Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, an authentication bypass vulnerability in PAN-OS GlobalProtect VPN. Attackers are forging authentication override cookies to gain unauthorized VPN access to corporate networks. Rapid7 observed exploitation starting May 17, 2026, originating from Vultr-hosted infrastructure, with CISA adding the flaw to its Known Exploited Vulnerabilities catalog and ordering federal agencies to patch by June 1. The root cause is PAN-OS trusting decrypted cookie contents without signature verification — if the same certificate is shared between HTTPS services and auth override cookies, attackers can extract the public key and forge valid cookies. Organizations should patch immediately, disable authentication override, or use a dedicated certificate for that feature.

From bleepingcomputer.com