
Palo Alto Alerts About Actively Exploited High-Severity Bug


Active Exploitation of High-Severity Vulnerability in PAN-OS Software: A Warning for Users

A renowned security vendor has raised alarms about the active exploitation of a critical vulnerability within its software, which was previously patched last month. The vulnerability, identified as CVE-2026-0257, poses significant risks to users of Palo Alto Networks’ PAN-OS, particularly affecting the GlobalProtect portal and gateway. Security experts are urging immediate action from organizations that utilize this software, as the threat landscape evolves and attackers are demonstrating increasingly sophisticated tactics.

CVE-2026-0257 is classified as an authentication bypass vulnerability. This critical flaw allows attackers to bypass essential security measures, potentially enabling them to establish unauthorized VPN connections. Given the nature of the issue, the implications could be severe, particularly for businesses that rely on secure remote access to their networks for daily operations. The vulnerability has a Common Vulnerability Scoring System (CVSS) score of 7.8, categorizing it as high severity.

Palo Alto Networks confirmed that an update addressing the vulnerability was released on May 13. However, the company has since stated that it is aware of limited attempts to exploit unpatched PAN-OS devices that lack adequate mitigations. The severity rating was raised from medium to high because of the multiple exploitation attempts reported in recent days, which have drawn the attention of security professionals worldwide.

Rapid7, a cybersecurity firm, has classified this vulnerability as critical, emphasizing that it has been exploited in two distinct waves identified around May 18 and May 21. The firm posits that these exploitation efforts are likely linked to the same actor or group of actors. An authentication bypass on edge-facing VPN appliances in particular is considered highly impactful for enterprise customers.

Rapid7 detailed how attackers could exploit this vulnerability by manipulating authentication cookies. The firm observed instances where VPN IP assignments occurred following cookie authentication, consequently granting attackers access to internal networks. This discovery raises concerns about how extensive the vulnerability’s exploitation could become, particularly since Rapid7 cannot ascertain why VPN assignments succeeded for only a subset of affected customers.

In their exploration of the issue, Rapid7 documented successful exploitations across multiple clients, with attackers utilizing forged authentication cookies. Strikingly, in 8 out of 10 monitored customers, the appliance accepted the malicious cookies without establishing a full VPN session, a situation that could have dire consequences if left unaddressed.

To safeguard against potential exploits, GlobalProtect VPN users are being urged to patch their systems immediately. In cases where immediate patching is unattainable, Palo Alto Networks has provided two alternative mitigation strategies. These include disabling the authentication override settings in the GlobalProtect portal and gateway configuration or generating a new certificate specifically for authentication override cookies—an approach that requires secure storage and should not involve sharing among multiple users.
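As an added example (not from the article, Palo Alto Networks or Rapid7), the following audit scans an exported PAN-OS configuration for portals and gateways that still generate or accept authentication-override cookies, the setting the interim mitigation turns off, and reports the certificate each one uses so a rotation can be confirmed. The element names and the sample configuration are assumptions modelled on the GlobalProtect XML layout and must be verified against a real export before use.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS config export. The element names
# are assumptions modelled on the GlobalProtect authentication-override block;
# check them against your own exported configuration.
SAMPLE_CONFIG = """<config><global-protect>
  <global-protect-portal><entry name="gp-portal">
    <client-config><configs><entry name="default">
      <authentication-override>
        <generate-cookie>yes</generate-cookie>
        <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
        <cookie-encrypt-decrypt-cert>gp-cookie-cert</cookie-encrypt-decrypt-cert>
      </authentication-override>
    </entry></configs></client-config>
  </entry></global-protect-portal>
  <global-protect-gateway><entry name="gp-gateway">
    <client-auth><entry name="default">
      <authentication-override><generate-cookie>no</generate-cookie></authentication-override>
    </entry></client-auth>
  </entry></global-protect-gateway>
</global-protect></config>"""


def audit_auth_override(xml_text):
    """Return one finding per portal or gateway whose client config still
    generates or accepts authentication-override cookies.  Each finding names
    the object, its kind, which of the two options is on, and the certificate
    used to encrypt the cookies (None if no certificate is configured)."""
    root = ET.fromstring(xml_text)
    findings = []
    for kind in ("global-protect-portal", "global-protect-gateway"):
        for container in root.iter(kind):
            for obj in container.findall("entry"):
                # A portal/gateway may carry several client configs; walk all.
                for ao in obj.iter("authentication-override"):
                    generate = (ao.findtext("generate-cookie") or "no") == "yes"
                    accept = ao.find("accept-cookie") is not None
                    if generate or accept:
                        findings.append({
                            "object": obj.get("name"),
                            "kind": kind,
                            "generate_cookie": generate,
                            "accept_cookie": accept,
                            "cert": ao.findtext("cookie-encrypt-decrypt-cert"),
                        })
    return findings


if __name__ == "__main__":
    for f in audit_auth_override(SAMPLE_CONFIG):
        print(f)
```

Run against an export of the running configuration: an empty result means every portal and gateway has authentication override disabled; otherwise the listed certificate names show which cookie-encryption certificates still need to be replaced if the second mitigation is chosen.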

The urgency of addressing this vulnerability has not gone unnoticed by U.S. governmental authorities. The Cybersecurity and Infrastructure Security Agency (CISA) has included CVE-2026-0257 in its Known Exploited Vulnerabilities (KEV) Catalog. The inclusion mandates that federal civilian agencies must implement necessary patches by the deadline of June 1. Such regulatory actions underscore the critical nature of the vulnerability and the potential risks not only to individual organizations but also to larger networks containing sensitive governmental information.

The situation has brought to light wider discussions regarding the importance of timely software patches, robust authentication methods, and vigilant monitoring of network activity. As cyber threats continue to evolve, organizations must remain proactive in their cybersecurity measures to mitigate risks. The active exploitation of vulnerabilities like CVE-2026-0257 serves as a stark reminder of the need for continuous awareness and a commitment to cybersecurity excellence in an increasingly perilous digital landscape.
