An authentication bypass vulnerability, CVE-2026-0257, in Palo Alto Networks PAN-OS GlobalProtect portal and gateway components has been actively exploited, prompting CISA to add it to its Known Exploited Vulnerabilities (KEV) Catalog. Federal agencies now have until June 13, 2026, to apply patches for this flaw, which attackers are using to forge session cookies and establish unauthorized VPN connections. The vulnerability, rated CVSS 7.8 (High), affects widely deployed enterprise edge devices.

What Happened

CISA added CVE-2026-0257 to its KEV Catalog on May 29, 2026, due to confirmed active exploitation. Federal agencies have until June 13, 2026, to patch this authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect portal and gateway components. NVD lists the weakness type as Unspecified and assigns a CVSS score of 7.8 (High severity).

Affected versions include PAN-OS 10.2 through 12.1. Rapid7 researchers confirmed active exploitation began around May 17, 2026, just four days after Palo Alto Networks addressed the issue on May 13, 2026. Attackers forge session cookies to bypass GlobalProtect authentication, gaining unauthorized VPN access. Initial observations indicate exploitation attempts originated from Vultr-hosted IP addresses, targeting enterprise local admin accounts, as BleepingComputer reported. No specific malware has been publicly tied to this exploit; the objective is initial access and a network foothold.

Why It Matters

Attackers use CVE-2026-0257 to bypass the network perimeter: a successful exploit lets an adversary establish an unauthorized VPN connection straight through the firewall and potentially gain sweeping access to internal networks. This could expose sensitive data across many systems, from user directories to critical operational technology, though the extent of data exposure has not been confirmed by affected organizations.

Palo Alto GlobalProtect is deployed extensively across enterprise and government networks globally, indicating a broad attack surface. Organizations, including U.S. federal agencies and critical infrastructure entities, are directly in the crosshairs. CISA also added CVE-2024-21182 (Oracle WebLogic Server) to its KEV catalog on June 1, 2026, but CVE-2026-0257 is the more immediate and critical concern due to its direct impact on network perimeter integrity and confirmed, active exploitation. Ignoring your VPN gateway leads to losing control of your network.

Affected Scope & Remediation

The vulnerability impacts Palo Alto Networks PAN-OS GlobalProtect portal and gateway components across versions 10.2 through 12.1. Any organization running these versions without the latest updates is exposed. Patch it, and patch quickly.

Product               Version Range   Fixed Version
PAN-OS GlobalProtect  10.2.x          Latest patched versions for 10.2 as of May 13, 2026
PAN-OS GlobalProtect  11.0.x          Latest patched versions for 11.0 as of May 13, 2026
PAN-OS GlobalProtect  11.1.x          Latest patched versions for 11.1 as of May 13, 2026
PAN-OS GlobalProtect  12.0.x          Latest patched versions for 12.0 as of May 13, 2026
PAN-OS GlobalProtect  12.1.x          Latest patched versions for 12.1 as of May 13, 2026

[Key metrics chart: CISA KEV: PAN-OS Auth Bypass CVE-2026-0257 Actively Exploited; data from the sources cited above]

Palo Alto Networks addressed the vulnerability on May 13, 2026, releasing patches across affected branches. Federal civilian agencies must apply these updates by June 13, 2026. For everyone else, that date is a strong suggestion to act now. No specific workarounds are publicly available beyond applying the vendor-supplied patches immediately.

The timeline is tight: Palo Alto Networks disclosed and patched the vulnerability on May 13, 2026. However, Rapid7 confirmed active exploitation began just 4 days later, on May 17, 2026. This rapid jump from patch release to observed exploit indicates that adversaries were either tracking the disclosure closely or had independent knowledge. After patching, monitor GlobalProtect logs for suspicious authentication attempts or forged session cookies. Deploying Endpoint Detection and Response (EDR) solutions like CrowdStrike Falcon or SentinelOne on VPN clients and internal systems can help detect post-exploitation activity even if initial access succeeded.

NVD advisory — CVE-2026-0257

Technical Breakdown

CVE-2026-0257 is an authentication bypass in the GlobalProtect portal and gateway components. The flaw allows an unauthenticated attacker to generate or forge valid session cookies. This is like fabricating a hotel key card without checking in at the front desk. With this fabricated key, they can establish an unauthorized VPN session and gain access to the internal network.

This is a fundamental flaw in how GlobalProtect verifies a user's session: an attacker can present what appears to be a legitimate, active session without ever providing credentials. Once inside, attackers can use this network access for further reconnaissance, lateral movement, and data exfiltration. Rapid7 observed that initial exploitation attempts specifically targeted enterprise local admin accounts, indicating a clear intent to elevate privileges and establish persistent access.

Mapping this to MITRE ATT&CK, the primary technique is T1190 Exploit Public-Facing Application, as attackers directly target an internet-exposed service to gain initial access. Following successful authentication bypass, the establishment of a VPN session falls under T1133 External Remote Services. From a NIST SP 800-53 perspective, this vulnerability directly violates IA-2 Identification and Authentication (Organizational Users) by allowing unauthorized authentication and undermines AC-3 Access Enforcement by bypassing intended access controls. Implementing a Zero Trust architecture, perhaps with a tool like Cloudflare Zero Trust, can help mitigate the blast radius if an edge device is compromised, by ensuring that even authorized VPN users are subject to continuous verification.

Historical Context

The active exploitation of CVE-2026-0257 echoes a dangerous pattern of targeting edge-facing enterprise VPN appliances. A direct parallel can be drawn to the widespread exploitation of multiple vulnerabilities in Pulse Secure VPN appliances in 2019-2020, particularly CVE-2019-11510 and CVE-2019-11539. These flaws allowed unauthenticated attackers to gain arbitrary file read and pre-authentication command injection, respectively, leading to authentication bypass, credential theft, and full network access.

Much like the current PAN-OS situation, threat groups, including state-sponsored actors, rapidly weaponized the Pulse Secure exploits because they offered a direct, high-value path into corporate and government networks. The core similarity is the exploitation of a perimeter device designed to facilitate secure remote access, turning it into a primary infiltration vector. The difference often lies in the specific technical mechanism (e.g., file read vs. cookie forging), but the impact – unauthorized access to internal networks – remains consistently severe. These incidents collectively underscore that VPN appliances, by their nature of being exposed to the internet and granting deep network access, are perennial targets and critical patch management priorities.

Data at a Glance

Metric                        Value                        Source
CVSS Score                    7.8 (High)                   NVD
Days to Observed Exploitation 4 days                       Rapid7, Palo Alto Networks
CISA KEV Patch Deadline       15 days (from KEV listing)   CISA
Affected PAN-OS Versions      3 major versions             NVD
Attack Vector                 Network                      NVD
Exploitation Status           Active                       Rapid7

Our Take

This CVE-2026-0257 exploit is a direct shot at the network's front door. We've seen this play out too many times with VPN appliances. The 4-day window between patch availability and confirmed active exploitation shows how quickly sophisticated actors move. Waiting to patch isn't an option when an authentication bypass lets attackers walk straight into your network. This is bad. Patch it now.

The CVEDaily Take

The rapid weaponization of CVE-2026-0257 suggests that either the vulnerability was known prior to Palo Alto Networks' patch release, or adversaries are now exceptionally quick at reverse-engineering patches for immediate exploitation. We think organizations relying on GlobalProtect must assume a compromise scenario occurred before the patch was even available given the speed of exploitation. Has your team audited GlobalProtect authentication logs for forged session cookie indicators specifically since May 17, 2026?

FAQ

Q1: What is CVE-2026-0257?
A1: CVE-2026-0257 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect portal and gateway components, allowing unauthenticated attackers to forge session cookies and establish unauthorized VPN connections.

Q2: How does the CVE-2026-0257 exploit work?
A2: Attackers exploit CVE-2026-0257 by creating or forging valid session cookies. These forged cookies allow them to bypass the GlobalProtect VPN's authentication mechanisms, granting them unauthorized access to the internal network without requiring legitimate credentials.

Q3: What should organizations do immediately regarding CVE-2026-0257?
A3: Organizations should immediately apply the latest patches for Palo Alto Networks PAN-OS GlobalProtect portal and gateway components across all affected versions (10.2 through 12.1). Following patching, review GlobalProtect authentication logs for any suspicious activity, especially attempts originating from unfamiliar IP addresses or unusual login patterns, observed since May 17, 2026.
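The log review recommended in A3 and in the remediation section above (look for logins after May 17, 2026, from unfamiliar source addresses, against local admin accounts, or via a session cookie that was never preceded by a real interactive authentication) is the kind of check that is easier to run as a script than by eye. The following is an added example written for this article; it is not CVEDaily's code, nor Palo Alto Networks' tooling, and the CSV-style log format, field names, watchlist and sample events are all constructed for illustration. Real PAN-OS GlobalProtect exports use the vendor's own schema, so map your exported columns onto the five fields the parser expects before running it against real data.

```python
"""Triage constructed GlobalProtect-style authentication events after CVE-2026-0257.

Added example, not code from the article or from Palo Alto Networks. The log
format (timestamp,event,user,src_ip,auth_method), the watchlist and the sample
lines are constructed; adapt the parser to your real export's columns.
"""
import ipaddress
from datetime import datetime, timezone

# Rapid7's observed start of exploitation, as reported in the article.
EXPLOITATION_START = datetime(2026, 5, 17, tzinfo=timezone.utc)

# Assumption: address ranges your known-good clients normally come from (constructed, TEST-NET-3).
KNOWN_SOURCE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: account names that count as local admin accounts in your environment (constructed).
LOCAL_ADMIN_HINTS = ("admin", "localadmin", "root")

# Auth methods that prove the user actually presented credentials (constructed labels).
INTERACTIVE_METHODS = {"saml", "ldap", "password", "radius"}

# Constructed sample events: timestamp,event,user,src_ip,auth_method
SAMPLE_LOG = """\
2026-05-16T08:01:12Z,gateway-login,alice,203.0.113.10,saml
2026-05-18T02:14:55Z,gateway-login,admin,198.51.100.7,cookie
2026-05-18T02:15:03Z,gateway-login,admin,198.51.100.7,cookie
2026-05-18T02:15:41Z,gateway-login,localadmin,198.51.100.7,cookie
2026-05-18T09:30:00Z,gateway-login,bob,203.0.113.22,saml
2026-05-18T10:00:00Z,gateway-login,bob,203.0.113.22,cookie
2026-05-19T23:59:59Z,gateway-login,svc-backup,192.0.2.44,cookie
"""


def parse_events(text):
    """Parse the constructed CSV-style log into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event, user, src, method = [f.strip() for f in line.split(",")]
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "event": event,
            "user": user,
            "src": ipaddress.ip_address(src),
            "method": method,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def is_known_source(ip):
    return any(ip in net for net in KNOWN_SOURCE_RANGES)


def triage(events):
    """Flag gateway logins that match the article's review criteria.

    A session established by cookie for a (user, source) pair that never completed
    an interactive login earlier in the window is the heuristic used here for a
    possibly forged session cookie; it is a review aid, not proof of compromise.
    """
    findings = []
    interactive_seen = set()  # (user, src) pairs with a prior credentialed login
    for e in events:
        if e["event"] != "gateway-login":
            continue
        key = (e["user"], e["src"])
        if e["method"] in INTERACTIVE_METHODS:
            interactive_seen.add(key)
            continue
        reasons = []
        if e["ts"] >= EXPLOITATION_START:
            reasons.append("after-exploitation-start")
        if not is_known_source(e["src"]):
            reasons.append("unknown-source")
        if e["method"] == "cookie" and key not in interactive_seen:
            reasons.append("cookie-without-prior-interactive-login")
        if e["user"].lower() in LOCAL_ADMIN_HINTS:
            reasons.append("local-admin-account")
        if reasons:
            findings.append({
                "ts": e["ts"].isoformat(),
                "user": e["user"],
                "src": str(e["src"]),
                "method": e["method"],
                "reasons": reasons,
                "severity": "high" if len(reasons) >= 3 else "low",
            })
    return findings


def high_priority_users(findings):
    """Distinct accounts with at least one high-severity finding, for the first call list."""
    return sorted({f["user"] for f in findings if f["severity"] == "high"})


if __name__ == "__main__":
    results = triage(parse_events(SAMPLE_LOG))
    for f in results:
        print(f["severity"].upper(), f["ts"], f["user"], f["src"], ", ".join(f["reasons"]))
    print("review first:", high_priority_users(results))
```

On the constructed sample the three cookie-only logins from outside the known ranges (two against `admin`, one against `localadmin`, one against `svc-backup`) come out as high severity, `bob`'s cookie login is low severity because a SAML login from the same address preceded it, and `alice` is not flagged at all. The severity threshold and the reason list are deliberately simple so that you can swap in your own watchlists and tune them against a week of baseline logs before trusting the output.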