Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)
Rapid7, Friday, May 29th, 2026
Rapid7 MDR identified active exploitation of CVE-2026-0257, a critical authentication bypass in Palo Alto Networks PAN-OS GlobalProtect affecting VPN access.
Rapid7 detected successful exploitation of CVE-2026-0257, a medium-severity authentication bypass in PAN-OS GlobalProtect, across multiple customers starting May 17, 2026. Attackers from hosting providers Vultr and Dromatics Systems used forged authentication cookies to bypass VPN authentication and gain access to internal networks, though no lateral movement was observed.
Exploitation abuses a feature called 'authentication override', which issues cookies for future authentication without re-entry of credentials, enabled only when using separate certificates for cookie encryption versus HTTPS services. Rapid7 urges organizations to treat this as a critical vulnerability due to its impact on edge-facing VPN appliances and recommends urgent patching.