Active Exploitation of Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
**Palo Alto Networks** is warning of active exploitation of a recently disclosed medium-severity security flaw, **CVE-2026-0257**, affecting PAN-OS and Prisma Access. The vulnerability allows attackers to bypass authentication and establish unauthorized VPN connections, posing a significant risk to affected organizations.

### CVE-2026-0257: Authentication Bypass in PAN-OS
The vulnerability, tracked as **CVE-2026-0257** (CVSS score: 7.8), involves an authentication bypass that could be exploited by malicious actors to set up VPN connections. According to **Palo Alto Networks**, the issue affects firewalls with GlobalProtect portal or gateway configured when authentication override cookies are enabled and a specific certificate configuration exists.
"Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection," the company stated in their advisory released on May 13, 2026.
### Exploitation in the Wild
In an update on May 29, 2026, **Palo Alto Networks** acknowledged "limited exploit attempts on unpatched PAN-OS devices without mitigations applied."
This follows a report from **Rapid7**, which identified successful exploitation across numerous customers, with the earliest attempts dating back to May 17, 2026, and a subsequent wave on May 21. **Rapid7** attributes both exploitation sets to the same threat actor.
The second wave of activity included VPN IP assignment following cookie authentication, granting attackers access to the internal network in two instances. No follow-on activity was observed in the customer environments where a VPN session was established.
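As an added hunting example (not code from Palo Alto Networks, Rapid7 or this article), the script below walks constructed GlobalProtect-style login records and flags the pattern described above: a cookie-based login that no recent credential login for the same user can explain, followed by a VPN IP assignment. The record fields, the `auth_method` values and the seven-day cookie lifetime are assumptions standing in for whatever your own log export provides.

```python
# Added hunting example; the record schema below is an assumption, not the
# real PAN-OS log format, and the sample records are constructed.
from datetime import datetime, timedelta

# Constructed sample records (time-ordered).
SAMPLE_EVENTS = [
    {"ts": "2026-05-16 08:00:00", "user": "alice", "src_ip": "203.0.113.5",
     "auth_method": "credential", "event": "login-success"},
    {"ts": "2026-05-17 09:10:00", "user": "alice", "src_ip": "203.0.113.5",
     "auth_method": "auth-override-cookie", "event": "login-success"},
    {"ts": "2026-05-17 09:10:02", "user": "alice", "src_ip": "203.0.113.5",
     "auth_method": "auth-override-cookie", "event": "ip-assigned"},
    # Cookie login for a user with no preceding credential login at all.
    {"ts": "2026-05-21 03:15:00", "user": "bob", "src_ip": "198.51.100.9",
     "auth_method": "auth-override-cookie", "event": "login-success"},
    {"ts": "2026-05-21 03:15:03", "user": "bob", "src_ip": "198.51.100.9",
     "auth_method": "auth-override-cookie", "event": "ip-assigned"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def suspicious_cookie_sessions(events, cookie_lifetime=timedelta(days=7)):
    """Return cookie logins not preceded by a credential login for the same
    user within cookie_lifetime, noting whether a tunnel IP was then assigned."""
    last_credential = {}  # user -> time of most recent credential login
    findings = []
    events = sorted(events, key=lambda e: parse_ts(e["ts"]))
    for i, e in enumerate(events):
        t = parse_ts(e["ts"])
        if e["event"] == "login-success" and e["auth_method"] == "credential":
            last_credential[e["user"]] = t
            continue
        if e["event"] == "login-success" and e["auth_method"] == "auth-override-cookie":
            prev = last_credential.get(e["user"])
            if prev is not None and t - prev <= cookie_lifetime:
                continue  # a cookie issued by a legitimate login explains this
            # Did the session progress to IP assignment from the same source?
            ip_assigned = any(
                f["user"] == e["user"] and f["src_ip"] == e["src_ip"]
                and f["event"] == "ip-assigned"
                for f in events[i + 1:]
            )
            findings.append({"user": e["user"], "src_ip": e["src_ip"],
                             "ts": e["ts"], "ip_assigned": ip_assigned})
    return findings

if __name__ == "__main__":
    for hit in suspicious_cookie_sessions(SAMPLE_EVENTS):
        print(hit)
```

Sessions that only reach `login-success` are still worth reviewing; the `ip_assigned` flag just separates the two cases Rapid7 describes, an attempt versus an established tunnel.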
### Rapid7's Assessment
"An authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations," **Rapid7** warned. "As such, organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis."
### Mitigation Strategies
As temporary mitigations, **Palo Alto Networks** recommends disabling the authentication override feature or generating a new certificate to use exclusively for the authentication override feature.
### FortiClient EMS Exploitation
The exploitation of **CVE-2026-0257** follows a report from **Arctic Wolf** about the continued weaponization of a critical security flaw in **FortiClient** Endpoint Management Server (EMS) deployments (**CVE-2026-35616**, CVSS score: 9.1). Threat actors are leveraging this vulnerability to deliver credential-stealing malware known as EKZ Infostealer.