Patch Now: Another Palo Alto Auth Bypass Bug Under Active Exploit
Dark ReadingArchived Jun 01, 2026✓ Full text saved
Exploiting the PAN-OS GlobalProtect VPN vulnerability requires certain conditions, but adversaries have done so in two attack waves that started in mid-May.
Full text archived locally
✦ AI Summary· Claude Sonnet
THREAT INTELLIGENCE
VULNERABILITIES & THREATS
PERIMETER
CYBERSECURITY OPERATIONS
NEWS
Patch Now: Another Palo Alto Auth Bypass Bug Under Active Exploit
Exploiting the PAN-OS GlobalProtect VPN vulnerability requires certain conditions, but adversaries have done so in two attack waves that started in mid-May.
Elizabeth Montalbano,Contributing Writer
June 1, 2026
4 Min Read
SOURCE: SERGEY TARASOV VIA ALAMY STOCK PHOTO
Attackers are exploiting a security vulnerability in Palo Alto Networks' PAN-OS GlobalProtect VPN technology that allows them to bypass authentication and gain VPN access without valid credentials.
In May, Palo Alto Networks (PAN) disclosed and fixed the flaw, tracked as CVE-2026-0257, but it updated the advisory last week to note that there have been "limited exploit attempts on unpatched PAN-OS devices without mitigations applied."
That update came on the heels of research from Rapid7 that identified successful exploitation "across numerous customers" as early as May 17, according to a report, also published last week. And on May 29, the Cybersecurity and Infrastructure Security Agency (CISA) also added the flaw to its Known Exploited Vulnerabilities (KEV) catalog.
The bug affects the GlobalProtect portal and gateway for the PAN-OS software across various versions, which are listed in the advisory. An internal researcher at the company discovered the flaw, which received an initial CVSS score of 7.8 that rated it of "medium" severity, since it requires firewalls with the GlobalProtect portal or gateway configured to have both authentication override cookies enabled and a specific certificate configuration. But that hasn't stopped cyberattackers.
Related:'The Com' Cyberattacks Support Violence & Sexploitation
Treat the CVE-2026-0257 Issue as 'Critical'
Researchers at Rapid7 are urging organizations to treat the flaw as a critical vulnerability, not only because it is under active exploit, but because "an authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations," according to the report.
"As such, organizations running affected appliances are urged to upgrade to a vendor-supplied patch on an urgent basis," according to Rapid7's alert, which added that, so far, its researchers "did not observe any indication of successful lateral movement from the devices."
What they have observed are successful attacks across multiple customer environments. In many cases, attackers used forged authentication cookies to impersonate legitimate users and authenticate to GlobalProtect gateways. Following the initial attacks, there was a second wave of activity on May 21, with evidence that some attackers were assigned VPN addresses and gained internal network access.
How the PAN VPN Exploit Occurs
The issue lies in a feature called "authentication override," which allows a GlobalProtect portal or gateway to issue cookies to an authenticated user. "The authenticated user can then use an authentication override cookie in future communications to the GlobalProtect portal or gateway in lieu of re-authenticating via credentials, akin to a bearer token," according to Rapid7.
Related:AI-Assisted Exploit Development Outpaces Scanner Detection
But, it's not enabled by default. And, the vulnerability requires a certain configuration in how certificates are used to encrypt and decrypt these authentication override cookies — specifically, certificates used to encrypt and decrypt authentication override cookies must not be the same certificate used for the GlobalProtect portal or gateway’s HTTPS service.
However, Rapid7's analysis found that, under certain configurations, the system trusts decrypted cookies without verifying their authenticity. If administrators reuse the same certificate for both HTTPS services and cookie encryption, attackers can obtain the certificate's public key and generate forged cookies that PAN's VPN gateway accepts as valid, according to researchers.
Rapid7 developed a proof-of-concept (PoC) tool that successfully demonstrated the attack, showing that a forged cookie could be accepted by vulnerable GlobalProtect gateways and used to establish authenticated sessions.
Apply Cybersecurity Mitigations Now
Because its security technology stands in the way of attackers accessing the corporate network, security bugs in Palo Alto Networks technology often come under attack. Earlier this year, threat actors targeted a separate authentication-bypass flaw found in PAN-OS software that allows an unauthenticated attacker to invoke certain PHP scripts. CISA also advised organizations to patch that flaw, CVE-2025-0108, which when first identified was a zero-day.
Related:State Cyber Leaders Push Congress for More Funding, Support
In this case, it would be wise for customers affected by CVE-2026-0257 to apply PAN's fix as soon as possible, according to both PAN and Rapid7. If this is not possible, then they should use a dedicated certificate for authentication-override cookies, generating a new certificate exclusively for them and storing it securely, according to PAN. It's also important not to reuse the portal or gateway certificate, and to not share this certificate with other features or users, the company said.
To protect their networks, organizations also can disable authentication override entirely by unchecking all options for the feature, both for generating and accepting cookies, in the GlobalProtect portal and gateway configuration, according to PAN's guidance.
About the Author
Elizabeth Montalbano
Contributing Writer
Elizabeth Montalbano is freelance writer, editor, and journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician.
Want more Dark Reading stories in your Google search results?
ADD US NOW
More Insights
Industry Reports
How Organizations Are Managing Incident Response
How Enterprises Are Developing Secure Applications
Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy
Essential News & Insights from Black Hat USA 2025
How Enterprises Are Harnessing Emerging Technologies in Cybersecurity
Access More Research
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
Defending in the Shadow Era: When the CVE Feed Goes Dark
Building SecOps That Make the Most of Every Dollar
AI-Powered Credential Security: Intelligence Without Exposure
More Webinars
You May Also Like
THREAT INTELLIGENCE
Hackers Target Cybersecurity Firm Outpost24 in 7-Stage Phish
by Jai Vijayan
MAR 17, 2026
THREAT INTELLIGENCE
Iran's Cyber-Kinetic War Doctrine Takes Shape
by Alexander Culafi
MAR 06, 2026
THREAT INTELLIGENCE
React2Shell Exploits Flood the Internet as Attacks Continue
by Rob Wright
DEC 12, 2025
THREAT INTELLIGENCE
Chinese Gov't Fronts Trick the West to Obtain Cyber Tech
by Nate Nelson, Contributing Writer
OCT 06, 2025
Editor's Choice
CYBERSECURITY OPERATIONS
20 Leaders Who Built the CISO Era: 2 Decades of Change
byDark Reading Editorial Team
MAY 12, 2026
41 MIN READ
APPLICATION SECURITY
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
byJai Vijayan
MAY 12, 2026
5 MIN READ
CYBERATTACKS & DATA BREACHES
Instructure Breach Exposes Schools' Vendor Dependence
byAlexander Culafi
MAY 6, 2026
4 MIN READ
Want more Dark Reading stories in your Google search results?
Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.
SUBSCRIBE
Webinars
The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed
TUESDAY, JUNE 23, 2026 1:00 PM EDT
Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack
THURS, JUNE 25, 2026, AT 1PM EST
Defending in the Shadow Era: When the CVE Feed Goes Dark
TUES, JUNE 16, 2026 AT 1PM EST
Building SecOps That Make the Most of Every Dollar
THURS, JULY 9, 2026 AT 1PM EST
AI-Powered Credential Security: Intelligence Without Exposure
WED, JUNE 17, 2026, AT 1PM EST
More Webinars
BLACK HAT USA | MANDALAY BAY, LAS VEGAS
The premier cybersecurity event of the year returns to Mandalay Bay with a re‑engineered, six‑day program built to ignite innovation, push boundaries, and bring the global security community together like never before. Use code: DARKREADING to save $200 on a Briefings pass or $100 on a Business pass.
GET YOUR PASS