
Palo Alto Warns of Critical PAN-OS Attacks

Unit 42 and Rapid7 track active exploitation of a GlobalProtect authentication bypass now in CISA’s KEV catalog.

Researchers with Palo Alto Networks are warning of active attacks targeting the company’s PAN-OS software.

The networking giant’s Unit 42 security team says threat actors in the wild have been exploiting an authentication bypass flaw in the GlobalProtect portal and gateway components on vulnerable PAN-OS firewalls. The company is advising affected organizations to update to a fixed PAN-OS version or apply the recommended mitigations.

Tracked as CVE-2026-0257, the flaw lets an unauthenticated attacker bypass security controls and establish an unauthorized VPN connection through GlobalProtect. In short, it lets an attacker circumvent the login process.

Just how bad it is depends on who you ask. NIST’s National Vulnerability Database rates the bug 9.1 — critical. Palo Alto, which assigned the CVE, scores it 7.8, or high, and NVD notes the two don’t match. Rapid7, which tracked the attacks, points out the flaw was originally tagged a middling 4.7 and argues organizations should treat it as critical anyway, given where it sits.

Out of the PAN-OS and into the fire

According to Unit 42, the impact of the attacks has so far been limited.

“No post-access behavior or lateral movement has been identified as of this time,” the researchers said.

Only a small portion of probed devices established a VPN session, Unit 42 said, producing gateway-connected events. Rapid7 said that among the customers it tracked, the appliance accepted a forged cookie without a full VPN session in eight of ten cases, and the firm saw no successful lateral movement off the devices. That said, in a second wave of attacks Rapid7 did observe intruders pulling a VPN IP address and reaching the internal network — so “limited” is not the same as “harmless.”

Authentication bypass flaws don’t always rank as worst-case bugs in ordinary software. But on the edge of the network they mean something else entirely: on a firewall or VPN gateway, a login bypass is a serious risk because it puts an attacker inside the remote-access path. A successful exploit here ends with a session established without authentication through GlobalProtect.

While Palo Alto and Unit 42 are advising all customers to update their firmware to a fixed version of PAN-OS, there are some factors that determine whether a device is actually exposed.

Recipe for a hack

Palo Alto says that for the flaw to be exploitable, two things have to be true: the appliance has to be configured to generate or accept cookies for authentication override in the GlobalProtect portal or gateway settings, and it has to reuse the same certificate for those cookies that it uses elsewhere, such as for its HTTPS service. With that combination in place, an attacker can lift the public key from the certificate and forge valid override cookies.

Should authentication override not be enabled, the device will not be vulnerable to the attacks observed in the wild thus far. Organizations that can’t patch right away have two other options Palo Alto recommends: generate a dedicated certificate used only for authentication override cookies, or switch authentication override off entirely. Rapid7 has also published a proof-of-concept script defenders can run to check whether an appliance is exposed.
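The two exposure conditions above, and the two recommended mitigations, can be checked mechanically against a configuration export. The following is an added example, not Rapid7's script or Palo Alto's tooling; the XML element names (`authentication-override`, `cookie-encrypt-decrypt-cert`, `ssl-tls-service-profile`) are a constructed, simplified stand-in for illustration and are not claimed to match the real PAN-OS export schema.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified config export for illustration; the element names are
# an assumed stand-in, not PAN-OS's real export schema.
SAMPLE_CONFIG = """<config>
 <shared><ssl-tls-service-profile>
  <entry name="mgmt-https"><certificate>fw-default-cert</certificate></entry>
 </ssl-tls-service-profile></shared>
 <global-protect>
  <portal><entry name="gp-portal"><authentication-override>
   <generate-cookie>yes</generate-cookie><accept-cookie>yes</accept-cookie>
   <cookie-encrypt-decrypt-cert>fw-default-cert</cookie-encrypt-decrypt-cert>
  </authentication-override></entry></portal>
  <gateway>
   <entry name="gw-dedicated"><authentication-override>
    <accept-cookie>yes</accept-cookie>
    <cookie-encrypt-decrypt-cert>gp-cookie-only-cert</cookie-encrypt-decrypt-cert>
   </authentication-override></entry>
   <entry name="gw-off"><authentication-override>
    <generate-cookie>no</generate-cookie><accept-cookie>no</accept-cookie>
   </authentication-override></entry>
  </gateway>
 </global-protect>
</config>"""

EXPOSED, MITIGATED, DISABLED = "exposed", "mitigated", "disabled"

def audit(config_xml: str = SAMPLE_CONFIG) -> dict:
    """Map each portal/gateway name to: 'disabled' (override off, not exposed),
    'mitigated' (override on but a dedicated cookie cert), or 'exposed'
    (override on AND the cookie cert is shared with another service)."""
    root = ET.fromstring(config_xml)
    # Certificates already serving other listeners (HTTPS profiles here).
    shared = {c.text for c in root.iterfind("./shared/ssl-tls-service-profile/entry/certificate")}
    verdicts = {}
    for kind in ("portal", "gateway"):
        for entry in root.iterfind(f"./global-protect/{kind}/entry"):
            ao = entry.find("authentication-override")
            override_on = ao is not None and any(
                ao.findtext(tag, "no") == "yes" for tag in ("generate-cookie", "accept-cookie"))
            if not override_on:
                verdicts[entry.get("name")] = DISABLED
            elif ao.findtext("cookie-encrypt-decrypt-cert") in shared:
                verdicts[entry.get("name")] = EXPOSED
            else:
                verdicts[entry.get("name")] = MITIGATED
    return verdicts

if __name__ == "__main__":
    for name, verdict in audit().items():
        print(f"{name}: {verdict}")
```

Only `gp-portal` comes back exposed: it both accepts override cookies and signs them with the same certificate the HTTPS profile uses, which is exactly the combination the advisory describes.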

That said, everyone running a PAN-OS appliance would be well advised to check for and install the latest firmware as a best practice. CISA added the bug to its Known Exploited Vulnerabilities catalog on May 29, setting a June 1 deadline for federal agencies to remediate. It never hurts to take precautions.


Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in cybersecurity.

Author

  • Shaun Nichols

    Shaun Nichols, Senior Editor at Security Point Break, is a veteran cybersecurity journalist who has spent nearly two decades covering the enterprise tech market—from the era of hard-drive iPods to the rise of Agentic AI. Formerly of The Register and TechTarget, Shaun is known for his sharp wit and deep technical dives into malware, ransomware, and the intersection of government policy and security. Follow him on X: @shaundnichols
