PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
The Hacker NewsArchived May 30, 2026✓ Full text saved
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the
Full text archived locally
✦ AI Summary· Claude Sonnet
PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation
Ravie LakshmananMay 30, 2026Vulnerability / Network Security
Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild.
The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections.
"Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection," Palo Alto Networks said in an advisory released on May 13, 2026.
The issue specifically affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists, the network security company said.
In an update to its advisory on May 29, 2026, Palo Alto Networks said it has "become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied.
The development comes after Rapid7 revealed it identified successful exploitation across numerous customers, with the earliest efforts dating back to May 17, 2026, followed by a second wave on May 21. Both the exploitation sets are assessed to be the work of the same threat actor.
The activity observed in the second wave involved VPN IP assignment following the cookie authentication in two cases, granting the attacker access to the internal network. No follow-on activity in the customer environments where a VPN session was established, the cybersecurity vendor added.
"An authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations," Rapid7 said. "As such, organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis."
As temporary mitigations, it's recommended to either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature.
The exploitation of CVE-2026-0257 follows a report from Arctic Wolf about the continued weaponization of a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616, CVSS score: 9.1) to deliver credential-stealing malware called EKZ Infostealer.
Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.
SHARE
Tweet
Share
Share
SHARE
Authentication bypass, cybersecurity, network security, Palo Alto Networks, PAN-OS, VPN Security, Vulnerability
⚡ Top Stories This Week
GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension
NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE
ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories
GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos
The New Phishing Click: How OAuth Consent Bypasses MFA
MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems
Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective
DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows
Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit
Microsoft Warns of Two Actively Exploited Defender Vulnerabilities
Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software
Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws
9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros
⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More
Developer Workstations Are Now Part of the Software Supply Chain
Load More ▼
⭐ Featured Resources
Discover How to Navigate the Era of Constant Cyber Exposure
[Guide] Learn to Detect AI Typosquatting Risks in Your Domain
[Guide] Get Key Identity Security Insights From 2026 Snapshot
Claim ANY.RUN Anniversary Offer for Faster Malware Analysis