Palo Alto says attackers are exploiting GlobalProtect VPN auth bypass flaw CVE-2026-0257

Palo Alto Networks says attackers are now using a GlobalProtect VPN flaw to try to get into corporate networks without valid credentials. The issue, CVE-2026-0257, affects PAN-OS GlobalProtect portal and gateway configurations that use authentication override cookies with specific certificate reuse; attackers can forge those cookies and establish unauthorized VPN access on unpatched devices. Rapid7 says it saw exploitation from at least May 17, 2026, and CISA has added the flaw to its Known Exploited Vulnerabilities catalog.
Why it matters: Organizations that use Palo Alto GlobalProtect could be exposed to unauthorized remote access into internal networks, so this is an urgent patch-now issue. Defenders should update PAN-OS immediately and, if needed, disable authentication override cookies or use a separate certificate for that feature.

Sources

Palo Alto VPN bug graduates from advisory to active exploitation
2026.06.01 98% relevant
This article covers the same underlying event and adds specifics: Rapid7 observed successful exploitation in multiple customer environments as early as May 17 and saw attackers establish unauthorized VPN sessions, and the flaw has been added to CISA's KEV catalog with a federal patch deadline.
Recent Palo Alto Networks Vulnerability Exploited for Weeks
Ionut Arghire 2026.06.01 97% relevant
This directly updates the same CVE-2026-0257 event by adding that exploitation began on May 17, four days after disclosure; describing Rapid7's observed waves from Vultr and Dromatics Systems; noting forged-cookie abuse and partial VPN session establishment; and pointing defenders to Rapid7's PoC scanner and indicators of compromise.
Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
Lawrence Abrams 2026.05.30 100% relevant
This article establishes a new tracked event by confirming active exploitation of Palo Alto PAN-OS GlobalProtect CVE-2026-0257 and linking it to urgent mitigation and KEV listing.