
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.
The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device.
“GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection,” reads Palo Alto’s advisory.
The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a specific certificate configuration.
However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw was now being actively exploited in attacks against unpatched devices, raising the severity rating to High.
“Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied,” reads the update.
This update comes after Rapid7 warned that it had observed the flaw being exploited against numerous customers starting on May 17.
“Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026,” explains Rapid7.
“As of May 29, 2026, this vulnerability has been added to the CISA KEV.”
According to Rapid7, the attacks began with hackers authenticating to GlobalProtect gateways using forged authentication override cookies that targeted the local administrator account.
The company first observed exploitation on May 18 from infrastructure hosted by Vultr, with a second wave of attacks detected on May 21 originating from Dromatics Systems.
In some cases, attackers were able to connect to the device via VPN using forged cookies, granting them access to internal networks. However, Rapid7 says that in many incidents, even though the device accepted the forged cookie, they were unable to establish a full VPN session.
Rapid7’s investigation into affected customers found that the impacted devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed attackers to forge valid authentication cookies.
The researchers say the flaw stems from PAN-OS’s validation of authentication override cookies.
A GlobalProtect VPN device decrypts these cookies using a configured private key and then trusts the decrypted contents without performing any signature verification.
If the same certificate is reused for both HTTPS services and authentication override cookies, attackers can obtain the corresponding public key via the HTTPS session and then use it to create forged cookies that the device will accept as legitimate.
Rapid7 developed a proof-of-concept exploit that demonstrates how an attacker can retrieve the public certificate exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without knowing valid credentials. Using this PoC, the researchers successfully authenticated to an unpatched GlobalProtect gateway.
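The following is an added illustration, not Rapid7’s PoC and not PAN-OS code: a toy model of the decrypt-then-trust cookie check described above, beside a hardened variant that binds the claims to a device-only MAC key before encrypting. The tiny RSA parameters, the JSON claim format and the MAC key are all constructed for the example.

```python
"""Toy model of 'decrypt then trust' cookie validation vs. an authenticated variant (constructed)."""
import hashlib
import hmac
import json

# Textbook RSA with small fixed primes: constructed for illustration only, not usable in practice.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: only the "device" holds this
CHUNK = 4                            # 32-bit blocks keep every block value below N

# Key used only for authenticity; unlike the public key it is never exposed to clients.
DEVICE_MAC_KEY = b"constructed-device-only-secret"


def encrypt(data):
    """Anyone holding the public key (E, N) can run this, e.g. after reading it from the TLS cert."""
    data += b"\x00" * ((-len(data)) % CHUNK)
    return [pow(int.from_bytes(data[i:i + CHUNK], "big"), E, N) for i in range(0, len(data), CHUNK)]


def decrypt(blocks):
    """Only the device (holder of D) can do this."""
    return b"".join(pow(c, D, N).to_bytes(CHUNK, "big") for c in blocks).rstrip(b"\x00")


def vulnerable_validate(cookie):
    """Decrypts and trusts the contents: decryptability is mistaken for authenticity."""
    try:
        return json.loads(decrypt(cookie)).get("user")
    except (ValueError, OverflowError):
        return None


def issue_cookie(user):
    """Hardened issuance: MAC the claims with a device-only key, then encrypt claims plus tag."""
    claims = json.dumps({"user": user}, separators=(",", ":")).encode()
    tag = hmac.new(DEVICE_MAC_KEY, claims, hashlib.sha256).hexdigest().encode()
    return encrypt(claims + b"." + tag)


def hardened_validate(cookie):
    """Decrypts, then rejects any cookie whose tag was not produced with the device-only key."""
    try:
        claims, _, tag = decrypt(cookie).rpartition(b".")
        expected = hmac.new(DEVICE_MAC_KEY, claims, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return None
        return json.loads(claims).get("user")
    except (ValueError, OverflowError):
        return None
```

A cookie minted with nothing but the public key passes `vulnerable_validate` and is rejected by `hardened_validate`; a cookie from `issue_cookie` passes only the hardened check.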
Organizations using GlobalProtect VPN devices should immediately install the latest security updates to patch the flaws.
Admins can also mitigate the flaw by turning off the authentication override feature or by using a separate certificate for this feature that is not shared with other services on the device.
CISA has now added the flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to mitigate the flaw by June 1, 2026.
