Researchers and cybersecurity professionals are urgently addressing an actively exploited authentication-bypass vulnerability impacting Palo Alto Networks firewalls. The flaw, initially rated medium severity by the vendor, was quickly escalated to critical following observed exploitation and inclusion in a government cybersecurity directive.
Palo Alto Networks disclosed the vulnerability, identified as CVE-2026-0257, on May 13. By May 17, researchers at Rapid7 observed and confirmed its active exploitation in the wild. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently added the flaw to its catalog of known exploited vulnerabilities, highlighting the immediate threat to government networks.
Exploitation of Palo Alto Networks Firewall Vulnerability
The critical authentication-bypass vulnerability allows remote attackers to circumvent security controls and establish a virtual private network (VPN) connection to affected firewalls. Palo Alto Networks has confirmed limited exploitation attempts targeting unpatched devices where security mitigations have not been applied.
“Palo Alto Networks is actively monitoring limited exploitation attempts targeting CVE-2026-0257 on unpatched PAN-OS devices where mitigations have not been applied,” a company spokesperson stated. The vendor has urged all customers to apply provided patches or implement recommended mitigation steps without delay.
Details of the Vulnerability and Exploitation
The vulnerability specifically affects Palo Alto Networks firewalls running PAN-OS when configured with GlobalProtect portal or gateway features that enable authentication override cookies. According to cybersecurity researchers, the exploit is surprisingly simple, requiring only a single HTTP request.
“The entire exploit is a single HTTP request,” said Jake Knott, a security researcher at watchTowr. “An attacker can forge a valid authentication cookie using nothing more than the appliance’s publicly available TLS certificate.” This method bypasses the primary security function of the firewall.
The exploit relies on the certificate used to encrypt and decrypt the authentication cookie also being reused for another feature, which exposes that certificate’s public key. Caitlin Condon, vice president of security research at VulnCheck, noted that while specific configurations are required, the widespread use of Palo Alto Networks firewalls means a significant attack surface may exist.
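As an added illustration (not code from the article, from Palo Alto Networks, or from the researchers quoted), the toy model below shows why a cookie that is merely encrypted to a public key can be minted by anyone holding that key, and how an authenticity check under a server-held secret closes the gap. The RSA parameters, user identifiers and cookie layout are constructed assumptions, not PAN-OS internals.

```python
# Toy model of the design flaw described above: an authentication cookie that
# is only *encrypted* to a public key proves nothing about who created it,
# because the public key is, by definition, available to everyone.
# Textbook RSA with tiny constructed primes; nothing here is secure.
import hashlib
import hmac
import secrets

P, Q, E = 61, 53, 17                 # constructed toy parameters
N = P * Q                            # 3233: the "public modulus" in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held only by the appliance


def encrypt_to_public(m: int) -> int:
    """Anyone who has the public key (N, E) can run this."""
    return pow(m, E, N)


def decrypt_with_private(c: int) -> int:
    return pow(c, D, N)


# Weak design: cookie = Enc_pub(user id). The server decrypts and treats a
# sensible plaintext as proof that the portal issued the cookie. Encryption
# gives confidentiality, not authenticity, so any public-key holder can mint one.
def weak_issue(user_id: int) -> int:
    return encrypt_to_public(user_id)


def weak_accept(cookie: int) -> int:
    return decrypt_with_private(cookie)


# Hardened design: the cookie carries a MAC under a secret that never leaves
# the server and is shared with no other feature. Forging it requires the secret.
SERVER_SECRET = secrets.token_bytes(32)      # generated per run, never exported


def strong_issue(user_id: int, key: bytes = SERVER_SECRET) -> tuple[int, str]:
    tag = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return user_id, tag


def strong_accept(cookie: tuple[int, str], key: bytes = SERVER_SECRET) -> bool:
    user_id, tag = cookie
    expected = hmac.new(key, str(user_id).encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)
```

The check to take away: if the verifier accepts anything a holder of public material can produce, the cookie is not an authenticator, no matter how strong the cipher.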
Rapid7 reported observing exploitation in multiple waves, indicating sustained malicious activity. Douglas McKee, director of vulnerability intelligence at Rapid7, stated, “We’ve continued to see new victims roll in, including a couple of customers hit within just an hour of each other during a second wave of activity.” The attackers appear opportunistic, capitalizing on vulnerabilities that might be lower priority for some organizations.
While the exact number of impacted organizations remains undisclosed, the attackers’ focus seems to be on gaining initial access rather than conducting long-term espionage. “Their exact origins and long-term objectives remain unclear, as they currently seem focused purely on opportunistic initial access rather than targeted, long-term espionage,” McKee added.
Urgency for Patching and Mitigation
The rapid escalation from a medium to critical rating underscores the dynamic nature of cybersecurity threats. This event highlights a recurring trend where attackers target edge network devices, swiftly developing and weaponizing exploits for initial access.
“This is a pattern we continue to see — the urgency only arrives after exploitation is underway,” Knott observed. He stressed the importance of proactive patching, warning that “Organizations that wait for confirmation of active exploitation before patching will consistently find themselves reacting too late.”
Palo Alto Networks discovered the vulnerability internally, utilizing advanced AI tools. However, the speed at which it was weaponized and exploited demonstrated the agility of threat actors in leveraging publicly disclosed information.
The next steps involve continued monitoring by Palo Alto Networks and cybersecurity agencies for further exploitation attempts. Organizations with affected firewall configurations are advised to apply the latest security patches or implement the vendor’s recommended mitigation strategies immediately to prevent potential compromise.