
Palo Alto CVE-2026-0257: Actively Exploited VPN Flaw Triggers Urgent Warning

A new alert has been issued by Palo Alto Networks: a security flaw discovered in GlobalProtect, its VPN service used by enterprises, is currently being exploited by cybercriminals. Here is what we know about this threat.

The CVE-2026-0257 Security Flaw

On May 13, 2026, Palo Alto Networks published a security advisory about the CVE-2026-0257 vulnerability patched in PAN-OS, the operating system used by its firewalls. This vulnerability affects the GlobalProtect feature in PAN-OS.

"Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® allow an attacker to bypass security restrictions and establish an unauthorized VPN connection," states the security advisory. Initially, this security flaw was assigned a "Medium" severity rating, mainly because it requires a very specific configuration to be exploitable.

However, the current situation is more concerning because this security flaw is being exploited by attackers:

  • Rapid7 says this vulnerability has been exploited since May 17, 2026.
  • CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on May 30, 2026.
  • Palo Alto Networks updated its security advisory to state that patching is urgent.

"Rapid7 MDR identified successful exploitation across many customers; however, we observed no indication of successful lateral movement from these devices. The earliest date observed for this exploitation was May 17, 2026," notes the Rapid7 report.

Exploitation Conditions

To authenticate to a vulnerable GlobalProtect gateway, attackers rely on specially forged cookies. These cookies are crafted to target, first and foremost, the device's local administrator account.

So where exactly does this security issue come from? Researchers explain that the flaw lies in the way PAN-OS validates certain cookies, which in some cases allows authentication to be bypassed. Here is what happens:

  • A GlobalProtect VPN device decrypts the cookie using a configured private key.
  • The device then trusts the decrypted content without performing any signature verification.
  • If the same certificate is reused for both the HTTPS services and the authentication override cookies, an attacker can obtain the corresponding public key simply by opening an HTTPS session to the device.
  • Using this public key, it becomes possible to generate a fake authentication cookie for any user and authenticate without knowing any valid credentials.

In practice, the certificate can be retrieved by the attacker from a public portal or an exposed GlobalProtect gateway. However, for the attack to work, one condition must be met within the PAN-OS configuration itself: the authentication override feature must be enabled.
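To make the "decrypt, then trust the plaintext" problem concrete, here is an added toy model that is not part of the original article and does not reproduce any real PAN-OS cookie format: a gateway that only decrypts a cookie with its private key accepts anything built with the public key, while a gateway that first checks a MAC under a secret that never leaves the device rejects it. The key is a constructed 128-bit textbook RSA pair and the `GATEWAY_MAC_KEY` is an assumed device-local secret, both chosen so the script runs with the standard library alone.

```python
from __future__ import annotations
import hashlib
import hmac
import secrets

# Constructed toy RSA key (two 64-bit primes) so the demo needs no crypto
# library. It models "decrypt with a private key, then trust the result";
# it is not the real cookie format and the key sizes are far too small.
P = 18446744073709551557          # 2^64 - 59, prime
Q = 18446744073709551533          # 2^64 - 83, prime
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (E, N)               # what a shared HTTPS certificate exposes
PRIVATE_KEY = (D, N)              # what only the gateway holds

def rsa_encrypt(msg: bytes, pub) -> int:
    e, n = pub
    return pow(int.from_bytes(msg, "big"), e, n)   # textbook RSA, toy only

def rsa_decrypt(ct: int, priv) -> bytes:
    d, n = priv
    m = pow(ct, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# Vulnerable pattern (deliberate): decrypt and trust whatever comes out.
def gateway_accepts_vulnerable(cookie: int) -> str:
    return rsa_decrypt(cookie, PRIVATE_KEY).decode()

def cookie_from_public_key(username: str) -> int:
    # Anyone holding only the public key can produce a clean ciphertext.
    return rsa_encrypt(username.encode(), PUBLIC_KEY)

# Hardened pattern: the gateway also requires a MAC under a device-local
# secret (assumed here), so possession of the public key no longer suffices.
GATEWAY_MAC_KEY = secrets.token_bytes(32)

def _tag(ct: int) -> bytes:
    return hmac.new(GATEWAY_MAC_KEY, ct.to_bytes(16, "big"), hashlib.sha256).digest()

def issue_cookie_hardened(username: str) -> tuple[int, bytes]:
    ct = rsa_encrypt(username.encode(), PUBLIC_KEY)
    return ct, _tag(ct)

def gateway_accepts_hardened(cookie: tuple[int, bytes]) -> str | None:
    ct, tag = cookie
    if not hmac.compare_digest(tag, _tag(ct)):   # verify BEFORE trusting content
        return None
    return rsa_decrypt(ct, PRIVATE_KEY).decode()
```

Running `gateway_accepts_vulnerable(cookie_from_public_key("admin"))` yields `"admin"`, whereas the hardened gateway returns `None` for the same ciphertext paired with a guessed tag and only accepts cookies it issued itself.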

How Can You Protect Your Palo Alto Networks Devices?

If you use Palo Alto Networks' GlobalProtect VPN solution in your organization, you need to act quickly. The best approach is to install the latest security patches released by the vendor.

Source: Palo Alto Networks

If you cannot apply the patch right away, two mitigation measures are recommended:

  • Disable the authentication override feature.
  • Use a separate certificate for this feature, making sure not to share it with other HTTPS services on the device. That way, an attacker cannot take advantage of a certificate obtained from an authentication portal.

Find all the details in Palo Alto Networks' security advisory.

Florian Burnel Co-founder of IT-Connect
Systems and network engineer, co-founder of IT-Connect and Microsoft MVP "Cloud and Datacenter Management". I'd like to share my experience and discoveries through my articles. I'm a generalist with a particular interest in Microsoft solutions and scripting. Enjoy your reading.
