Patch Now: Another Palo Alto Auth Bypass Bug Under Active Exploit

Exploiting the PAN-OS GlobalProtect VPN vulnerability requires certain conditions, but adversaries have done so in two attack waves that started in mid-May.

Elizabeth Montalbano, Contributing Writer
June 1, 2026

Attackers are exploiting a security vulnerability in Palo Alto Networks' PAN-OS GlobalProtect VPN technology that allows them to bypass authentication and gain VPN access without valid credentials.

In May, Palo Alto Networks (PAN) disclosed and fixed the flaw, tracked as CVE-2026-0257, but it updated the advisory last week to note that there have been "limited exploit attempts on unpatched PAN-OS devices without mitigations applied."

That update came on the heels of research from Rapid7 that identified successful exploitation "across numerous customers" as early as May 17, according to a report also published last week. On May 29, the Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.

The bug affects the GlobalProtect portal and gateway in PAN-OS across various versions, which are listed in the advisory. An internal researcher at the company discovered the flaw, which received an initial CVSS score of 7.8, rated "medium" severity, because exploitation requires firewalls with the GlobalProtect portal or gateway configured with both authentication override cookies enabled and a specific certificate configuration. That hasn't stopped cyberattackers.
Treat the CVE-2026-0257 Issue as 'Critical'

Researchers at Rapid7 are urging organizations to treat the flaw as a critical vulnerability, not only because it is under active exploit, but because "an authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations," according to the report. "As such, organizations running affected appliances are urged to upgrade to a vendor-supplied patch on an urgent basis," Rapid7's alert says, adding that so far its researchers "did not observe any indication of successful lateral movement from the devices."

What they have observed are successful attacks across multiple customer environments. In many cases, attackers used forged authentication cookies to impersonate legitimate users and authenticate to GlobalProtect gateways. A second wave of activity followed on May 21, with evidence that some attackers were assigned VPN addresses and gained internal network access.

How the PAN VPN Exploit Occurs

The issue lies in a feature called "authentication override," which allows a GlobalProtect portal or gateway to issue cookies to an authenticated user. "The authenticated user can then use an authentication override cookie in future communications to the GlobalProtect portal or gateway in lieu of re-authenticating via credentials, akin to a bearer token," according to Rapid7.

The feature is not enabled by default, and the vulnerability also depends on how certificates are used to encrypt and decrypt these authentication override cookies: specifically, the certificate used to encrypt and decrypt authentication override cookies must not be the same certificate used for the GlobalProtect portal or gateway's HTTPS service.
However, Rapid7's analysis found that, under certain configurations, the system trusts decrypted cookies without verifying their authenticity. If administrators reuse the same certificate for both the HTTPS service and cookie encryption, attackers can obtain the certificate's public key and generate forged cookies that PAN's VPN gateway accepts as valid, according to the researchers. Rapid7 developed a proof-of-concept (PoC) tool that demonstrated the attack, showing that a forged cookie could be accepted by vulnerable GlobalProtect gateways and used to establish authenticated sessions.

Apply Cybersecurity Mitigations Now

Because its security technology stands between attackers and the corporate network, security bugs in Palo Alto Networks products often come under attack. Earlier this year, threat actors targeted a separate authentication-bypass flaw in PAN-OS that allows an unauthenticated attacker to invoke certain PHP scripts. CISA also advised organizations to patch that flaw, CVE-2025-0108, which was a zero-day when first identified.

In this case, customers affected by CVE-2026-0257 should apply PAN's fix as soon as possible, according to both PAN and Rapid7. If that is not possible, they should use a dedicated certificate for authentication override cookies, generating a new certificate exclusively for that purpose and storing it securely, according to PAN. The portal or gateway certificate must not be reused for the cookies, and the dedicated certificate should not be shared with other features or users, the company said.

Organizations can also disable authentication override entirely by unchecking all options for the feature, both for generating and accepting cookies, in the GlobalProtect portal and gateway configuration, according to PAN's guidance.
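The design point behind Rapid7's finding, that a cookie which merely decrypts to well-formed claims is no proof the gateway issued it, can be shown with a toy model. This is an added example, not PAN-OS, Rapid7 or the vendor's fix: the stream cipher, the cookie layout, the claim names and the secret-keyed HMAC check are all constructed for illustration, and the HMAC stands in generically for "verify authenticity with material only the issuer holds before trusting the contents."

```python
import hashlib
import hmac
import json

# Constructed toy model of an "authentication override"-style bearer cookie.
# Nothing here reproduces the real PAN-OS cookie format or its cryptography.

TAG_LEN = 32  # bytes of HMAC-SHA256 tag appended by the hardened issuer


def _keystream(key_material: bytes, n: int) -> bytes:
    """Toy stream cipher standing in for 'encrypt to the certificate key'."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key_material + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def _xor(data: bytes, key_material: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key_material, len(data))))


def encrypt_claims(claims: dict, public_material: bytes) -> bytes:
    # Whoever knows public_material (modelled as public, like a certificate's
    # public key) can produce a blob that decrypts cleanly on the other side.
    return _xor(json.dumps(claims, sort_keys=True).encode(), public_material)


def accept_if_decrypts(cookie: bytes, public_material: bytes, now: float) -> bool:
    """Weak check: clean decryption is treated as proof the server issued it."""
    try:
        claims = json.loads(_xor(cookie, public_material))
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both land here
        return False
    return isinstance(claims, dict) and claims.get("exp", 0) > now


def issue_cookie(claims: dict, public_material: bytes, server_secret: bytes) -> bytes:
    """Hardened issuer: encrypt, then tag with a secret only the server holds."""
    blob = encrypt_claims(claims, public_material)
    return blob + hmac.new(server_secret, blob, hashlib.sha256).digest()


def accept_if_authentic(cookie: bytes, public_material: bytes,
                        server_secret: bytes, now: float) -> bool:
    """Hardened check: verify the tag in constant time before trusting claims."""
    if len(cookie) <= TAG_LEN:
        return False
    blob, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(server_secret, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False  # not issued with the server secret, contents never parsed
    claims = json.loads(_xor(blob, public_material))
    return claims.get("exp", 0) > now
```

Note that in the weak path the expiry and user fields are honoured even though anyone with the public material could have written them; the hardened path rejects such a cookie before reading a single claim.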
About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.