Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks

Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks By Lawrence Abrams May 30, 2026 02:02 PM 0 Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. The company fixed the  CVE-2026-0257 flaw earlier this month, warning that it could be used to establish unauthorized VPN connections on the device. "GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection," reads Palo Alto's advisory . The flaw received a Medium severity rating because it requires devices to be configured with authentication override cookies enabled and a specific certificate configuration. However, on Friday, Palo Alto Networks updated the advisory to warn that the flaw was now being actively exploited in attacks against unpatched devices, raising the severity rating to High. "Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," reads the update. This update comes after Rapid7 warned that it had observed the flaw being exploited against numerous customers starting on May 17. "Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026," explains Rapid7 . "As of May 29, 2026,  this vulnerability has been added to the CISA KEV." According to Rapid7, the attacks began with hackers authenticating to GlobalProtect gateways using forged authentication override cookies that targeted the local administrator account. The company first observed exploitation on May 18 from infrastructure hosted by Vultr, with a second wave of attacks detected on May 21 originating from Dromatics Systems. In