
Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks

Published:

30 May 2026 at 18:02:51

Alert date:

30 May 2026 at 19:00:27

Source:

bleepingcomputer.com


Network Infrastructure, Zero-Day Vulnerabilities, Identity & Access

Palo Alto Networks is warning that attackers are actively exploiting a critical authentication bypass vulnerability in the PAN-OS GlobalProtect VPN, tracked as CVE-2026-0257. The flaw is being used in attacks on corporate networks to get past the perimeter: an organization exposing a GlobalProtect portal or gateway is at risk of unauthorized VPN access and follow-on compromise of the internal network. GlobalProtect is a widely deployed enterprise remote-access component, so the exploitation affects a large installed base.

Technical details

The vulnerability stems from how PAN-OS validates authentication override cookies. A GlobalProtect portal or gateway decrypts the cookie with the private key of the configured certificate and trusts the decrypted contents as-is, without verifying a signature. Because the cookie is only encrypted to the device's public key, anyone who holds that public key can mint a cookie with arbitrary contents. If the same certificate is reused for the HTTPS service and for authentication override, that public key is handed to every client in the TLS handshake, so attackers can create forged cookies that the device accepts as legitimate. In the observed attacks, attackers present forged cookies for the local administrator account to GlobalProtect gateways and can then establish unauthorized VPN connections into internal networks.
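The failure mode above is "decrypt, then trust": public-key encryption proves nothing about who produced the ciphertext. The following toy model is an added illustration and is not PAN-OS code; the real cookie format, key sizes and padding are not described on the page and are not reproduced. It uses textbook RSA over two Mersenne primes (no padding, standard library only) so the whole chain is runnable: the gateway publishes its public key through the HTTPS certificate, the attacker encrypts a forged cookie with that key, the vulnerable check accepts it, and a check that also verifies a signature made with the private key rejects it. The field names (`user`, `role`, `exp`) and the `attacker_forge`/`vulnerable_validate`/`hardened_validate` functions are assumptions made for the example.

```python
"""Toy model of the 'decrypt, then trust' cookie flaw (added example, not PAN-OS code).

Textbook RSA over two Mersenne primes keeps this runnable with the standard
library. The modulus is ~2^234, so cookies must stay under 29 bytes; real
deployments use 2048-bit keys and padding, which this toy omits on purpose.
"""
import hashlib
from typing import Optional, Tuple

# Device keypair. Because the same certificate also terminates HTTPS,
# (N, E) is exactly what every TLS client receives in the server certificate.
P = 2**127 - 1   # Mersenne prime M127 (toy size, far too small for real use)
Q = 2**107 - 1   # Mersenne prime M107
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)    # visible to everyone via the HTTPS certificate
PRIVATE_KEY = (N, D)   # never leaves the device


def _to_int(data: bytes) -> int:
    return int.from_bytes(data, "big")


def _to_bytes(x: int) -> bytes:
    return x.to_bytes((x.bit_length() + 7) // 8, "big")


def _digest(data: bytes) -> int:
    # Truncated to 224 bits so the value is always below N (~2^234).
    return _to_int(hashlib.sha256(data).digest()[:28])


def _parse(plaintext: bytes) -> dict:
    # Assumed cookie layout: "key=value;key=value" (not the real format).
    return dict(kv.split(b"=", 1) for kv in plaintext.split(b";"))


def encrypt_cookie(plaintext: bytes, public_key=PUBLIC_KEY) -> int:
    """Anyone holding the public key can produce a valid-looking ciphertext."""
    n, e = public_key
    assert _to_int(plaintext) < n, "toy modulus: keep cookies under 29 bytes"
    return pow(_to_int(plaintext), e, n)


def sign_cookie(plaintext: bytes, private_key=PRIVATE_KEY) -> int:
    """Only the holder of the private key can produce this tag."""
    n, d = private_key
    return pow(_digest(plaintext), d, n)


# --- vulnerable check: decrypt, then trust the fields ----------------------
def vulnerable_validate(ciphertext: int) -> Optional[bytes]:
    n, d = PRIVATE_KEY
    fields = _parse(_to_bytes(pow(ciphertext, d, n)))
    return fields.get(b"user")          # no proof the device issued this cookie


# --- hardened check: decrypt, then verify a signature over the contents ----
def hardened_validate(ciphertext: int, signature: int) -> Optional[bytes]:
    n, d = PRIVATE_KEY
    plaintext = _to_bytes(pow(ciphertext, d, n))
    if pow(signature, E, n) != _digest(plaintext):
        return None                     # forged or tampered: reject
    return _parse(plaintext).get(b"user")


def attacker_forge(public_key=PUBLIC_KEY) -> Tuple[int, int]:
    """Forged cookie built from the public key alone; the attacker cannot sign."""
    forged = b"user=admin;role=superuser"
    return encrypt_cookie(forged, public_key), 0   # 0: no valid signature


if __name__ == "__main__":
    legit = b"user=alice;exp=1780000000"           # constructed sample cookie
    ct, sig = attacker_forge()
    print("vulnerable accepts forged cookie as:", vulnerable_validate(ct))
    print("hardened accepts forged cookie as:  ", hardened_validate(ct, sig))
    print("hardened accepts genuine cookie as: ",
          hardened_validate(encrypt_cookie(legit), sign_cookie(legit)))
```

The hardened variant still shares one keypair between encryption and signing, which is itself poor practice; it is kept that way only so the example fits in one file. The operational point is the same one the mitigation below makes: what stops the forgery is a check the public key cannot satisfy, and a certificate that is not also served over HTTPS denies the attacker even the starting material.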

Mitigation steps:

Install the PAN-OS security updates that patch the vulnerability as soon as possible.
Until the update is applied, turn off the authentication override feature.
Use a dedicated certificate for authentication override and do not share it with the HTTPS service or any other service on the device; review existing portal and gateway configurations for a certificate that currently serves both roles.
Federal agencies must mitigate the flaw by June 1, 2026 per the CISA directive.

Affected products:

Palo Alto Networks PAN-OS GlobalProtect portal
Palo Alto Networks PAN-OS GlobalProtect gateway

IOCs:

Infrastructure hosted by Vultr (exploitation observed May 18)
Infrastructure from Dromatics Systems (exploitation observed May 21)

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website shows information originating from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
