convenience but introduces the vulnerability when not properly protected.
The vulnerability exists because PAN-OS does not cryptographically sign or validate the cookie contents. An attacker who understands the expected cookie format can craft a valid-looking cookie without possessing the actual shared secret or credentials that generated it.
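To make that distinction concrete, here is an added illustrative model, not PAN-OS or GlobalProtect code (the cookie layout, field names and secret are all assumptions): a validator that trusts any cookie matching the expected layout, beside one that binds the fields to a server-held secret with an HMAC and enforces expiry.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed illustration of the flaw class, not PAN-OS or GlobalProtect code:
# the cookie layout, the field names and the secret are all assumptions.

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def layout_only_cookie(user: str, exp: int) -> str:
    """What a client that knows only the field layout (and no server secret) can produce."""
    return _b64(json.dumps({"user": user, "exp": exp}, sort_keys=True).encode())

def format_only_validate(cookie: str) -> Optional[dict]:
    """Vulnerable model: the cookie is trusted as soon as it parses into the expected
    fields. Nothing ties those fields to the server, so any well-formed cookie passes."""
    try:
        payload = json.loads(_unb64(cookie.split(".")[0]))
    except ValueError:
        return None
    if not isinstance(payload, dict) or not {"user", "exp"} <= set(payload):
        return None
    return payload

def issue_cookie(secret: bytes, user: str, ttl: int, now: Optional[float] = None) -> str:
    """Hardened model: <payload>.<HMAC-SHA256(secret, payload)>, with a bounded lifetime."""
    now = time.time() if now is None else now
    body = layout_only_cookie(user, int(now + ttl))
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"

def signed_validate(secret: bytes, cookie: str, now: Optional[float] = None) -> Optional[dict]:
    """Hardened model: verify the MAC in constant time before parsing, then enforce expiry.
    A cookie built from the layout alone, a tampered body or a wrong secret all fail here."""
    now = time.time() if now is None else now
    try:
        body, mac_b64 = cookie.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(mac_b64)):
            return None
        payload = json.loads(_unb64(body))
    except ValueError:
        return None
    if not isinstance(payload, dict) or not {"user", "exp"} <= set(payload):
        return None
    if payload["exp"] < now:
        return None
    return payload
```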
Forging and Spoofing Cookies
Attackers craft authentication override cookies that match the expected format accepted by the vulnerable GlobalProtect gateway. The forged cookie passes through the authentication logic without triggering any validation errors. The appliance incorrectly trusts the cookie and grants authentication to the attacker.
Establishing Unauthorized VPN Access
Upon successful authentication via the forged cookie, the appliance assigns a VPN IP address to the attacker. The attacker then has a full VPN connection to the internal network, with access levels determined by the authentication context of the spoofed cookie. Even if the cookie does not convey full administrative privileges, it provides access to internal network resources that should only be reachable by legitimate authenticated users.
Observed Exploitation Patterns
Rapid7 documented two distinct waves of exploitation:
Wave one occurred May 17 to 18, 2026, originating from Vultr hosting provider IP addresses. Rapid7 observed suspicious cookie authentication attempts to local admin accounts from the same Vultr IP range across multiple customer environments. The attacks successfully granted VPN access in some cases.
Wave two occurred May 21, 2026, originating from Dromatics Systems hosting provider. Due to the consistent spoofed MAC address observed in both waves, Rapid7 assesses that both waves likely originated from the same threat actor.
Rapid7 also noted that across multiple customer environments, attackers issued authentication probes using forged cookies. In 8 out of 10 impacted customers, the appliance accepted the cookie without establishing a full VPN session. This suggests either incomplete exploitation or attackers testing cookie validity before committing to full VPN establishment.
Post-Exploitation Activity
As of the latest Unit 42 and Rapid7 reporting, no post-exploitation lateral movement or privilege escalation activity has been documented. However, the mere establishment of an unauthorized VPN connection represents a critical compromise because the attacker has direct access to the internal network perimeter controlled by that firewall.
MITRE ATT&CK Technique Mapping
The confirmed Palo Alto VPN vulnerability exploitation maps to the following ATT&CK techniques:
- T1190 Exploit Public-Facing Application for initial access via VPN bypass
- T1078 Valid Accounts using spoofed authentication cookies
- T1133 External Remote Services for establishing unauthorized VPN access
- T1021 Remote Services for initial internal network access post-VPN
- T1526 Reconnaissance via internal network enumeration from VPN vantage point
- T1087 Account Discovery on the internal network via VPN connection
Why the Palo Alto VPN Vulnerability Is Critical for Every Organization
The Palo Alto VPN vulnerability CVE-2026-0257 represents one of the most dangerous classes of security flaws: an authentication bypass on a perimeter security device.
VPN Gateways Control Network Boundaries
A firewall's VPN gateway sits at the network boundary controlling all remote access to internal networks. An authentication bypass on this device means an attacker can cross the network perimeter without being authenticated as a legitimate user or device. Once inside the network, the attacker has the same network access as any authenticated remote user.
The Attack Requires No Credentials
Unlike many authentication attacks that require password guessing or credential theft, CVE-2026-0257 requires no credentials at all. An attacker only needs to understand the cookie format and craft a valid-looking cookie. This dramatically lowers the barrier to exploitation and makes the flaw directly reachable from the internet without any prior access.
Affects Multiple Palo Alto Product Lines
The vulnerability affects PAN-OS physical firewalls, VM-Series virtual firewalls running PAN-OS in data centers or cloud, and Prisma Access cloud-managed firewalls. This broad product coverage means the flaw affects organizations with diverse Palo Alto deployments across on-premises and cloud environments simultaneously.
The Initial Severity Underestimation
The fact that Palo Alto initially assigned medium severity (CVSS 4.7) to an authentication bypass on a perimeter security device reflects a concerning gap in severity assessment. The vulnerability was only escalated to high severity (CVSS 7.8) after Rapid7 confirmed active exploitation. This underestimation creates operational risk for organizations that delay patching medium-severity vulnerabilities in their standard patching cycles.
No Post Exploitation Detected Yet
While the latest reporting indicates no post-exploitation lateral movement has been observed, this may simply reflect that attackers are still in the reconnaissance and testing phase. The establishment of VPN access by itself represents a successful compromise of the network boundary.
Five Real World Attack Scenarios
Scenario 1: Financial Services Firm VPN Compromise
A financial services organization runs Palo Alto physical firewalls with GlobalProtect VPN enabled for remote worker access. Cloud Authentication Service is disabled and authentication override cookies are enabled for administrative convenience. An attacker probes the organization's GlobalProtect endpoint from Vultr hosting and crafts an authentication override cookie. The gateway accepts the forged cookie without validation. The attacker establishes a VPN connection with IP assignment. From the internal network, they enumerate Windows domain controllers and attempt credential harvesting. The organization discovers the unauthorized VPN session after 6 days of undetected access.
Scenario 2: Healthcare Organization Ransomware Pre-positioning
A healthcare system runs VM-Series Palo Alto firewalls in their private cloud for VPN access. The authentication override cookie feature is enabled. An attacker crafts a forged cookie and establishes VPN access. Over a week they map the internal network, identify file servers and backup infrastructure, and position ransomware payloads on critical systems. On day eight they execute the ransomware simultaneously across all systems. The organization's backup and disaster recovery infrastructure was also compromised through the same VPN access, eliminating recovery options without a ransom payment.
Scenario 3: Government Agency Supply Chain Access
A government contractor runs Palo Alto firewalls with Prisma Access for distributed office VPN access. An attacker exploits CVE-2026-0257 to establish VPN access to the contractor's network. They gain access to a workstation used for secure communications with government agencies. The attacker extracts security credentials and tokens used for government system authentication. These credentials are then used to establish unauthorized access to government systems, turning the contractor into an inadvertent supply chain attack vector into the government agency's network.
Scenario 4: Law Firm Client Data Theft
A law firm runs Palo Alto GlobalProtect for secure remote access. An attacker exploits the authentication bypass to establish VPN access. They enumerate the file servers and locate client data organized by case. They selectively steal highly sensitive case files from high value clients and exfiltrate them. The firm discovers the breach when clients receive extortion demands from the attacker threatening to publish confidential legal documents and communications.
Scenario 5: Managed Service Provider Multi-Client Compromise
An MSP runs Palo Alto firewalls providing VPN access to dozens of SMB clients. An attacker exploits CVE-2026-0257 on the MSP's firewall and gains VPN access to the MSP's management network. From there they move laterally to systems managing the MSP's client environments. They establish backdoor access to the MSP's client management interfaces. The attacker can then pivot to any client environment through the MSP's administrative access, compromising dozens of organizations through a single firewall vulnerability.
How to Detect the Palo Alto VPN Vulnerability Being Exploited
Detecting exploitation of the Palo Alto VPN vulnerability requires specific monitoring of authentication events and VPN sessions.
Logging and Monitoring Requirements
- Enable detailed authentication logging on all GlobalProtect gateways and portals, capturing all authentication events including cookie-based authentication
- Log all VPN sessions including source IP, authentication method, assigned VPN IP, session duration, and data transferred
- Monitor for authentication events from unexpected source IP addresses, especially those from known hosting providers like Vultr or Dromatics Systems
- Enable syslog forwarding of all firewall authentication and VPN events to your SIEM platform in real time
- Collect traffic flow logs capturing all VPN session activity for correlation with other security events
- Enable detailed logging of all configuration changes related to authentication override cookies and Cloud Authentication Service settings
Detection Rules for CVE-2026-0257
- Alert on successful VPN authentication immediately followed by failed local login attempts on the firewall itself
- Detect authentication override cookie usage when Cloud Authentication Service is disabled
- Flag VPN sessions established from multiple source IP addresses within a short time window suggesting automated cookie testing
- Alert on VPN sessions with anomalous geographic origin or unexpected source providers
- Detect VPN sessions established from previously unseen source IP addresses followed by internal network reconnaissance
- Monitor for authentication events using default or administrative account credentials via cookie authentication
SIEM Correlation Rules
- Correlate failed authentication attempts from external IPs with subsequent successful VPN session establishment suggesting cookie forgery testing
- Build rules flagging VPN sessions from hosting provider IP ranges like Vultr or Dromatics Systems
- Alert on multiple VPN session attempts from the same source IP seconds apart, suggesting automated exploitation attempts
- Correlate VPN session establishment with subsequent DNS queries for internal systems suggesting post-compromise reconnaissance
- Build detection logic for SMB or RDP connections from VPN sessions to systems not regularly accessed by legitimate VPN users
Threat Hunting
- Query authentication logs for VPN sessions established via authentication override cookies when Cloud Authentication Service is disabled
- Review firewall configuration change logs for authentication override cookie enablement dates
- Hunt for VPN IP assignments from unexpected geographic locations or hosting providers
- Search for VPN sessions immediately followed by Windows domain enumeration or credential harvesting tools
- Query traffic logs for unusual outbound connections from VPN sessions to external IP addresses
- Review failed authentication attempts immediately preceding successful VPN sessions using cookies
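The detection rules, SIEM correlations and hunting queries above, as one added example that is not part of the original advisory: it runs the rules over constructed log lines in a simplified event format (not the real PAN-OS syslog layout). The hosting-provider range, the baseline of known sources and the CAS flag are placeholders to be fed from your own threat intel and gateway configuration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified event format, not the real PAN-OS syslog layout:
#   "<ISO time> <event> src=<ip> user=<name> method=<cookie|password> [vpn_ip=<ip>]"
# Event kinds: auth-success, auth-fail, vpn-session, local-login-fail (on the firewall itself).
SAMPLE_LOG = """\
2026-05-17T02:10:00 auth-success src=203.0.113.10 user=admin method=cookie vpn_ip=10.1.0.5
2026-05-17T02:10:01 vpn-session src=203.0.113.10 user=admin method=cookie vpn_ip=10.1.0.5
2026-05-17T02:10:02 auth-success src=203.0.113.11 user=admin method=cookie
2026-05-17T02:10:04 auth-success src=203.0.113.12 user=admin method=cookie
2026-05-17T02:11:30 local-login-fail src=10.1.0.5 user=admin method=password
2026-05-17T09:00:00 auth-success src=198.51.100.7 user=jsmith method=password vpn_ip=10.1.0.6
2026-05-17T09:00:01 vpn-session src=198.51.100.7 user=jsmith method=password vpn_ip=10.1.0.6
"""

# Placeholders: the hosting-provider range and the baseline of expected remote sources are
# constructed here; in practice feed them from threat intel and historical VPN logs.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
KNOWN_SOURCES = {"198.51.100.7"}

def parse(log: str) -> list:
    """Turn the constructed log lines into dicts sorted by timestamp."""
    events = []
    for line in log.splitlines():
        ts, kind, *kv = line.split()
        fields = dict(p.split("=", 1) for p in kv)
        events.append({"ts": datetime.fromisoformat(ts), "kind": kind, **fields})
    return sorted(events, key=lambda e: e["ts"])

def detect(events: list, cas_enabled: bool = False, burst_n: int = 3,
           burst_window: timedelta = timedelta(seconds=10),
           local_fail_window: timedelta = timedelta(minutes=5)) -> list:
    """Return (rule, src, user) tuples for the detection and correlation rules above."""
    alerts = []
    cookie_auths = defaultdict(list)   # user -> [(ts, src)] for burst correlation
    sessions = []                      # (ts, vpn_ip, src, user) for post-session correlation
    for e in events:
        src = ipaddress.ip_address(e["src"])
        if e["kind"] == "auth-success" and e["method"] == "cookie":
            # Rule: override-cookie authentication accepted while CAS is disabled
            if not cas_enabled:
                alerts.append(("cookie-auth-without-cas", e["src"], e["user"]))
            cookie_auths[e["user"]].append((e["ts"], e["src"]))
        if e["kind"] == "vpn-session":
            sessions.append((e["ts"], e.get("vpn_ip"), e["src"], e["user"]))
            # Rule: session sourced from hosting-provider space or from a never-seen source
            if any(src in net for net in HOSTING_RANGES):
                alerts.append(("vpn-from-hosting-provider", e["src"], e["user"]))
            if e["src"] not in KNOWN_SOURCES:
                alerts.append(("vpn-from-unseen-source", e["src"], e["user"]))
        if e["kind"] == "local-login-fail":
            # Rule: successful VPN session followed by a failed local login from the assigned VPN IP
            for ts, vpn_ip, s_src, s_user in sessions:
                if vpn_ip == e["src"] and ts <= e["ts"] <= ts + local_fail_window:
                    alerts.append(("vpn-then-local-login-fail", s_src, s_user))
    # Rule: one account hit with cookie auth from >= burst_n distinct sources in a short window
    for user, hits in cookie_auths.items():
        for t0, _ in hits:
            srcs = {s for t, s in hits if t0 <= t <= t0 + burst_window}
            if len(srcs) >= burst_n:
                alerts.append(("automated-cookie-testing", ",".join(sorted(srcs)), user))
                break
    return alerts

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```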
Mitigation Recommendations for the Palo Alto VPN Vulnerability
These are the immediate steps your team must take to address the Palo Alto VPN vulnerability.
Patch or Mitigate Immediately
Palo Alto has released patches for all supported PAN-OS versions. There are no workarounds that eliminate the vulnerability without making configuration changes.
- Apply Palo Alto patches to all GlobalProtect gateways and portals immediately without waiting for regular patch cycles
- Verify patch deployment across all physical firewalls, VM-Series instances, and Prisma Access deployments in your environment
- If patches cannot be applied immediately, implement mandatory mitigations while patching is underway
Disable or Reconfigure Authentication Override
If patching cannot be deployed immediately, disable the authentication override feature entirely or reconfigure it with additional protections.
- Disable the authentication override cookie feature on all GlobalProtect gateways unless absolutely required for business operations
- If authentication override must remain enabled, generate a new dedicated certificate for authentication override use separate from other certificates
- Enable Cloud Authentication Service to replace cookie based authentication where operationally feasible
Enable Enhanced Logging and Monitoring
Implement comprehensive logging of all authentication events to detect ongoing or past exploitation.
- Enable detailed authentication logging on all GlobalProtect components capturing full session details
- Forward all firewall authentication and VPN logs to your SIEM in real time
- Implement alerting rules for suspicious authentication patterns and unexpected source IP ranges
Conduct Forensic Investigation of the Exposure Window
Active exploitation was confirmed from May 17, 2026 onward. All organizations running vulnerable PAN-OS versions during this window should investigate for signs of compromise.
- Review all VPN authentication logs from May 17, 2026 to present for authentication override cookie usage
- Identify any VPN sessions from unexpected or hosting provider source IP addresses
- Audit VPN session activity for unusual internal network reconnaissance or lateral movement patterns
- If any indicators of compromise are found, engage incident response immediately
- Rotate all credentials that may have been accessible through VPN sessions during the exposure window
Restrict Network Access to VPN Endpoints
While patching is underway, restrict VPN access to only authorized users and devices.
- Implement IP allowlisting on GlobalProtect gateways restricting VPN access to known corporate IP addresses
- Require VPN access through a bastion host or jump server rather than direct endpoint access
- Apply stricter access controls to sensitive resources reachable through the VPN tunnel
- Monitor VPN session activity for any deviations from normal usage patterns
What the Palo Alto VPN Vulnerability Tells Us About Security
The Palo Alto VPN vulnerability CVE-2026-0257 highlights critical lessons about perimeter security and vulnerability severity assessment.
Authentication Bypass on Perimeter Devices Is Maximally Dangerous
A firewall's job is to enforce the security boundary between trusted internal networks and untrusted external networks. An authentication bypass on a firewall means an attacker can cross that boundary without legitimate authorization. This is the most direct path to internal network compromise.
Severity Assessment Matters for Patching Decisions
The initial CVSS 4.7 (medium) rating on an authentication bypass affecting a perimeter device was a severe underestimation. Organizations prioritize patching critical and high severity vulnerabilities ahead of medium severity ones. Attackers were actively exploiting this flaw while it carried a medium rating, creating a dangerous window where many organizations had not yet patched.
Convenience Features Create Vulnerability
Authentication override cookies were designed for administrative convenience, allowing easier access in specific scenarios. Security is constantly negotiated against convenience. However, the implementation of this convenience feature did not include the cryptographic validation necessary to make it secure. This pattern repeats across security software: features designed for convenience often lack the defensive rigor of the primary security controls.
Perimeter Devices Require Different Patching Urgency
Firewalls, VPN gateways, email gateways, and other perimeter security devices should receive different patching treatment than internal systems. An exploit on a perimeter device provides direct access to the network boundary without requiring lateral movement. Organizations should apply critical and high severity patches to perimeter devices with emergency response timelines measured in hours or days, not weeks.
Key Takeaway
The Palo Alto VPN vulnerability CVE-2026-0257 is an authentication bypass flaw in GlobalProtect portal and gateway components affecting PAN-OS and Prisma Access. The flaw allows attackers to forge authentication override cookies and establish unauthorized VPN connections without providing any valid credentials. Rapid7 confirmed active exploitation beginning May 17, 2026, with successful VPN access establishment on multiple customer systems. The flaw was initially assigned CVSS 4.7 (medium) but revised to CVSS 7.8 (high) on May 29, 2026, the same day CISA added it to the Known Exploited Vulnerabilities catalog and ordered federal agencies to patch by June 1, 2026.
Palo Alto has released patches for all supported versions. Organizations should patch immediately without waiting for regular patch cycles. If patching cannot be completed immediately, disable authentication override cookies or generate a new dedicated certificate for their use. Conduct forensic investigation of VPN authentication logs from May 17 onward to determine if your organization was compromised during the exploitation window.
Frequently Asked Questions About the Palo Alto VPN Vulnerability
What is the Palo Alto VPN vulnerability CVE-2026-0257?
The Palo Alto VPN vulnerability CVE-2026-0257 is an authentication bypass flaw in the GlobalProtect portal and gateway components of PAN-OS and Prisma Access. It allows remote unauthenticated attackers to forge authentication override cookies and establish unauthorized VPN connections without providing valid credentials. The flaw stems from inadequate validation and integrity checking of authentication override cookies during the authentication process. It was disclosed on May 13, 2026, initially rated CVSS 4.7 (medium), then upgraded to CVSS 7.8 (high) on May 29, 2026, following confirmed in-the-wild exploitation.
Is the Palo Alto VPN vulnerability CVE-2026-0257 being actively exploited?
Yes. Rapid7 MDR confirmed active exploitation beginning May 17, 2026, with successful VPN access establishment across multiple customer environments. Two waves of exploitation have been observed, both believed to originate from the same threat actor using consistent spoofed MAC addresses and sourcing from hosting providers Vultr and Dromatics Systems. CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026, confirming active in-the-wild exploitation activity.
How does the Palo Alto VPN vulnerability CVE-2026-0257 work technically?
The vulnerability exploits the lack of cryptographic validation on authentication override cookies. When Cloud Authentication Service is disabled and authentication override cookies are enabled, the GlobalProtect gateway accepts any cookie matching the expected format without verifying the cookie's cryptographic integrity or origin. Attackers craft forged cookies that appear valid to the gateway. Upon accepting the forged cookie, the gateway assigns a VPN IP address and establishes a full VPN connection, granting the attacker access to the internal network.
Why is the Palo Alto VPN vulnerability CVE-2026-0257 particularly dangerous?
The vulnerability is particularly dangerous because it affects a perimeter security device that controls network boundaries. An authentication bypass on a firewall means an attacker can cross the network perimeter without legitimate authorization, reaching internal networks directly. The flaw requires no credentials, no user interaction, and no prior access. It is remotely exploitable from the internet against any GlobalProtect gateway.
Who is most at risk from the Palo Alto VPN vulnerability CVE-2026-0257?
Any organization running Palo Alto physical firewalls, VM-Series virtual firewalls, or Prisma Access with GlobalProtect enabled is at risk. The risk is highest for organizations with authentication override cookies enabled and Cloud Authentication Service disabled. Organizations that have not patched or implemented mitigations since the vulnerability disclosure on May 13, 2026 are directly exposed to active exploitation.
How should organizations respond to the Palo Alto VPN vulnerability?
Organizations must apply Palo Alto patches immediately to all GlobalProtect gateways and portals without waiting for regular patch cycles. If patching cannot be completed immediately, disable authentication override cookies or generate a new dedicated certificate for their use. Organizations should investigate all VPN authentication logs from May 17, 2026 onward for signs of exploitation using forged cookies. If any indicators of compromise are found, engage incident response immediately. All credentials accessible through VPN sessions during the exploitation window should be rotated as a precautionary measure.