Palo Alto Networks has issued a critical alert regarding CVE-2026-0257, a medium-severity authentication bypass vulnerability in its PAN-OS software and Prisma Access platform. The company confirmed on May 30, 2026, that this flaw is actively being exploited in the wild, allowing threat actors to bypass security controls and establish unauthorized VPN connections. Organizations using affected systems are urged to implement immediate security measures.
The exploited vulnerability, officially designated CVE-2026-0257 with a CVSS score of 7.8, specifically targets the GlobalProtect portal and gateway features within PAN-OS. Palo Alto Networks stated in an advisory that the exploit enables attackers to circumvent security restrictions and initiate unauthorized VPN sessions, posing a significant risk to network integrity. The company has acknowledged limited exploit attempts on unpatched devices without applied mitigations.
Active Exploitation of PAN-OS Authentication Bypass
The active exploitation of CVE-2026-0257 was first highlighted by Rapid7, a cybersecurity firm that observed successful attacks against numerous customers. Their analysis indicates that the earliest exploitation attempts date back to May 17, 2026, followed by a second wave on May 21. Rapid7 assesses that the same threat actor is likely responsible for both sets of observed activities. The nature of the second wave included the assignment of VPN IP addresses post-cookie authentication, granting attackers access to internal networks in at least two confirmed instances. Importantly, Rapid7 reported no observed follow-on activities in the compromised customer environments after the VPN sessions were established.
Rapid7 notes that the implications of an authentication bypass in an edge-facing enterprise VPN appliance are considerable. Such vulnerabilities can grant unauthorized access to sensitive internal resources, potentially leading to data breaches, malware deployment, or further network compromise. Consequently, organizations operating affected appliances are strongly advised to upgrade to a vendor-provided patch as a matter of urgency.
Scope and Affected Configurations
According to Palo Alto Networks, the vulnerability exclusively affects firewalls configured with either a GlobalProtect portal or gateway. The exploit is conditional on two specific configurations being present: the authentication override cookies being enabled and a particular certificate configuration being in place. These specific parameters create the window for the authentication bypass to occur, enabling the unauthorized VPN connection.
In addition to the recommendation to apply vendor patches, Palo Alto Networks has provided temporary mitigations for organizations unable to patch immediately. These include disabling the authentication override feature entirely or generating a new certificate specifically for use with the authentication override feature. Implementing these temporary measures can help reduce the attack surface while patches are being deployed.
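The two preconditions above (a GlobalProtect portal or gateway, plus authentication override cookies enabled, plus the certificate used with that feature) are all visible in a PAN-OS XML configuration export, so a defender can triage their fleet before patching. The script below is an added example, not code from Palo Alto Networks or Rapid7: it walks a config export, locates every authentication-override block, identifies the portal or gateway entry it belongs to, and reports whether cookie generation or acceptance is on and which certificate is referenced. The element names (authentication-override, generate-cookie, accept-cookie, cookie-encrypt-decrypt-cert) and the placement of the portal and gateway entries are assumptions made for illustration; the sample configuration is constructed and should be replaced with your own export.

```python
"""Triage a PAN-OS XML config export for GlobalProtect portal/gateway entries
that have the authentication-override cookie feature enabled.

Added example; not vendor code. The XML element names below are assumed for
illustration and must be checked against a real config export.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: one portal with override cookies enabled and a
# dedicated certificate, one gateway with cookie generation switched off.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="gp-portal">
          <client-config><configs><entry name="default">
            <authentication-override>
              <generate-cookie>yes</generate-cookie>
              <accept-cookie>
                <cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime>
              </accept-cookie>
              <cookie-encrypt-decrypt-cert>gp-cookie-cert</cookie-encrypt-decrypt-cert>
            </authentication-override>
          </entry></configs></client-config>
        </entry>
      </global-protect-portal>
      <global-protect-gateway>
        <entry name="gp-gateway">
          <remote-user-tunnel-configs><entry name="default">
            <authentication-override>
              <generate-cookie>no</generate-cookie>
            </authentication-override>
          </entry></remote-user-tunnel-configs>
        </entry>
      </global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""

# Assumed container tags for the two GlobalProtect component types.
COMPONENT_TAGS = {
    "global-protect-portal": "portal",
    "global-protect-gateway": "gateway",
}


def _describe(chain):
    """Summarise one <authentication-override> block from its ancestor chain."""
    override = chain[-1]
    component, name = "unknown", "unknown"
    # The component entry is the <entry> directly under a portal/gateway tag.
    for parent, child in zip(chain, chain[1:]):
        if parent.tag in COMPONENT_TAGS and child.tag == "entry":
            component = COMPONENT_TAGS[parent.tag]
            name = child.get("name", "unnamed")
            break
    generate = (override.findtext("generate-cookie") or "no").strip() == "yes"
    accept = override.find("accept-cookie") is not None
    cert = (override.findtext("cookie-encrypt-decrypt-cert") or "").strip() or None
    return {
        "component": component,
        "name": name,
        "generate_cookie": generate,
        "accept_cookie": accept,
        "cookies_enabled": generate or accept,
        "cert": cert,
    }


def find_override_entries(config_xml):
    """Return one finding dict per authentication-override block, in document order."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, ancestors):
        chain = ancestors + [elem]
        if elem.tag == "authentication-override":
            findings.append(_describe(chain))
            return  # nothing of interest below this block
        for child in elem:
            walk(child, chain)

    walk(root, [])
    return findings


def exposed_entries(config_xml):
    """Names of portal/gateway entries that still have override cookies enabled."""
    return [f["name"] for f in find_override_entries(config_xml) if f["cookies_enabled"]]


def report(config_xml):
    """Print a triage line per entry with the vendor's interim options where relevant."""
    for f in find_override_entries(config_xml):
        flag = "REVIEW" if f["cookies_enabled"] else "ok"
        print(f"[{flag}] {f['component']} {f['name']}: generate={f['generate_cookie']} "
              f"accept={f['accept_cookie']} cert={f['cert']}")
        if f["cookies_enabled"]:
            print("        -> patch; if not yet possible, disable authentication override "
                  "or issue a new certificate dedicated to it")


if __name__ == "__main__":
    report(SAMPLE_CONFIG)
```

Run it against `show config running` output saved as XML (or the exported configuration file) rather than the constructed sample; any entry flagged REVIEW is one where the override feature is live and the interim mitigations from the advisory apply until the patch is installed.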
This recent wave of exploitation for CVE-2026-0257 comes on the heels of other significant cybersecurity threats. For instance, Arctic Wolf recently reported on the continued weaponization of a critical, though now patched, vulnerability in FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616). That vulnerability was being leveraged to deliver the EKZ Infostealer, a malware designed for credential theft, highlighting an ongoing trend of adversaries actively exploiting previously identified security weaknesses.
The current focus remains on the active exploitation of the PAN-OS CVE-2026-0257 vulnerability. Organizations are urged to assess their configurations for the presence of GlobalProtect portals or gateways with enabled authentication overrides and specific certificate setups. Immediate application of vendor patches, or implementation of the temporary mitigations where patching is not yet possible, is the critical next step to protect against unauthorized network access. The cybersecurity community will be monitoring for any further activity or updates from Palo Alto Networks and other security researchers regarding this evolving threat.