Palo Alto PAN-OS Flaw CVE-2026-0257 Actively Exploited

Organizations using Palo Alto Networks firewalls are being urged to take immediate action after a recently disclosed security vulnerability in PAN-OS GlobalProtect was found to be actively exploited by threat actors. The flaw, tracked as CVE-2026-0257, allows attackers to bypass authentication controls and establish unauthorized VPN connections, potentially exposing internal corporate networks to unauthorized access.

The vulnerability affects both Palo Alto Networks PAN-OS and Prisma Access environments and has already been observed in real-world attacks targeting unpatched systems.

CVE-2026-0257 is an authentication bypass vulnerability with a CVSS score of 7.8. According to Palo Alto Networks, the flaw exists within the GlobalProtect portal and gateway components of PAN-OS software.

The flaw allows attackers to bypass normal authentication requirements and create unauthorized VPN sessions. As a result, an attacker may gain network access without ever presenting valid credentials, which significantly raises the risk of a full network compromise.

Palo Alto Networks explained that the vulnerability impacts firewalls where GlobalProtect portal or gateway functionality is enabled, authentication override cookies are in use, and a specific certificate configuration exists. When these conditions are met, attackers can exploit the weakness to circumvent security restrictions and gain access to protected resources.

The threat has become more serious after Palo Alto Networks confirmed that exploitation attempts are already occurring against vulnerable devices.

In an update released on May 29, 2026, the company stated that it had become aware of limited exploitation attempts targeting organizations running unpatched PAN-OS systems without appropriate mitigations in place.

This confirmation means the vulnerability has moved beyond a theoretical risk and is now being actively weaponized by attackers. Security teams should treat the flaw as a high-priority issue and deploy fixes immediately.

Additional details about the attacks were provided by cybersecurity firm Rapid7, which observed successful exploitation attempts across multiple customer environments.

According to the company, the earliest attack activity was detected on May 17, 2026. A second wave of attacks followed on May 21, 2026. Security researchers believe that both waves were conducted by the same threat actor or threat group.

During the second wave of exploitation, attackers were observed successfully obtaining VPN IP assignments after bypassing authentication controls. In at least two cases, this granted access to the victims’ internal networks.

While Rapid7 did not observe further malicious activity after network access was established, the company warned that the ability to gain unauthorized VPN access represents a significant security risk. Attackers who obtain such access could potentially move laterally through networks, access sensitive systems, or deploy additional malware.

Rapid7 emphasized that organizations should not assume they are safe simply because no follow-up activity has been detected. Unauthorized access itself is a serious security incident that requires immediate attention.

Enterprise VPN gateways are often exposed directly to the internet, making them attractive targets for cybercriminals and nation-state actors.

When attackers successfully exploit an authentication bypass vulnerability in a VPN appliance, they can potentially:

  • Gain unauthorized access to internal corporate networks
  • Bypass traditional login security controls
  • Access sensitive business resources
  • Launch lateral movement attacks
  • Conduct reconnaissance activities
  • Prepare the environment for future cyberattacks

Because GlobalProtect is widely deployed by businesses, government agencies, and critical infrastructure organizations, exploitation of this vulnerability could have widespread consequences.

Palo Alto Networks has released security updates to address CVE-2026-0257 and strongly recommends that affected customers apply the available patches as soon as possible.

For organizations unable to immediately deploy updates, the company has suggested temporary mitigation measures, including:

  • Disabling the authentication override feature
  • Generating and using a new certificate exclusively for authentication override functionality

While these mitigations can reduce the risk of exploitation, applying the vendor-provided patch remains the most effective protection.

Security teams should also review GlobalProtect portal and gateway logs and authentication records for unusual activity that may indicate earlier exploitation attempts: gateway sessions that were not preceded by a successful portal login for the same user, VPN IP assignments to unfamiliar accounts, and several different usernames connecting from a single source address in a short period.
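The following script is an added example of such a log review, not code from Palo Alto Networks or Rapid7. It applies one heuristic grounded in the conditions described above: because the bypass turns on authentication override cookies, a cookie-based gateway login that was never preceded by a successful portal authentication for that user is worth an alert, as is a single source address that obtains sessions for several different users in quick succession. The log lines are constructed, and their column names and the `auth_method` value `cookie` are simplified assumptions rather than the vendor's exact export format; map them to the real field names in your own log export before running it.

```python
"""Hunt for GlobalProtect gateway sessions that did not go through portal
authentication.  Added example for reviewing VPN logs after CVE-2026-0257;
not vendor or Rapid7 code.  The log layout is a constructed, simplified
stand-in for a PAN-OS GlobalProtect log export (assumed column names)."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export.  Columns (assumed, simplified):
# time, event, status, user, source_ip, auth_method, assigned_ip
SAMPLE_LOG = """\
time,event,status,user,source_ip,auth_method,assigned_ip
2026-05-21T08:00:05,portal-auth,success,alice,203.0.113.10,SAML,
2026-05-21T08:00:09,gateway-login,success,alice,203.0.113.10,cookie,10.10.0.21
2026-05-21T08:14:33,gateway-login,success,bob,198.51.100.77,cookie,10.10.0.35
2026-05-21T08:15:02,gateway-login,success,svc-backup,198.51.100.77,cookie,10.10.0.36
2026-05-21T09:02:11,portal-auth,failure,carol,192.0.2.40,LDAP,
2026-05-21T09:02:20,gateway-login,success,carol,192.0.2.40,cookie,10.10.0.40
"""

# Assumed lookback: how far back a legitimate portal login may sit before the
# gateway login that reuses its override cookie.  Set it to your cookie lifetime.
LOOKBACK = timedelta(hours=24)


def parse_log(text):
    """Parse the CSV export into dicts with a datetime in the 'time' field."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return rows


def find_unauthenticated_gateway_logins(rows, lookback=LOOKBACK):
    """Return successful cookie-based gateway logins for which no successful
    portal authentication by the same user exists inside the lookback window."""
    portal_ok = defaultdict(list)  # user -> times of successful portal auth
    for r in rows:
        if r["event"] == "portal-auth" and r["status"] == "success":
            portal_ok[r["user"]].append(r["time"])

    findings = []
    for r in rows:
        if r["event"] != "gateway-login" or r["status"] != "success":
            continue
        if r["auth_method"] != "cookie":
            continue  # credential-based gateway logins are out of scope here
        window_start = r["time"] - lookback
        if any(window_start <= t <= r["time"] for t in portal_ok[r["user"]]):
            continue  # a real portal login explains the cookie
        findings.append({
            "time": r["time"].isoformat(),
            "user": r["user"],
            "source_ip": r["source_ip"],
            "assigned_ip": r["assigned_ip"],
            "reason": "cookie-based gateway login with no portal authentication in window",
        })
    return findings


def sources_with_many_users(rows, window=timedelta(minutes=10), threshold=2):
    """Return {source_ip: [users]} for sources that obtained gateway sessions
    for 'threshold' or more distinct users within 'window'.  One host cycling
    usernames is a pattern of authentication being bypassed, not performed."""
    by_src = defaultdict(list)
    for r in rows:
        if r["event"] == "gateway-login" and r["status"] == "success":
            by_src[r["source_ip"]].append((r["time"], r["user"]))

    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= threshold:
                flagged[src] = sorted(users)
                break
    return flagged


if __name__ == "__main__":
    log_rows = parse_log(SAMPLE_LOG)
    for finding in find_unauthenticated_gateway_logins(log_rows):
        print("ALERT", finding)
    for src, users in sources_with_many_users(log_rows).items():
        print("ALERT multiple users from one source", src, users)
```

On the sample data the script flags bob, svc-backup and carol (carol's portal login failed, so her gateway session has no legitimate origin) and leaves alice alone, and it reports 198.51.100.77 as a single source that collected sessions for two different accounts within a minute. Treat every hit as a lead to confirm against the gateway's assigned-IP records and the user's normal working pattern, not as proof of compromise on its own.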

The exploitation of CVE-2026-0257 highlights a continuing trend of attackers targeting internet-facing security appliances.

VPN gateways, firewalls, and remote access solutions have become frequent targets because they often serve as entry points into corporate environments. Over the past several years, threat actors have repeatedly exploited vulnerabilities in security products from major vendors to gain initial access to enterprise networks.

The latest development comes shortly after cybersecurity researchers reported continued exploitation of another critical vulnerability, CVE-2026-35616, affecting FortiClient Endpoint Management Server (EMS). That flaw has been used to deploy the EKZ Infostealer malware, which is designed to steal sensitive credentials from compromised systems.

These incidents demonstrate how quickly cybercriminals weaponize newly disclosed vulnerabilities and why organizations must prioritize timely patch management.

Further underscoring the seriousness of the issue, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) Catalog.

Inclusion in the KEV catalog indicates that reliable evidence of active exploitation exists. Federal Civilian Executive Branch (FCEB) agencies have been instructed to remediate the vulnerability by June 1, 2026.

When CISA adds a vulnerability to the KEV catalog, it often signals that organizations across both public and private sectors should prioritize remediation efforts immediately.

The active exploitation of CVE-2026-0257 serves as another reminder that internet-facing security appliances remain prime targets for cybercriminals. Organizations using Palo Alto Networks PAN-OS GlobalProtect should urgently assess their exposure, apply available security patches, and implement recommended mitigations where necessary.

With attackers already exploiting vulnerable systems, delaying remediation could provide threat actors with an opportunity to gain unauthorized access to critical networks. Security teams should treat this vulnerability as a high-priority threat and take immediate action to protect their environments.
