GoKawiilPalo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.
The company fixed the CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device.
"GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection," reads Palo Alto's advisory.
The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a specific certificate configuration.
However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw was now being actively exploited in attacks against unpatched devices, raising the severity rating to High.
"Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," reads the update.
This update comes after Rapid7 warned that it had observed the flaw being exploited against numerous customers starting on May 17.
"Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026," explains Rapid7.
"As of May 29, 2026, this vulnerability has been added to the CISA KEV."
According to Rapid7, the attacks began with hackers authenticating to GlobalProtect gateways using forged authentication override cookies that targeted the local administrator account.
... continue reading