Critical PAN-OS GlobalProtect Authentication Bypass Under Active Exploitation
**Palo Alto Networks** is urgently warning that **CVE-2026-0257**, a critical authentication bypass vulnerability in PAN-OS GlobalProtect, is now being actively exploited in the wild. The flaw lets attackers establish unauthorized VPN connections and, through them, reach internal networks.

**Palo Alto Networks** has updated its advisory regarding **CVE-2026-0257**, a flaw affecting the GlobalProtect portal and gateway of PAN-OS. Initially rated as Medium severity, the vulnerability has been escalated to High due to active exploitation.
## The Vulnerability: CVE-2026-0257
The vulnerability, tracked as **CVE-2026-0257**, allows attackers to bypass security restrictions and establish unauthorized VPN connections. According to **Palo Alto's** advisory, the flaw resides in the GlobalProtect portal and gateway of PAN-OS software.
The initial assessment rated the flaw's impact as Medium severity because exploitation depends on specific configuration requirements: devices must have authentication override cookies enabled and use a particular certificate configuration.
## Active Exploitation and Severity Upgrade
On Friday, **Palo Alto Networks** revised its advisory, confirming active exploitation of the vulnerability on unpatched devices. This prompted an increase in the severity rating to High.
"Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," the updated advisory states.
## Rapid7's Observations
This update aligns with earlier warnings from **Rapid7**, who observed exploitation attempts against numerous customers starting on May 17, 2026.
"Rapid7 MDR identified successful exploitation across numerous customers; however, we did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026," **Rapid7** reported.
Furthermore, **Rapid7** noted that "As of May 29, 2026, this vulnerability has been added to the **CISA** KEV."
## Attack Details
According to **Rapid7**, attackers are authenticating to GlobalProtect gateways using forged authentication override cookies targeting the local administrator account. Exploitation was first observed on May 18 from infrastructure hosted by **Vultr**, followed by a second wave on May 21 originating from Dromatics Systems.
While attackers sometimes successfully connected to internal networks via VPN using forged cookies, **Rapid7** noted instances where a full VPN session couldn't be established despite the appliance accepting the forged cookie.
## Root Cause Analysis
**Rapid7's** investigation revealed that affected devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed valid authentication cookies to be forged.
The vulnerability stems from how PAN-OS validates authentication override cookies. The GlobalProtect VPN device decrypts these cookies using a configured private key and trusts the decrypted contents without verifying a signature, so decryption alone is treated as proof that the gateway issued the cookie.
If the same certificate is reused for both the HTTPS service and authentication override cookies, attackers can obtain the corresponding public key from the certificate presented in the HTTPS session. With that public key they can encrypt a cookie of their own choosing, which the device then accepts as legitimate.
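The root cause above is the classic confusion of confidentiality with authenticity: a cookie that anyone with the public key can encrypt says nothing about who issued it. The following Go example, added here and not taken from PAN-OS, Palo Alto Networks or Rapid7, places the decrypt-and-trust pattern next to a hardened validator that additionally checks an HMAC under a secret that never leaves the gateway; the key material, the JSON payload layout and the HMAC construction are assumptions for the demonstration, and the real PAN-OS cookie format is not reproduced.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
)

var cookieKey, _ = rsa.GenerateKey(rand.Reader, 2048) // demo key (constructed) behind the cookie cert; shared with HTTPS in the weak deployment
var macKey = []byte("demo-only gateway secret")       // constructed secret; never leaves the gateway, only the hardened path uses it

func tag(body []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(body)
	return m.Sum(nil)
}

// Issue is the legitimate issuance path: JSON payload || HMAC tag, OAEP-encrypted to the cookie key.
func Issue(user string) ([]byte, error) {
	body, _ := json.Marshal(map[string]string{"user": user})
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &cookieKey.PublicKey, append(body, tag(body)...), nil)
}

// ValidateWeak reproduces the flawed pattern: decrypt, then trust the contents. Any holder of the public key can produce a cookie it accepts.
func ValidateWeak(cookie []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, cookieKey, cookie, nil)
	if err != nil {
		return "", err
	}
	var p struct{ User string `json:"user"` }
	err = json.Unmarshal(plain, &p)
	return p.User, err
}

// ValidateHardened trusts the payload only after the HMAC under the gateway-only secret verifies.
func ValidateHardened(cookie []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, cookieKey, cookie, nil)
	if err != nil {
		return "", err
	}
	n := len(plain) - sha256.Size
	if n <= 0 || !hmac.Equal(tag(plain[:n]), plain[n:]) {
		return "", errors.New("cookie integrity check failed")
	}
	var p struct{ User string `json:"user"` }
	err = json.Unmarshal(plain[:n], &p)
	return p.User, err
}
```

The same separation applies to the mitigation of using a distinct certificate: once the cookie key is not the HTTPS key, its public half is no longer handed out in every TLS handshake, but only an integrity check removes the design flaw itself.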
## Proof-of-Concept Exploit
**Rapid7** developed a proof-of-concept exploit to demonstrate how an attacker can retrieve public certificates exposed by a GlobalProtect portal or gateway, generate a forged authentication override cookie for an arbitrary user, and authenticate without valid credentials. This PoC successfully authenticated to an unpatched GlobalProtect gateway.
## Remediation and Mitigation
Organizations using GlobalProtect VPN devices are strongly advised to immediately install the latest security updates to patch the flaw.
Alternative mitigation strategies include disabling the authentication override feature, or using a distinct certificate for this feature so that it is not shared with any other service on the device.
**CISA** has added the flaw to its Known Exploited Vulnerability catalog, mandating federal agencies to mitigate it by June 1, 2026.