
Xiandai
Jun 2, 2026 · Updated 10:02 PM UTC
Cybersecurity

Palo Alto VPN bug graduates from advisory to active exploitation

Security researchers have confirmed active exploitation of a critical authentication bypass flaw in Palo Alto Networks' GlobalProtect VPN, forcing an urgent response from users.

Ryan Torres

2 min read

Palo Alto Networks customers are facing an urgent security scramble after researchers confirmed that attackers are actively exploiting a vulnerability in the company's GlobalProtect VPN. The flaw, tracked as CVE-2026-0257, affects PAN-OS deployments that use GlobalProtect authentication override cookies under specific configurations.

According to analysis from Rapid7, the vulnerability lets an unauthenticated attacker bypass GlobalProtect authentication and gain entry into internal corporate networks. The flaw stems from how PAN-OS trusts authentication override cookies: in certain deployments an attacker can forge a cookie and the firewall accepts it as legitimate, granting a VPN session without any credentials. The risk is particularly acute for organizations that use the same certificate for both HTTPS services and authentication override cookies, as this gives an attacker the information needed to generate convincing fakes. Because exposure depends on configuration, administrators should first check whether authentication override is enabled on their GlobalProtect portals and gateways, and which certificate it is configured to use.
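The cookie-trust problem described above, as an added illustration that is not Palo Alto Networks' code and does not model the actual PAN-OS mechanism (which neither the article nor the vendor advisory quoted here describes). It shows the general failure class in a hypothetical gateway: one version validates an override cookie with a key derivable from the gateway's public HTTPS certificate, so anyone who can connect to the portal can mint a cookie; the hardened version keys the cookie on a server-only secret, checks expiry, requires the cookie to have actually been issued, and can invalidate every outstanding cookie by rotating the key. All names, the certificate bytes and the cookie format are constructed for the example.

```python
"""Hypothetical illustration of the override-cookie trust problem.

Not Palo Alto Networks code and not a model of the real PAN-OS mechanism,
which the article does not describe. It shows the failure class in general
terms: a gateway that accepts a client-presented cookie whose validation key
is derivable from data the attacker can obtain (here, the public HTTPS
certificate), beside one keyed on a server-only secret that also checks
expiry and server-side issuance state.
"""
import base64
import binascii
import hashlib
import hmac
import json
import os
import time

# Constructed sample standing in for the gateway's public certificate. A real
# attacker obtains the certificate simply by connecting to the portal over TLS.
PUBLIC_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
PUBLIC_CERT_FINGERPRINT = hashlib.sha256(PUBLIC_CERT_PEM).digest()


def mint_cookie(payload: dict, key: bytes) -> str:
    """Serialize payload and append a hex HMAC-SHA256 tag computed under key."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(body + b"." + tag).decode()


def verify_cookie(cookie: str, key: bytes):
    """Return the payload dict if the tag verifies under key, else None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        body, sep, tag = raw.rpartition(b".")  # tag is hex, so it never contains '.'
        if not sep:
            return None
        expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            return None
        payload = json.loads(body)
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None
    return payload if isinstance(payload, dict) else None


class WeakGateway:
    """Validates cookies with a key derived from public certificate data.

    The flaw: everything needed to mint a valid cookie is public, so a
    forged cookie is indistinguishable from one the gateway issued."""

    def __init__(self, cert_fingerprint: bytes):
        self.key = cert_fingerprint

    def issue(self, user: str, ttl: int = 3600) -> str:
        return mint_cookie({"user": user, "exp": int(time.time()) + ttl}, self.key)

    def accept(self, cookie: str) -> bool:
        p = verify_cookie(cookie, self.key)
        return p is not None and p.get("exp", 0) > time.time()


class HardenedGateway:
    """Validates cookies with a server-only secret plus server-side issuance state."""

    def __init__(self):
        self.key = os.urandom(32)  # never derived from, or served with, the certificate
        self.issued = set()         # ids of cookies the gateway actually handed out

    def issue(self, user: str, ttl: int = 3600) -> str:
        cid = os.urandom(16).hex()
        self.issued.add(cid)
        return mint_cookie({"id": cid, "user": user, "exp": int(time.time()) + ttl}, self.key)

    def accept(self, cookie: str) -> bool:
        p = verify_cookie(cookie, self.key)
        # Even a cookie minted with a leaked key fails unless the gateway issued it.
        return (p is not None
                and p.get("id") in self.issued
                and p.get("exp", 0) > time.time())

    def rotate(self) -> None:
        """Incident response: new key and cleared state invalidate every outstanding cookie."""
        self.key = os.urandom(32)
        self.issued.clear()


def attacker_forge(user: str, cert_fingerprint: bytes) -> str:
    """What an attacker holding only the public certificate can build."""
    return mint_cookie({"user": user, "exp": int(time.time()) + 3600}, cert_fingerprint)


def demo() -> dict:
    weak = WeakGateway(PUBLIC_CERT_FINGERPRINT)
    hard = HardenedGateway()
    forged = attacker_forge("admin", PUBLIC_CERT_FINGERPRINT)
    legit = hard.issue("alice")
    results = {
        "weak_accepts_legit": weak.accept(weak.issue("alice")),
        "weak_accepts_forged": weak.accept(forged),
        "hard_accepts_legit": hard.accept(legit),
        "hard_accepts_forged": hard.accept(forged),
        "hard_rejects_expired": not hard.accept(hard.issue("alice", ttl=-1)),
    }
    hard.rotate()
    results["hard_rejects_after_rotate"] = not hard.accept(legit)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened version is not the HMAC itself but where its key comes from and what else is checked: a cookie is a bearer token, so the gateway must hold material the client cannot obtain, must bound the token's lifetime, and should be able to invalidate all tokens at once when, as here, exploitation predates the fix.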

Palo Alto Networks initially disclosed the vulnerability on May 13. At disclosure the vendor rated the bug medium severity, stating that it was aware of reports of exploitation attempts but had not confirmed any malicious activity in the wild. That assessment has since been revised in light of evidence of successful attacks.

Rapid7 reported observing successful exploitation across multiple customer environments dating back to at least May 17, four days after the advisory was published. The firm validated the technique with its own proof-of-concept testing, confirming that attackers could establish unauthorized VPN sessions on vulnerable systems, and with them a foothold on internal networks, without legitimate credentials.

In a recent update to its advisory, Palo Alto Networks acknowledged the shift in the threat landscape, stating, "Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied." The vendor is now urging all affected customers to apply the security patches as a priority. The wording matters: the observed attempts were against devices that were both unpatched and running without the vendor's mitigations, so where a patch cannot be applied immediately, the advisory's interim mitigations should be applied in the meantime.

This incident follows a separate security crisis last month, in which state-backed actors targeted a critical remote code execution flaw in the PAN-OS User-ID Authentication Portal. With exploitation of CVE-2026-0257 now confirmed, security teams are advised to treat the vulnerability as high priority regardless of its original medium rating. Organizations running vulnerable GlobalProtect gateways should apply the vendor patches immediately and, because attacks date back to at least May 17, review GlobalProtect session activity since that date for logins that cannot be tied to a legitimate user, treating any such session as a possible intrusion rather than assuming the patch alone closes the matter.
