PAN-OS security vulnerability

Palo Alto GlobalProtect: Actively Exploited VPN Bypass Threatens Corporate Networks


Cybercriminals are actively exploiting a vulnerability in Palo Alto Networks GlobalProtect to gain unauthorized access to internal corporate networks by forging authentication cookies.

Palo Alto Networks has issued an urgent advisory for PAN-OS administrators after confirming that a flaw in the authentication mechanism of its GlobalProtect VPN component is being exploited in the wild. Tracked as CVE-2026-0257, the vulnerability affects both GlobalProtect portals and gateways and lets attackers bypass authentication under certain configurations.


Initially disclosed in mid-May 2026 and rated medium severity because exploitation depends on how the appliance is configured, the issue was raised to high severity on Friday, May 29, 2026. The reclassification followed confirmed evidence of targeted exploitation against unpatched systems and environments without the mitigations in place.

Active Exploitation Confirmed and Added to CISA Catalog

Early signs of real-world exploitation were first detected by security provider Rapid7 through its managed detection and response telemetry. According to the company, exploitation attempts against its customers began as early as May 17, 2026, across multiple environments.

Analysts identified two distinct waves of activity. The first began on May 18, 2026, originating from infrastructure hosted by cloud provider Vultr. A second wave followed on May 21, 2026, with traffic traced to systems associated with Dromatics Systems.


In response to the escalating threat, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026. Federal civilian agencies were given until June 1, 2026, to apply the patch or one of the mitigations.

Cookie Forgery Mechanism Behind the Attack

The vulnerability stems from how PAN-OS handles the "Authentication Override" feature in GlobalProtect. After a successful full login (credentials plus any multi-factor step), the portal or gateway issues the client a temporary authentication cookie; on later connections the client presents the cookie instead of repeating the login.

The core issue lies in server-side validation. When a gateway receives a cookie, it decrypts it with the private key of the certificate configured for cookie encryption and trusts whatever comes out. Decryption alone, however, says nothing about who produced the ciphertext: there is no signature or integrity check under a key that only the gateway holds, so any party able to encrypt to the gateway's public key can mint a cookie that decrypts cleanly and names an arbitrary user.

This is why certificate reuse is decisive. If the same certificate both encrypts cookies and serves the GlobalProtect HTTPS portal, its public key is handed to every client during the TLS handshake. An attacker who has never logged in can take that key, encrypt a cookie body for the account of their choice, including a local administrator account, and present it to the gateway, which accepts it as if the user had authenticated.
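The following Go program is an added illustration of the design flaw described above, not code from Palo Alto Networks or from the Rapid7 proof of concept. The RSA key pair stands in for the portal certificate, the JSON cookie body is an assumed layout (the real PAN-OS cookie format is not published), and the "hardened" variant is the textbook fix for this class of bug (an HMAC under a gateway-held secret), not a description of the vendor's patch. It shows that whoever holds only the public key can produce a cookie the decrypt-and-trust gateway accepts for "admin", while the same forgery fails once the gateway checks origin before decrypting.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Cookie body issued after a full login. Field names are assumed for the
// example; the real PAN-OS cookie layout is not published.
type payload struct {
	User    string `json:"user"`
	Expires int64  `json:"exp"`
}

// encryptPayload needs only the certificate's PUBLIC key. Anyone who saw that
// key in a TLS handshake can call this too; that is the whole problem.
func encryptPayload(pub *rsa.PublicKey, user string, ttl time.Duration) ([]byte, error) {
	pt, err := json.Marshal(payload{User: user, Expires: time.Now().Add(ttl).Unix()})
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, pt, nil)
}

// acceptVulnerable models the flawed check: "it decrypted under my private
// key, so I must have issued it". Successful decryption proves nothing about origin.
func acceptVulnerable(priv *rsa.PrivateKey, cookie []byte) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, priv, cookie, nil)
	if err != nil {
		return "", errors.New("cookie did not decrypt")
	}
	var p payload
	if err := json.Unmarshal(pt, &p); err != nil {
		return "", err
	}
	if time.Now().Unix() > p.Expires {
		return "", errors.New("cookie expired")
	}
	return p.User, nil
}

const tagLen = sha256.Size

// tag computes HMAC-SHA256 over the ciphertext with a key that never leaves the gateway.
func tag(secret, ct []byte) []byte {
	m := hmac.New(sha256.New, secret)
	m.Write(ct)
	return m.Sum(nil)
}

// issueHardened is encrypt-then-MAC: the client gets ciphertext plus a tag it cannot compute.
func issueHardened(pub *rsa.PublicKey, secret []byte, user string, ttl time.Duration) ([]byte, error) {
	ct, err := encryptPayload(pub, user, ttl)
	if err != nil {
		return nil, err
	}
	return append(ct, tag(secret, ct)...), nil
}

// acceptHardened verifies origin (constant-time tag compare) before it decrypts anything.
func acceptHardened(priv *rsa.PrivateKey, secret, cookie []byte) (string, error) {
	if len(cookie) <= tagLen {
		return "", errors.New("cookie too short")
	}
	ct, got := cookie[:len(cookie)-tagLen], cookie[len(cookie)-tagLen:]
	if !hmac.Equal(got, tag(secret, ct)) {
		return "", errors.New("cookie was not issued by this gateway")
	}
	return acceptVulnerable(priv, ct)
}

// Result records how each gateway model treated the attacker's cookies.
type Result struct {
	VulnerableAcceptedForgery bool
	VulnerableUser            string
	HardenedAcceptedForgery   bool
	HardenedAcceptedLegit     bool
}

// demo forges a cookie from the public half of the key alone and tries it against both models.
func demo() (Result, error) {
	var r Result
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // stands in for the portal certificate
	if err != nil {
		return r, err
	}
	pub := &priv.PublicKey // exactly what a TLS handshake gives every client

	forged, err := encryptPayload(pub, "admin", time.Hour) // attacker never logged in
	if err != nil {
		return r, err
	}
	r.VulnerableUser, err = acceptVulnerable(priv, forged)
	r.VulnerableAcceptedForgery = err == nil

	secret := make([]byte, 32) // gateway-held MAC key, never sent to clients
	if _, err := rand.Read(secret); err != nil {
		return r, err
	}
	bogus := append(forged, tag([]byte("attacker-guess"), forged)...) // wrong key, wrong tag
	_, err = acceptHardened(priv, secret, bogus)
	r.HardenedAcceptedForgery = err == nil

	legit, err := issueHardened(pub, secret, "alice", time.Hour)
	if err != nil {
		return r, err
	}
	_, err = acceptHardened(priv, secret, legit)
	r.HardenedAcceptedLegit = err == nil
	return r, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

Note what the two mitigations in the advisory do to this picture. A dedicated, never-served certificate keeps the public key out of the TLS handshake, so the attacker has nothing to encrypt with; that closes the exposure but still relies on a public key staying secret. Disabling authentication override removes the cookie path entirely. The robust design, as in the hardened functions above, is an authenticity check under a key only the gateway holds, so that publishing the certificate costs nothing.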

Proof-of-Concept Exploit Demonstrates Real-World Risk

To let defenders validate their mitigations, researchers at Rapid7 Labs released a working proof-of-concept exploit. The script retrieves the certificate chain presented by a reachable GlobalProtect portal and generates forged cookies from the extracted public key. In tests against unpatched systems, the method proved consistently effective.

In the incidents analyzed by Rapid7, affected appliances accepted the forged cookies and assigned the attackers internal IP addresses, giving them a VPN session directly inside the corporate network. No lateral movement into downstream systems had been confirmed as of May 29, 2026, but the potential impact remains critical: an attacker holds the full privileges of whichever account the cookie names.

Patches and Mitigation Options Available

Palo Alto Networks has released fixed versions of PAN-OS. The fixes are included in 12.1.7, 11.2.12, 11.1.15 and 10.2.18-h6, as well as all later releases. The vendor notes that after the update, existing authentication override cookies are invalidated and reissued, so end users must authenticate once more.

For environments where the update cannot be deployed immediately, two administrative mitigations are available. The most effective temporary workaround is to disable both the generation and the acceptance of authentication override cookies in the GlobalProtect portal and gateway settings. The trade-off is that users then complete the full login, including any multi-factor step, on every connection.

Alternatively, administrators can generate a dedicated certificate used exclusively for cookie encryption. This certificate must not be shared with any HTTPS service and can be a self-signed certificate created directly on the firewall, so that its public key is never presented to clients over the web.

Security Governance and Risk Management Implications

The exploitation of a VPN perimeter vulnerability has significant implications for IT governance, security operations, and enterprise risk management.

VPN gateways now represent a primary attack surface, as they act as the direct bridge between public internet traffic and internal enterprise infrastructure. Security governance frameworks must therefore treat certificate management and authentication token handling as strategic controls rather than operational details.

Organizations are advised to enforce strict compliance policies prohibiting certificate reuse across services. Security teams should also implement continuous monitoring of VPN session logs to detect anomalous cookie-based authentications without preceding credential verification.

From a strategic risk perspective, enterprises are urged to reassess perimeter security assumptions in 2026 and move toward Zero Trust architectures. This ensures that a compromised VPN gateway does not automatically translate into unrestricted access to internal systems.

Lisa Löw


Junior Editor

it-daily.net
