ACTIVE EXPLOITATION ALERT: PAN-OS GlobalProtect Flaw Lets Attackers Bypass Authentication and Access Enterprise VPNs
Palo Alto Networks Warns of Real-World Exploitation Targeting Unpatched GlobalProtect Gateways

Published: May 30, 2026
Severity: High
CVE: CVE-2026-0257
CVSS Score: 7.8
Executive Summary
Attackers Are Actively Exploiting PAN-OS GlobalProtect Authentication Weakness
Palo Alto Networks has confirmed active exploitation attempts targeting a recently disclosed authentication bypass vulnerability affecting PAN-OS and Prisma Access environments.
The vulnerability, tracked as CVE-2026-0257, impacts GlobalProtect portal and gateway deployments under specific authentication override configurations. Attackers can exploit this weakness to bypass security restrictions and establish unauthorized VPN sessions inside enterprise environments.
Although the flaw carries a CVSS score of 7.8, its real-world impact is considerably greater because the affected component is internet-facing VPN infrastructure commonly used for remote access, reachable by attackers without any prior foothold.
Furthermore, security researchers observed successful exploitation attempts across multiple organizations, with attackers gaining VPN IP assignments and internal network access on vulnerable systems.
Organizations using GlobalProtect should therefore prioritize immediate remediation and apply temporary mitigations without delay.
Technical Details
Authentication Override Weakness Enables Unauthorized VPN Access
The vulnerability exists within PAN-OS GlobalProtect portal and gateway configurations when authentication override cookies remain enabled alongside a specific certificate configuration.
Under these conditions, attackers may bypass authentication controls and establish unauthorized VPN connections without valid credentials.
Exploitation Activity Confirmed in the Wild
Researchers Observed Multiple Real-World Intrusion Attempts
Rapid7 identified successful exploitation activity affecting multiple customer environments.
Researchers traced the earliest attacks back to May 17, 2026, followed by a second wave of attacks beginning on May 21, 2026.
Additionally, investigators believe the same threat actor conducted both attack campaigns.
During several incidents, attackers successfully obtained VPN IP assignments after bypassing authentication protections. Consequently, attackers gained access to internal enterprise networks.
Although researchers did not observe additional malicious activity after VPN access in those environments, organizations should still treat any unauthorized VPN session as a critical security incident.
Affected Systems
Vulnerable GlobalProtect Deployments Require Immediate Attention
The vulnerability affects:
- PAN-OS firewalls
- Prisma Access environments
- Systems running GlobalProtect portal or gateway services
- Deployments using authentication override cookies
- Specific certificate configurations tied to authentication override
Internet-facing VPN appliances face the highest exposure because attackers can target them remotely without requiring prior internal access.
Potential Impact
Successful Exploitation Could Lead to Internal Network Compromise
If attackers exploit the vulnerability successfully, they may:
- Establish unauthorized VPN connections
- Bypass authentication controls
- Gain access to internal enterprise networks
- Move laterally across environments
- Access sensitive systems and data
- Launch additional attacks from trusted VPN sessions
Moreover, compromised VPN infrastructure significantly increases organizational risk because attackers can blend malicious traffic with legitimate remote access activity.
Recommended Actions
Immediate Mitigation and Remediation Steps
01 — Apply Security Updates Immediately
Organizations should upgrade affected PAN-OS devices using vendor-provided security patches as quickly as possible.
02 — Disable Authentication Override Feature
Where operationally feasible, disable authentication override functionality to reduce exposure immediately.
03 — Generate New Certificates
If organizations require authentication override, administrators should generate and deploy new certificates dedicated exclusively to that feature.
04 — Review VPN Activity
Security teams should investigate:
- Unexpected VPN connections
- Unusual authentication patterns
- Unknown IP assignments
- Suspicious login activity
- Geographic anomalies
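As an added illustration of the review items above (not code from the advisory, Palo Alto Networks or Rapid7), the script below triages a small set of VPN session records and flags override-cookie sessions with no prior credential login from the same source, VPN IPs assigned to accounts outside the identity inventory, assignments outside the expected address pool, and the same account appearing from two countries within a short window. The log format, field names, user list, address pool and all sample lines are constructed for this example and are not the real PAN-OS or GlobalProtect log schema; a team would adapt the parser to its own gateway export.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample session records (NOT the real PAN-OS/GlobalProtect log
# schema): timestamp, user, source IP, source country, auth method, assigned
# VPN IP. "override-cookie" marks a session accepted on the strength of an
# authentication override cookie rather than a fresh credential check.
SAMPLE_LOG = """\
2026-05-21T08:02:11Z user=alice src=203.0.113.10 geo=US auth=password vpn_ip=10.50.0.12
2026-05-21T08:05:40Z user=alice src=203.0.113.10 geo=US auth=override-cookie vpn_ip=10.50.0.12
2026-05-21T08:07:03Z user=bob src=198.51.100.7 geo=DE auth=override-cookie vpn_ip=10.50.0.44
2026-05-21T08:09:55Z user=alice src=192.0.2.200 geo=RU auth=override-cookie vpn_ip=10.50.0.13
2026-05-21T08:12:30Z user=svc-backup src=192.0.2.201 geo=RU auth=override-cookie vpn_ip=10.50.0.99
2026-05-21T08:15:02Z user=carol src=198.51.100.9 geo=DE auth=password vpn_ip=10.60.0.5
"""

KNOWN_USERS = {"alice", "bob", "carol"}   # constructed identity inventory
EXPECTED_POOL_PREFIX = "10.50.0."          # constructed VPN address pool
TRAVEL_WINDOW = timedelta(minutes=30)      # two countries inside this window is suspicious


def parse_line(line):
    """Parse one constructed 'key=value' record into a dict with a datetime."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def triage(records):
    """Return (timestamp, user, reason) findings for the review items above."""
    findings = []
    seen = defaultdict(list)  # user -> earlier records for that user
    for r in sorted(records, key=lambda x: x["ts"]):
        user, stamp = r["user"], r["ts"].isoformat()
        # Unusual authentication pattern: an override-cookie session from a
        # source that never completed a credential login for this user.
        if r["auth"] == "override-cookie" and not any(
            h["src"] == r["src"] and h["auth"] == "password" for h in seen[user]
        ):
            findings.append((stamp, user, "override-no-prior-login"))
        # Unknown IP assignment: a VPN address handed to an account we do not know.
        if user not in KNOWN_USERS:
            findings.append((stamp, user, "unknown-user"))
        # Unknown IP assignment: an address outside the configured pool.
        if not r["vpn_ip"].startswith(EXPECTED_POOL_PREFIX):
            findings.append((stamp, user, "vpn-ip-outside-pool"))
        # Geographic anomaly: same account seen from two countries within the window.
        if any(h["geo"] != r["geo"] and r["ts"] - h["ts"] <= TRAVEL_WINDOW
               for h in seen[user]):
            findings.append((stamp, user, "geo-anomaly"))
        seen[user].append(r)
    return findings


def findings_by_user(findings):
    """Group reason codes per account so an analyst can prioritize accounts, not lines."""
    out = defaultdict(list)
    for _, user, reason in findings:
        out[user].append(reason)
    return dict(out)


if __name__ == "__main__":
    for stamp, user, reason in triage(parse_log(SAMPLE_LOG)):
        print(stamp, user, reason)
```

Run against the constructed sample, the second alice session is not flagged because a credential login from the same source precedes it, while bob, the second alice source, the unknown svc-backup account and carol's out-of-pool address each produce a finding. In practice the "prior credential login" check is the one that matters most for this advisory, since it separates override-cookie sessions that follow a normal login from ones that do not.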
05 — Restrict Administrative Exposure
Additionally, organizations should:
- Limit management interface exposure
- Enforce MFA across all remote access systems
- Restrict VPN access to trusted users and devices
- Monitor remote access infrastructure continuously
Strategic Security Perspective
VPN Infrastructure Continues to Attract Threat Actors
Remote access infrastructure remains one of the most attractive targets for attackers because VPN systems often provide direct access into enterprise environments.
Furthermore, authentication bypass vulnerabilities create especially dangerous conditions because attackers can circumvent traditional login protections entirely.
Threat actors increasingly target edge devices such as:
- VPN gateways
- Firewalls
- Remote access appliances
- Cloud access systems
- Identity infrastructure
Consequently, organizations should prioritize rapid patch management for all internet-facing security infrastructure.
In addition, enterprises should adopt layered security controls that include:
- Multi-factor authentication
- Network segmentation
- Continuous monitoring
- Zero Trust access policies
- Strict certificate management
- Threat detection for VPN anomalies
Ultimately, protecting VPN infrastructure remains critical for preventing unauthorized access, credential abuse, and enterprise-wide compromise.