Palo Alto VPN Authentication Bypass Flaw Actively Exploited in Attacks
Palo Alto Networks has warned that threat actors are actively exploiting a vulnerability in its PAN-OS GlobalProtect VPN software, tracked as CVE-2026-0257, to gain unauthorized access to corporate networks.
The flaw, which was patched earlier this month, allows attackers to bypass security controls and establish unauthorized VPN connections. Initially rated as a medium-severity issue due to specific configuration requirements, the vulnerability’s severity has now been raised to high after evidence emerged that it is being exploited in real-world attacks.
According to Palo Alto Networks, exploitation attempts have been observed against unpatched PAN-OS devices that lack recommended mitigations. The warning follows findings from cybersecurity firm Rapid7, which reported successful exploitation across multiple customer environments beginning on May 17, 2026.
Rapid7 said attackers used forged GlobalProtect authentication override cookies to impersonate local administrator accounts. The first wave of attacks originated from infrastructure hosted by Vultr, while a second wave was traced to Dromatics Systems.
In several cases, attackers successfully connected to vulnerable devices through VPN access, potentially gaining entry to internal corporate networks. However, Rapid7 noted that some attacks failed to establish complete VPN sessions despite the forged authentication cookies being accepted.
The vulnerability affects systems where GlobalProtect authentication override cookies are enabled and configured in a manner that allows attackers to forge valid authentication tokens.
Researchers explained that the issue stems from how PAN-OS validates authentication override cookies. The device decrypts the cookie using a private key and trusts the contents without verifying a digital signature. If the same certificate is used for both HTTPS services and authentication override cookies, attackers can obtain the public certificate through the HTTPS service and use it to generate forged cookies that the system accepts as legitimate.
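The design defect described above is that decryption alone is treated as proof of origin: anyone holding the public certificate can produce a cookie the gateway will decrypt. As an added illustration (not PAN-OS code and not Rapid7's proof of concept), the validator below shows the pattern that closes this gap: the cookie is authenticated with a key that is never exposed to clients, the MAC is checked before any claim is parsed, and a structurally perfect cookie produced without that key is rejected. The secret, cookie layout and claim names are assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Assumed for this example only: a secret the gateway never serves to clients
# (the role a dedicated authentication-override certificate plays in PAN-OS).
GATEWAY_SECRET = secrets.token_bytes(32)  # constructed, not a real key
TAG_LEN = hashlib.sha256().digest_size


def issue_cookie(user: str, ttl_seconds: int = 3600, *, key: bytes = GATEWAY_SECRET) -> str:
    """Issue an override cookie whose authenticity is bound to the gateway-only key."""
    claims = {"user": user, "exp": int(time.time()) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def validate_cookie(cookie: str, *, key: bytes = GATEWAY_SECRET,
                    now: Optional[int] = None) -> Optional[str]:
    """Return the user name only if the MAC verifies and the cookie is unexpired.

    The MAC is checked before the payload is parsed or trusted: a cookie that
    merely decodes and has the right structure is not evidence that the
    gateway issued it.
    """
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or not isinstance(claims.get("user"), str):
        return None
    current = now if now is not None else int(time.time())
    if current >= int(claims.get("exp", 0)):
        return None
    return claims["user"]
```

A cookie produced with any key other than the gateway's, or with the user field altered after issue, fails the MAC check and is never parsed.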
Rapid7 developed a proof-of-concept exploit demonstrating how attackers could retrieve public certificates from a GlobalProtect portal, create forged authentication cookies for any user, and authenticate without valid credentials. The researchers successfully used the exploit to access an unpatched GlobalProtect gateway.
The vulnerability has now been added to CISA’s Known Exploited Vulnerabilities (KEV) catalog, highlighting the urgent need for organizations to address the issue.
Security experts recommend that organizations immediately install the latest PAN-OS updates. As an additional safeguard, administrators can disable the authentication override feature or use a dedicated certificate for authentication override cookies that is not shared with other services on the device.