Palo Alto Networks said a medium-severity authentication bypass in PAN-OS and Prisma Access, tracked as CVE-2026-0257, is being actively exploited in the wild, with the company warning on May 29 that limited attempts were seen against unpatched devices without mitigations.
KEY FACTS
- Flaw: Authentication bypass in GlobalProtect portal and gateway
- Severity: CVSS score of 7.8
- Condition: Affected systems use authentication override cookies and a specific certificate setup
- Impact: Attackers can establish unauthorized VPN connections
The advisory said the issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists. Palo Alto Networks first disclosed the flaw in a vendor advisory on May 13.
Rapid7 said it observed successful exploitation across numerous customers, with activity dating to May 17 and a second wave on May 21. The company said both sets of exploitation appear to involve the same threat actor.
In the second wave, the attacker obtained VPN IP assignment after cookie authentication in two cases, which granted access to internal networks. Rapid7 said it saw no follow-on activity in the affected environments where a VPN session was established.
As temporary mitigations, the vendor recommended disabling the authentication override feature or generating a new certificate used only for that feature. It also urged customers to apply the patch on an urgent basis.
WHY IT MATTERS
The flaw affects an edge-facing VPN product that can provide direct access to internal networks, which can increase the potential impact of successful exploitation. The report also comes as organizations continue to deal with active abuse of other patched enterprise security flaws.