Palo Alto Networks warns that attackers are exploiting an authentication bypass flaw in PAN-OS GlobalProtect VPN devices, tracked as CVE-2026-0257, to breach corporate networks; observed exploitation began May 17. The flaw enables unauthorized VPN connections on devices configured with authentication override cookies enabled and specific certificate settings. It initially received a Medium severity rating, which Palo Alto raised to High following active exploitation. Rapid7 observed attackers using forged authentication override cookies targeting the local administrator account, with attacks originating from Vultr-hosted infrastructure and Dromatics Systems.
The vulnerability stems from PAN-OS decrypting authentication override cookies using a configured private key without performing signature verification, allowing attackers who obtain the public key via HTTPS sessions to forge valid cookies. Rapid7 developed a proof-of-concept showing attackers can retrieve public certificates, generate forged cookies for arbitrary users, and authenticate without valid credentials. Some attackers successfully established full VPN sessions granting internal network access, while others could not complete connections despite accepted forged cookies.
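As an added example (not code from the advisory, Palo Alto, or Rapid7), a toy model of the design flaw described above: a cookie validator that only decrypts with the private key accepts anything encrypted under the matching public key, while a validator that also checks a server-only MAC rejects the same forgery. The toy RSA parameters, field names and secret are constructed assumptions, not the PAN-OS cookie format.

```python
import hashlib
import hmac
import json
from typing import Optional

# Toy textbook-RSA key (p=61, q=53); illustration only, real keys are 2048-bit or more.
N, E, D = 3233, 17, 2753
PUBLIC_KEY = (N, E)    # anyone who completes a TLS handshake with the device can obtain this
PRIVATE_KEY = (N, D)   # known only to the server
SERVER_SECRET = b"constructed-server-only-mac-key"  # constructed; never leaves the server

def pk_encrypt(pub, data: bytes) -> list:
    n, e = pub
    return [pow(b, e, n) for b in data]  # one RSA block per byte (toy only)

def pk_decrypt(priv, blocks) -> bytes:
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)

def mint_with_public_key(user: str) -> dict:
    """Anyone holding only the public key can produce a cookie that decrypts cleanly."""
    payload = json.dumps({"user": user}).encode()
    return {"enc": pk_encrypt(PUBLIC_KEY, payload)}

def issue_cookie(user: str) -> dict:
    """Server-side issuance: encrypt AND bind the payload with a server-only MAC."""
    payload = json.dumps({"user": user}).encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return {"enc": pk_encrypt(PUBLIC_KEY, payload), "tag": tag}

def validate_decrypt_only(cookie: dict) -> Optional[str]:
    """Vulnerable pattern: a successful decryption is treated as proof of origin."""
    try:
        return json.loads(pk_decrypt(PRIVATE_KEY, cookie["enc"]))["user"]
    except Exception:
        return None

def validate_authenticated(cookie: dict) -> Optional[str]:
    """Hardened pattern: decrypt, then verify the issuer's MAC before trusting any field."""
    try:
        payload = pk_decrypt(PRIVATE_KEY, cookie["enc"])
        expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, str(cookie.get("tag", ""))):
            return None
        return json.loads(payload)["user"]
    except Exception:
        return None
```

The decrypt-only validator returns the forged user name, which is exactly why successful decryption must never stand in for signature verification; a per-service certificate (so the cookie key is not the TLS key) and an issuer signature or MAC close the gap.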
CISA added the flaw to its Known Exploited Vulnerabilities catalog, ordering federal agencies to mitigate by June 1, 2026. Organizations are advised to install the latest security updates, disable authentication override features, or use separate certificates not shared with other device services. The earliest observed exploitation occurred May 17, with successful authentication demonstrated across numerous customer environments. The flaw affects devices with specific certificate reuse configurations between HTTPS services and authentication override cookies.
