CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 30, 2026

PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation

The Hacker News Archived May 30, 2026 ✓ Full text saved

Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the

Full text archived locally
✦ AI Summary · Claude Sonnet


    PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation Ravie LakshmananMay 30, 2026Vulnerability / Network Security Palo Alto Networks has warned that a recently disclosed medium-severity security flaw impacting PAN-OS and Prisma Access has come under active exploitation in the wild. The vulnerability, tracked as CVE-2026-0257 (CVSS score: 7.8), refers to a case of authentication bypass that could be exploited by bad actors to set up VPN connections. "Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection," Palo Alto Networks said in an advisory released on May 13, 2026. The issue specifically affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists, the network security company said. In an update to its advisory on May 29, 2026, Palo Alto Networks said it has "become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied. The development comes after Rapid7 revealed it identified successful exploitation across numerous customers, with the earliest efforts dating back to May 17, 2026, followed by a second wave on May 21. Both the exploitation sets are assessed to be the work of the same threat actor. The activity observed in the second wave involved VPN IP assignment following the cookie authentication in two cases, granting the attacker access to the internal network. No follow-on activity in the customer environments where a VPN session was established, the cybersecurity vendor added. "An authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations," Rapid7 said. "As such, organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis." As temporary mitigations, it's recommended to either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature. The exploitation of CVE-2026-0257 follows a report from Arctic Wolf about the continued weaponization of a critical, now-patched security flaw impacting FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616, CVSS score: 9.1) to deliver credential-stealing malware called EKZ Infostealer. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share SHARE  Authentication bypass, cybersecurity, network security, Palo Alto Networks, PAN-OS, VPN Security, Vulnerability ⚡ Top Stories This Week GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos The New Phishing Click: How OAuth Consent Bypasses MFA MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit Microsoft Warns of Two Actively Exploited Defender Vulnerabilities Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Developer Workstations Are Now Part of the Software Supply Chain Load More ▼ ⭐ Featured Resources Discover How to Navigate the Era of Constant Cyber Exposure [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Claim ANY.RUN Anniversary Offer for Faster Malware Analysis
    💬 Team Notes
    Article Info
    Source
    The Hacker News
    Category
    ◇ Industry News & Leadership
    Published
    May 30, 2026
    Archived
    May 30, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗