Palo Alto Networks confirmed on May 13, 2026 that CVE-2026-0257, a high-severity authentication bypass in its GlobalProtect VPN portal and gateway, was being actively exploited in the wild. Sixteen days later, CISA added it to the Known Exploited Vulnerabilities catalog with a federal patch deadline of June 1, 2026. Security researchers at Rapid7 and Arctic Wolf have since documented at least two distinct waves of exploitation against enterprise networks, raising the alarm for the more than 70,000 organizations worldwide that depend on Palo Alto Networks firewalls for perimeter security.
The vulnerability, rated CVSS 7.8 High after an initial assessment of 4.7 Medium was revised upward, allows an unauthenticated remote attacker to forge authentication cookies and establish an unauthorized VPN connection without valid credentials. In environments where GlobalProtect gateways touch sensitive internal segments, that single capability translates directly into network-level access with no prior foothold required.
What CVE-2026-0257 Is and Why It Matters
CVE-2026-0257 is a pre-authentication vulnerability in the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS. The flaw stems from a design assumption in how PAN-OS handles authentication override cookies, a convenience feature that lets returning VPN clients skip repeated credential prompts by presenting a signed cookie instead of re-authenticating from scratch.
When a firewall administrator configures authentication override and uses the same certificate to sign GlobalProtect cookies and to serve HTTPS traffic on the same interface, an attacker who can observe or obtain the public-key material can construct a valid-looking override cookie without knowing any user credentials. PAN-OS then accepts the forged cookie as legitimate and grants VPN access.
Palo Alto Networks itself summarizes the impact plainly: “Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection.” In practice, that means an adversary with internet access to an exposed GlobalProtect portal can enter the internal network as if they were an authenticated employee.
What makes this particularly dangerous is the combination of three factors. First, the attack requires no privileges and no user interaction, placing it in the highest-risk bracket for remote exploitation. Second, GlobalProtect portals and gateways are by definition internet-facing, making the attack surface large. Third, authentication override cookies are a widely used feature, meaning a significant fraction of GlobalProtect deployments carry the vulnerable configuration by default.
The Technical Root Cause: Cookie Forgery via Certificate Reuse
The root cause of CVE-2026-0257 sits at the intersection of two architectural decisions. PAN-OS signs authentication override cookies using a certificate that the administrator specifies. If that same certificate is also used for the GlobalProtect portal’s or gateway’s HTTPS interface, the certificate’s public key is visible to anyone who connects to the HTTPS service.
An attacker who retrieves the public key can, under certain conditions, reconstruct or forge cookie signatures. Once the forged cookie passes the server-side validation in the cpsrvd authentication daemon, PAN-OS treats the connection as legitimately authenticated and allows the VPN session to proceed.
Rapid7 describes the precise technical condition: “If the certificate used for cookie encryption/decryption is reused elsewhere, an attacker can discover the public key and forge arbitrary cookies, then establish a VPN connection.” The firm added that “an authentication bypass in an edge-facing enterprise VPN appliance can have significant impact to affected organizations” and urged immediate patching.
Unit 42, Palo Alto’s own threat intelligence arm, noted that a public proof-of-concept became available during the active exploitation window, providing attackers with a ready-made tool. The firm published a set of suspicious IP addresses seen in pre-PoC reconnaissance activity, including 23.128.228.6, 104.207.144.154, and a cluster of addresses in the 146.19.216.x and 185.195.232.x ranges, giving defenders concrete indicators to hunt for in firewall logs.
The attack is also notable for what it does not require. Unlike memory-corruption exploits that depend on a precise heap layout or specific kernel version, cookie forgery attacks are inherently reliable across the full range of affected PAN-OS branches, because the vulnerability is logical rather than memory-based. That reliability contributes to the rapid transition from proof-of-concept to weaponized exploitation seen in this case.
Attack Timeline: 12 Days from Advisory to Federal Deadline
The public lifecycle of CVE-2026-0257 moved unusually fast, driven by active exploitation that preceded the original advisory by an unknown margin.
| Date | Event | Source |
|---|---|---|
| May 13, 2026 | Palo Alto Networks publishes advisory and fixed PAN-OS builds | Palo Alto Networks |
| May 17, 2026 | Rapid7 records earliest confirmed exploitation attempt in the wild | Rapid7 |
| May 29, 2026 | CISA adds CVE-2026-0257 to Known Exploited Vulnerabilities catalog | CISA KEV |
| June 1, 2026 | CISA deadline: all federal civilian agencies must patch or mitigate | CISA directive |
| Early June 2026 | Arctic Wolf documents second exploitation wave with increased volume | Arctic Wolf |
| June 21, 2026 | Exploitation ongoing; unpatched deployments remain at active risk | Multiple vendors |
The 12-day gap between the Palo Alto advisory (May 13) and the CISA KEV addition (May 29) reflects how long it can take institutional response machinery to formally classify and mandate remediation. For defenders, those 12 days represented a period of confirmed exploitation with no federal-level urgency signal.
Arctic Wolf’s observation of a second, higher-volume exploitation wave in early June 2026 suggests that once a proof-of-concept circulates, attack tooling proliferates rapidly. Arctic Wolf confirmed it “observed an increase in active exploitation of CVE-2026-0257” in that period and reiterated that organizations should treat patching as an emergency rather than a routine maintenance task.
Two Waves of Exploitation and Threat Actor Patterns
Rapid7’s threat intelligence team observed two distinct waves of exploitation and found a notable consistency between them. The firm reported that a spoofed MAC address appeared in attack traffic across both waves, suggesting the same threat actor, or at minimum the same tooling, was responsible for both campaigns. Rapid7 was careful to note that the actor has not been publicly identified by name, and attribution remains open as of June 2026.
The attack flow documented by Unit 42 and Rapid7 involves several distinctive artifacts that defenders can hunt for. Attackers use forged authentication override cookies with hard-coded client configuration values drawn from the public proof-of-concept, including a host operating system string of Microsoft Windows 10 Pro 64-bit and an empty source user domain field. These artifacts are anomalous in production environments where legitimate clients provide real device context.
Unit 42 also published suspicious host identifiers seen in attack sessions, including generic device names such as aa:bb:cc:dd:ee:ff, WINDOWS-LAPTOP-001, DESKTOP-GP01, and GP-CLIENT. These placeholders, drawn directly from PoC code, appear in authentication logs and provide a reliable detection signal when correlated against the list of known attacker IP addresses.
Rapid7 noted that in one sample of managed detection and response customers, the appliance accepted forged cookies in 8 out of 10 impacted deployments, implying that the vulnerable certificate-reuse configuration is extremely common in real-world PAN-OS environments. Unit 42 added that no post-access lateral movement had been confirmed as of its initial briefing, but acknowledged that dwell time for detection in similar VPN bypass campaigns is typically measured in days to weeks.
Affected PAN-OS Versions Across Four Release Branches
The vulnerability spans four active PAN-OS release branches and dozens of specific build numbers. Panorama and Cloud NGFW are confirmed unaffected. The affected scope is limited to on-premises and cloud-deployed firewalls with GlobalProtect portal or gateway enabled, combined with the vulnerable authentication-override certificate configuration.
| PAN-OS Branch | Vulnerable Builds (representative range) | First Fixed Build |
|---|---|---|
| PAN-OS 12.1 | 12.1.2 through 12.1.6 | 12.1.7 or later |
| PAN-OS 11.2 | 11.2.0 through 11.2.10-h* (multiple sub-branches) | 11.2.11 or later |
| PAN-OS 11.1 | 11.1.0 through 11.1.13-h* (multiple sub-branches) | 11.1.14 or later; hotfixes 11.1.13-h5, 11.1.10-h25 |
| PAN-OS 10.2 | 10.2.0 through 10.2.18-h* (multiple sub-branches) | Per-branch; consult Palo Alto advisory |
Administrators running PAN-OS 11.1 who cannot immediately upgrade to the full fixed release can apply hotfix builds 11.1.13-h5 and 11.1.10-h25 as a temporary measure while scheduling the full upgrade. Palo Alto’s advisory also notes that upgrading to any fixed build causes GlobalProtect users to re-authenticate once after the update, which should be communicated to end users in advance to avoid help-desk congestion.
Organizations still running PAN-OS 10.2 face a particularly complex patching landscape because the 10.2 branch has numerous sub-releases, each with different hotfix availability. Security teams should cross-reference the exact build number against Palo Alto’s official advisory at security.paloaltonetworks.com/CVE-2026-0257 rather than assuming any single rule covers all 10.2 deployments.
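Triage across a fleet is error-prone because the fixed-build table above is not monotonic: 11.1.10-h25 is fixed while 11.1.11 is not. The following Python helper, added here and not taken from Palo Alto or any advisory, encodes only the ranges in the article's table (treating a hotfix at or above the named number on the same train as fixed, an assumption) and returns "consult-advisory" for the 10.2 branch and for any build the table does not cover.

```python
import re

# Transcribed from the article's table above, not from vendor data.
# Vulnerable range per branch: (lowest, highest) base build named.
VULN_RANGE = {
    "12.1": ((12, 1, 2), (12, 1, 6)),
    "11.2": ((11, 2, 0), (11, 2, 10)),
    "11.1": ((11, 1, 0), (11, 1, 13)),
}
# First fully fixed release per branch.
FIRST_FIXED = {"12.1": (12, 1, 7), "11.2": (11, 2, 11), "11.1": (11, 1, 14)}
# Hotfix trains named as fixed even though their base build sits inside the
# vulnerable range. Assumption: h<N> and later on that train are fixed.
FIXED_HOTFIXES = {"11.1": {(11, 1, 13): 5, (11, 1, 10): 25}}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version):
    """Split '11.1.13-h5' into ((11, 1, 13), 5); a missing hotfix is 0."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch)), (int(hotfix) if hotfix else 0)


def assess(version):
    """Return 'fixed', 'vulnerable' or 'consult-advisory' for one build."""
    base, hotfix = parse_panos(version)
    branch = f"{base[0]}.{base[1]}"
    if branch not in FIRST_FIXED:
        # 10.2 is fragmented per the article; other branches are not listed.
        return "consult-advisory"
    if base >= FIRST_FIXED[branch]:
        return "fixed"
    low, high = VULN_RANGE[branch]
    if not (low <= base <= high):
        # Older than the range the article names: do not guess.
        return "consult-advisory"
    needed = FIXED_HOTFIXES.get(branch, {}).get(base)
    if needed is not None and hotfix >= needed:
        return "fixed"
    return "vulnerable"


if __name__ == "__main__":
    for v in ["11.1.10-h25", "11.1.11", "11.1.13-h4", "11.1.13-h5",
              "11.2.10-h3", "12.1.7", "12.1.1", "10.2.18-h2"]:
        print(f"{v:12} -> {assess(v)}")
```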
CVE-2026-0257 vs. Palo Alto’s History of Critical PAN-OS Flaws
CVE-2026-0257 is the third significant GlobalProtect or PAN-OS authentication-adjacent vulnerability in three years, continuing a pattern that has made Palo Alto’s edge products a persistent target for state-sponsored actors and opportunistic ransomware groups alike.
CVE-2024-3400 set the benchmark for severity in this product line. Discovered and disclosed in April 2024, it carried a CVSS score of 10.0, the maximum possible, and allowed an unauthenticated attacker to execute arbitrary code as root through a command injection flaw in the GlobalProtect gateway. Palo Alto released hotfixes within two days of the advisory, and CISA added it to KEV on April 12, 2024. The incident demonstrated that Palo Alto’s edge services could be weaponized for root-level code execution, not just network access.
CVE-2025-0108, disclosed in February 2025, was an authentication bypass in the PAN-OS management web interface rather than GlobalProtect specifically. Like CVE-2026-0257, it allowed unauthenticated access to administrative functions. The 2025 flaw drew significant attention because management interfaces, though typically not internet-exposed by policy, frequently are in practice due to misconfigurations.
CVE-2026-0257 sits between these two in severity terms, with a revised CVSS of 7.8 compared to the 10.0 ceiling of CVE-2024-3400. However, because GlobalProtect portals are intentionally internet-facing rather than accidentally so, the exploitable attack surface for CVE-2026-0257 is structurally larger than it was for the 2025 management-interface flaw. Researchers at Horizon3 documented that the vulnerable certificate-reuse condition exists across a meaningful fraction of real-world deployments, not just edge-case configurations.
The pattern across these three years points to a systematic challenge: PAN-OS is a high-value target precisely because it is trusted to enforce network segmentation, and any flaw that undermines that trust delivers adversaries access to environments where they expect to be blocked. See the broader comparison with Check Point’s recent vulnerability in Check Point VPN Zero-Day: CVSS 9.3, Qilin Ransomware [2026].
CISA’s KEV Designation and the Federal Agency Deadline
CISA’s addition of CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on May 29, 2026 triggered a Binding Operational Directive deadline requiring all federal civilian executive branch agencies to patch or apply mitigations by June 1, 2026, giving agencies just three days from the KEV listing to demonstrate compliance.
The tightness of that window reflects the severity classification CISA assigned. KEV listings with three-day compliance windows are reserved for vulnerabilities where active exploitation against sensitive infrastructure is considered probable, not merely theoretical. For context, most KEV deadlines run 21 to 30 days. A three-day window is the agency’s fastest available response mechanism short of an emergency directive.
For private-sector organizations, the KEV listing carries no mandatory compliance obligation, but it functions as a strong market signal. Insurance underwriters, supply-chain security questionnaires, and third-party risk auditors increasingly treat KEV presence as a formal risk criterion. Organizations that cannot demonstrate patching or compensating controls within 30 days of a KEV listing face elevated exposure in those contexts.
The practical implication for security teams is that CVE-2026-0257 should be treated with the same urgency as a P1 incident ticket. Network defenders who have not yet upgraded affected PAN-OS builds should immediately apply the workaround of disabling authentication override cookies and then schedule the full patch within their next available maintenance window, targeting no longer than 14 days from this writing.
Immediate Mitigation: Three Actions for Network Administrators
Palo Alto Networks, Rapid7, and Arctic Wolf all converge on the same three mitigation options, listed here from most to least complete; the second and third are for organizations that cannot patch immediately.
Option 1: Upgrade to a Fixed PAN-OS Build
The most complete remediation is upgrading to a fixed release. PAN-OS 11.1 administrators should target build 11.1.13-h5 or 11.1.10-h25 at minimum, with a full upgrade to 11.1.14 or later scheduled promptly. PAN-OS 11.2 administrators should target 11.2.11 or later. PAN-OS 12.1 administrators should upgrade to 12.1.7 or later. PAN-OS 10.2 requires consulting the per-branch table in the official Palo Alto advisory due to the fragmented sub-release landscape.
Option 2: Disable Authentication Override Cookies
If patching is not possible within the required window, disabling authentication override cookies in GlobalProtect portal and gateway settings eliminates the attack vector entirely. Users will need to authenticate on every VPN session rather than relying on cached cookies, which increases authentication friction but removes the exploitable mechanism. This is an acceptable interim control for organizations with strong MFA enrollment across the user base.
Option 3: Isolate the Authentication Override Certificate
If authentication override must remain enabled, generate a new certificate used exclusively for the override-cookie signing function and configure the GlobalProtect portal and gateway to use it. This certificate must not be used for portal HTTPS, gateway HTTPS, or any other PAN-OS feature. Certificate isolation eliminates the attack path because attackers can no longer derive the signing material from the public HTTPS service. Rapid7 recommends this as the preferred long-term architectural approach even after patching, treating it as a defense-in-depth measure against future authentication-adjacent vulnerabilities in the same component.
Detection and Threat Hunting for Exposed Deployments
Organizations that were exposed during the May 17 to June 1 window should assume potential compromise and initiate a threat hunt before declaring the environment clean after patching.
Unit 42’s published indicators give defenders a concrete starting point. Firewall authentication logs should be searched for sessions originating from the known malicious IP list, including 23.128.228.6, 104.207.144.154, 146.19.216.119, 146.19.216.120, 146.19.216.125, 179.43.172.213, 185.195.232.139, 198.12.106.60, and 202.144.192.47. Any successful VPN session from these sources should be treated as a confirmed intrusion requiring immediate incident response.
Authentication logs should also be filtered for PoC-derived host identifiers. Sessions reporting device names of WINDOWS-LAPTOP-001, DESKTOP-GP01, or GP-CLIENT, combined with a MAC address of aa:bb:cc:dd:ee:ff or 00:11:22:33:44:55, are strong indicators of exploitation. Legitimate corporate devices do not carry placeholder values from open-source exploit tooling.
At the PAN-OS log level, administrators should review Traffic and System logs for gateway-connected sessions that lack corresponding pre-authentication entries. A VPN session that appears in Traffic without a matching authentication handshake in the System log indicates a bypass rather than a legitimate credential flow. Security teams should also check for any new VPN user accounts or administrative accounts created in the aftermath of suspicious sessions, as threat actors in similar campaigns implant backdoor credentials before defenders detect the initial intrusion.
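The three hunts described above (known indicator IPs, PoC placeholder host identifiers, and traffic sessions with no matching authentication entry) can be run together over exported log lines. The Python below is an added example, not tooling from Unit 42 or Rapid7; it assumes a simplified key=value export format with constructed sample lines, so the field names (src, user, domain, host, mac, os) must be mapped to your SIEM's parsed fields, and real correlation should key on session IDs and time windows rather than on the (source, user) pair used here.

```python
import re
from collections import namedtuple

# Indicators quoted in the article from Unit 42's publication.
KNOWN_BAD_IPS = {
    "23.128.228.6", "104.207.144.154", "146.19.216.119", "146.19.216.120",
    "146.19.216.125", "179.43.172.213", "185.195.232.139", "198.12.106.60",
    "202.144.192.47",
}
PLACEHOLDER_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
PLACEHOLDER_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
POC_HOST_OS = "Microsoft Windows 10 Pro 64-bit"

# Constructed sample export (assumed key=value layout, not real PAN-OS CSV).
SAMPLE_LOGS = """\
type=auth src=203.0.113.10 user=alice domain=corp host=LT-ALICE-42 mac=3c:5a:b4:10:22:91 os="Microsoft Windows 11 Enterprise" result=success
type=auth src=23.128.228.6 user=jsmith domain= host=WINDOWS-LAPTOP-001 mac=aa:bb:cc:dd:ee:ff os="Microsoft Windows 10 Pro 64-bit" result=success
type=traffic src=203.0.113.10 user=alice session=1001
type=traffic src=23.128.228.6 user=jsmith session=1002
type=traffic src=198.51.100.77 user=bob session=1003
"""

Finding = namedtuple("Finding", "line src user reasons")
_KV = re.compile(r'(\w+)=("[^"]*"|\S*)')


def parse_line(line):
    """Parse one key=value line; quoted values may contain spaces."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}


def hunt(log_text):
    """Return one Finding per log line that matches any hunting rule."""
    records = [(n, parse_line(l))
               for n, l in enumerate(log_text.splitlines(), 1) if l.strip()]
    # Every (source, user) pair that produced an authentication entry.
    authenticated = {(r.get("src"), r.get("user"))
                     for _, r in records if r.get("type") == "auth"}
    findings = []
    for n, r in records:
        reasons = []
        if r.get("src") in KNOWN_BAD_IPS:
            reasons.append("source IP on Unit 42 indicator list")
        if r.get("type") == "auth":
            if r.get("host") in PLACEHOLDER_HOSTNAMES:
                reasons.append("placeholder hostname from public PoC")
            if r.get("mac", "").lower() in PLACEHOLDER_MACS:
                reasons.append("placeholder MAC address from public PoC")
            if r.get("os") == POC_HOST_OS and r.get("domain", "") == "":
                reasons.append("hard-coded PoC OS string with empty domain")
        elif r.get("type") == "traffic":
            if (r.get("src"), r.get("user")) not in authenticated:
                reasons.append("VPN traffic with no matching authentication entry")
        if reasons:
            findings.append(Finding(n, r.get("src"), r.get("user"), reasons))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f"line {f.line} src={f.src} user={f.user}: {'; '.join(f.reasons)}")
```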
How CVE-2026-0257 Compares to Similar Enterprise VPN Exploits
Palo Alto’s GlobalProtect is one of several enterprise VPN platforms that have suffered authentication bypass flaws in the last two years. Comparing CVE-2026-0257 to peer incidents illustrates both what makes this one distinctive and where it follows familiar patterns.
| CVE | Product | CVSS | Attack Type | Days to CISA KEV | Known Exploitation Actor |
|---|---|---|---|---|---|
| CVE-2026-0257 | Palo Alto GlobalProtect | 7.8 | Cookie forgery via cert reuse | 16 | Unidentified (2 waves documented) |
| CVE-2024-3400 | Palo Alto GlobalProtect | 10.0 | Command injection, root RCE | 0 (same-day KEV) | In-wild; no group named |
| CVE-2026-50751 | Check Point VPN | 9.3 | Path traversal credential leak | 14 | Qilin ransomware |
| CVE-2025-0108 | Palo Alto PAN-OS Mgmt UI | High | Auth bypass in web interface | Not confirmed | In-wild confirmed |
The comparison shows CVE-2026-0257 sitting in the middle of the severity range for this class of vulnerability. It is not as catastrophic as the CVSS 10.0 RCE of CVE-2024-3400, which gave attackers root-level code execution on the firewall itself. It is, however, more operationally impactful than management-interface bypasses because GlobalProtect portals are intentionally internet-exposed, making opportunistic exploitation far more accessible. The 16-day gap to CISA KEV also tracks with the broader trend of faster-than-average regulatory response to VPN platform vulnerabilities.
What distinguishes CVE-2026-0257 from the Check Point incident covered in our Check Point VPN zero-day analysis is the absence, so far, of a named ransomware group claiming responsibility. The Check Point flaw was immediately linked to the Qilin ransomware operation. CVE-2026-0257, as of June 21, 2026, appears to involve an unnamed actor conducting what looks like access-harvesting. That pattern is more consistent with initial-access broker activity or nation-state reconnaissance than with opportunistic ransomware campaigns.
The Broader Context: VPN Security as a Sustained Crisis
CVE-2026-0257 does not exist in isolation. It is the latest data point in a two-year pattern of VPN platform vulnerabilities that security analysts are beginning to describe as a structural crisis in enterprise network architecture.
The premise of perimeter security, that a trusted edge device can reliably separate internal networks from external threats, depends on that device itself being immune to remote compromise. When GlobalProtect, Check Point, Fortinet, and Ivanti VPN products all suffer authentication bypass or remote code execution vulnerabilities within the same 24-month window, the premise becomes difficult to defend at an architectural level.
This connects to the broader context documented in the Cloudflare 2026 Threat Report, which recorded 47 million attacks and a record 31.4 Tbps DDoS event, as well as the 49% surge in ransomware groups that hit 8,159 victims in 2025. Edge network infrastructure is under sustained, organized assault by threat actors who have learned that VPN authentication is a reliable kill chain entry point requiring less sophisticated tooling than endpoint compromise.
The security industry’s response has been to accelerate the adoption of Zero Trust Network Access architectures that eliminate the static perimeter entirely. Rather than trusting any device that presents a valid VPN credential, ZTNA systems apply continuous authentication and authorization at the application layer, so a forged VPN cookie does not translate into broad network access. CVE-2026-0257 makes a stronger-than-usual case for organizations still running legacy VPN architectures to accelerate their ZTNA migration planning. For more context on how AI-enabled threat actors are shrinking the window between disclosure and exploitation, see our coverage of AI-driven cyberattacks that generated 40,000 automated vulnerabilities in 2026.
The nation-state dimension also cannot be ignored. The Salt Typhoon campaign that exposed FBI wiretap data across 80 nations relied on similar edge-device footholds to reach classified infrastructure. A vulnerability that delivers VPN-layer access without credentials is precisely the type of initial entry that state-sponsored actors prize for long-term, low-noise persistence.
Five Predictions for the CVE-2026-0257 Threat Trajectory
Based on the exploitation patterns of comparable VPN vulnerabilities, five developments are likely over the next 90 days.
- A named ransomware group will claim CVE-2026-0257 exploitation within 45 days. Access-broker activity at this scale typically converts to ransomware deployments within 6 weeks, based on timelines observed in the CVE-2024-3400 and Check Point VPN campaigns.
- Nation-state attribution will emerge for at least one confirmed intrusion. The dual-wave structure documented by Rapid7, with a consistent spoofed MAC address across both campaigns, suggests coordinated activity rather than random opportunistic scanning. State-sponsored initial-access campaigns targeting government VPN infrastructure are a documented pattern from groups like Volt Typhoon.
- Patch adoption will lag 60 days behind the advisory for the median enterprise. Enterprise patch cycles for firewall firmware typically run 30 to 90 days due to change-management requirements, even for critical vulnerabilities. The most exposed organizations are those with 200 to 500 employees that lack dedicated security operations teams.
- CISA will issue a follow-up advisory with updated indicators by mid-July 2026. The pace of Arctic Wolf’s second-wave documentation suggests threat activity is still evolving, and the KEV entry will likely be supplemented with updated TTP guidance as more forensic data becomes available from incident response engagements.
- Palo Alto will release a post-incident technical analysis revising vulnerability scope. In both CVE-2024-3400 and CVE-2025-0108, Palo Alto published follow-up security bulletins within 60 days of initial disclosure that expanded the affected product list or revised the CVSS score. A similar revision is probable for CVE-2026-0257 given the rapid escalation from 4.7 to 7.8 already documented.
Frequently Asked Questions
What is CVE-2026-0257?
CVE-2026-0257 is a high-severity authentication bypass vulnerability in Palo Alto Networks PAN-OS affecting the GlobalProtect VPN portal and gateway components. Rated CVSS 7.8 High (revised from an initial 4.7 Medium), it allows an unauthenticated remote attacker to forge authentication override cookies and establish an unauthorized VPN connection without valid credentials.
Which PAN-OS versions are affected by CVE-2026-0257?
The vulnerability affects PAN-OS 10.2, 11.1, 11.2, and 12.1 across multiple sub-releases. Panorama and Cloud NGFW, including Prisma Access, are confirmed unaffected. Administrators should check the official Palo Alto advisory at security.paloaltonetworks.com/CVE-2026-0257 for the exact build list for their specific branch.
Is CVE-2026-0257 being actively exploited right now?
Yes. Rapid7 confirmed active exploitation beginning May 17, 2026, four days after the advisory. Arctic Wolf documented a second, higher-volume exploitation wave in early June 2026. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 29, 2026 and ordered federal civilian agencies to patch by June 1, 2026. Exploitation is ongoing as of June 21, 2026.
What is the fastest way to stop the attack without patching?
Disable authentication override cookies in GlobalProtect portal and gateway settings. This removes the mechanism that attackers exploit. Users will need to re-authenticate on every VPN session, but the attack vector is completely eliminated. As an alternative, generate a new certificate used exclusively for authentication override and configure GlobalProtect to use that certificate only, isolating it from the portal HTTPS interface.
How do I know if my organization has already been compromised?
Review GlobalProtect authentication and traffic logs for sessions from the published malicious IP addresses (23.128.228.6, 104.207.144.154, and the 146.19.216.x cluster published by Unit 42). Look for VPN sessions with placeholder device names such as WINDOWS-LAPTOP-001 or DESKTOP-GP01, or with a MAC address of aa:bb:cc:dd:ee:ff. Any VPN session in Traffic logs without a corresponding authentication entry in System logs is also suspicious. Organizations with any of these indicators should initiate a formal incident response process immediately.
Does this affect Panorama or Prisma Access?
No. Palo Alto Networks confirmed that Panorama and Cloud NGFW, including Prisma Access, are not impacted by CVE-2026-0257. The vulnerability is specific to on-premises and cloud-deployed PAN-OS firewalls running the affected builds with GlobalProtect portal or gateway configured.
How does CVE-2026-0257 compare to CVE-2024-3400 in severity?
CVE-2024-3400, disclosed in April 2024, carried a CVSS of 10.0 and allowed root-level code execution on the firewall itself via command injection. CVE-2026-0257 is rated CVSS 7.8 and grants network access rather than code execution on the device. CVE-2024-3400 was more severe in terms of what an attacker could do on the firewall, but CVE-2026-0257 targets the GlobalProtect portal, which is intentionally internet-facing, making the effective attack surface structurally larger for opportunistic campaigns.