Palo Alto VPN Vulnerability Exploited in Real-World Attacks, Urgent Patch Application Needed
A critical authentication bypass vulnerability in Palo Alto Networks' VPN product has been confirmed to be exploited by attackers. Immediate patching is essential.
A critical authentication bypass vulnerability in the VPN product “GlobalProtect,” provided by Palo Alto Networks, a leading company in enterprise network security, has been confirmed to be exploited by attackers. The discovery was made through investigations by security firm Rapid7, whose findings led to the threat level, initially deemed “moderate,” being elevated to the highest urgency level.
Updated Threat Assessment
This vulnerability, tracked as “CVE-2026-0257,” affects PAN-OS environments that use GlobalProtect authentication override cookies under specific configurations. Palo Alto Networks disclosed this issue on May 13, initially categorizing the threat level as “moderate,” stating they were aware of attempts to exploit it but had not observed any successful malicious attacks.
However, this initial assessment was quickly overturned. Rapid7 security researchers reported observing real-world exploitation of this vulnerability in multiple customer environments starting May 17. The firm also conducted proof-of-concept (PoC) tests, verifying the effectiveness of the attack methods.
Attack Mechanism and Specific Threats
According to Rapid7’s analysis, the core issue lies in how PAN-OS trusts authentication override cookies. In specific deployments, attackers could create their own cookies and trick the firewall into accepting them as legitimate.
High-risk configurations include those where the same certificate is used for both HTTPS services and authentication override cookies. In such cases, attackers can access the necessary information to generate convincing fake cookies.
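The design property the two paragraphs above describe, as an added illustrative model that is not part of the original article and does not reproduce PAN-OS or GlobalProtect internals: if the secret that validates an override cookie is derived from the same certificate the HTTPS listener presents to every client, then any party that has completed a TLS handshake holds that material too, and the gateway can no longer distinguish cookies it issued from cookies minted elsewhere. The certificate bytes, user names and timestamps are constructed sample values; the cookie format (`base64(payload).base64(hmac)`) and the function names are assumptions made for the example.

```python
"""Illustrative model of authentication-override cookie trust.

Added, constructed example: it does NOT model PAN-OS or GlobalProtect's
real cookie format. It contrasts a weak design (cookie MAC key derivable
from the public TLS certificate) with a hardened one (an independent
random secret held only by the gateway, plus an expiry check).
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for the bytes of a public TLS certificate. Anything
# presented on the wire to every client is, by definition, not a secret.
PUBLIC_TLS_CERT = (
    b"-----BEGIN CERTIFICATE-----\n"
    b"constructed-sample-certificate-bytes\n"
    b"-----END CERTIFICATE-----\n"
)


def weak_override_key(public_cert: bytes) -> bytes:
    """Weak design: the cookie MAC key is a function of public material only."""
    return hashlib.sha256(public_cert).digest()


def hardened_override_key() -> bytes:
    """Hardened design: an independent random secret that never leaves the gateway."""
    return secrets.token_bytes(32)


def mint_cookie(key: bytes, user: str, ttl_seconds: int,
                now: Optional[float] = None) -> str:
    """Build 'base64(payload).base64(hmac)' with an expiry inside the payload."""
    now = time.time() if now is None else now
    payload = json.dumps({"user": user, "exp": int(now) + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(tag).decode())


def gateway_accepts(key: bytes, cookie: str,
                    now: Optional[float] = None) -> Optional[str]:
    """Return the user name if the cookie verifies and is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except (ValueError, binascii.Error):
        return None  # malformed cookie
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # MAC mismatch: not issued under this key
    data = json.loads(payload)
    if data.get("exp", 0) <= now:
        return None  # expired
    return data.get("user")


def compare_designs() -> dict:
    """Run both designs against a party that holds only the public certificate."""
    now = 1_700_000_000  # constructed fixed clock for reproducibility
    # What an ordinary HTTPS client can compute after one handshake.
    client_side_key = weak_override_key(PUBLIC_TLS_CERT)
    self_minted = mint_cookie(client_side_key, "not-a-real-user", 3600, now)

    # Weak gateway: its key is the same function of the same public cert.
    weak_gw_key = weak_override_key(PUBLIC_TLS_CERT)
    # Hardened gateway: independent secret; the public cert gives no leverage.
    hard_gw_key = hardened_override_key()
    legit = mint_cookie(hard_gw_key, "alice", 3600, now)

    return {
        "weak_accepts_self_minted": gateway_accepts(weak_gw_key, self_minted, now),
        "hardened_accepts_self_minted": gateway_accepts(hard_gw_key, self_minted, now),
        "hardened_accepts_legit": gateway_accepts(hard_gw_key, legit, now),
        "hardened_accepts_expired": gateway_accepts(hard_gw_key, legit, now + 7200),
    }


if __name__ == "__main__":
    for name, result in compare_designs().items():
        print(f"{name}: {result!r}")
```

The design point for reviewers is the first dictionary entry: under the weak design the gateway has no way to reject a cookie it never issued, because the only input to its verification key is something it hands to every client. Keying the override cookie from an independent secret (and bounding its lifetime) is what makes the "same certificate for both purposes" configuration stop mattering.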
Rapid7 has observed multiple waves of attacks targeting vulnerable devices. In some instances, cybercriminals successfully obtained VPN IP addresses and network access. However, in the incidents Rapid7 investigated, there was no evidence of lateral movement within networks after initial access was achieved.
Nevertheless, the potential for attackers to establish unauthorized VPN sessions within corporate networks and access internal resources without valid credentials poses a severe threat to organizations.
Urgent Response and Industry Impact
In response to this situation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0257 to its “Known Exploited Vulnerabilities” catalog. This mandates federal agencies to patch affected systems or implement protective measures by June 1.
Palo Alto Networks has also revised its advisory, increasing the severity rating of this vulnerability and assigning it the highest urgency label. Fixes are available for supported releases.
In a statement, the company emphasized, “Palo Alto Networks recognizes limited exploitation attempts against unpatched PAN-OS devices where mitigation measures have not been applied,” urging users to take swift action.
Repeated Emergencies and Security Preparedness
The emergence of this PAN-OS vulnerability marks the second critical incident for the company within the same month. In May, a state-sponsored attacker group was found exploiting a severe remote code execution vulnerability (CVE-2026-0300) in PAN-OS’s User-ID authentication portal before a widely available patch was released.
The rapid succession of emergencies underscores the importance of firewall and VPN gateway security as critical components of enterprise boundary defenses. The time lag between vulnerability disclosure and exploitation, as well as delays in patch application, creates a “golden window” for attackers.
Security teams must proactively assess their configurations and evaluate risks ahead of time rather than waiting for vendor warnings. In this case, reusing a single certificate for two unrelated purposes amplified the risk, reaffirming the need to follow basic security principles in design.
Organizations using Palo Alto Networks products should immediately verify if their versions are affected and apply official fixes as quickly as possible. For situations where patching is challenging, implementing vendor-recommended mitigation measures is essential.
Cyberattacks are continually evolving, and defensive responses must be just as agile. This incident serves as a stark reminder that even security products can become targets, and accurately assessing the severity of vulnerabilities ahead of time is often challenging.
Frequently Asked Questions
- What products are affected by the CVE-2026-0257 vulnerability?
- This vulnerability impacts Palo Alto Networks' PAN-OS environments that use GlobalProtect authentication override cookies under specific configurations. The risk is highest when the same certificate is used for both HTTPS services and authentication override cookies.
- What potential damages could result from exploitation of this vulnerability?
- Attackers could establish unauthorized VPN sessions within corporate networks and gain access to internal resources without valid credentials. This could lead to significant breaches, including unauthorized access to sensitive information and internal systems.
- What actions should organizations take to address this issue?
- First, confirm whether your PAN-OS version is affected. If it is, promptly apply the fixes provided by Palo Alto Networks. If immediate patching is not feasible, follow the vendor's recommended mitigation measures to reduce risks.