Palo Alto Warns of Exploitation of VPN Bypass Exploits (CVE-2026-0257) in PAN-OS Flaw

Security Affairs, Jun 15, 2026

Key Takeaways

  • CVE‑2026‑0257 lets attackers forge GlobalProtect VPN cookies to bypass login
  • Exploitation observed from Vultr and Dromatics hosting, using an identical MAC address
  • Patch requires PAN‑OS update or disabling authentication‑override cookies
  • Only configurations sharing HTTPS and cookie certificates are vulnerable
  • CISA added the flaw to KEV catalog, flagging it high risk

Pulse Analysis

The discovery of CVE‑2026‑0257 highlights a growing trend where attackers target authentication mechanisms rather than brute‑forcing credentials. VPN solutions like Palo Alto’s GlobalProtect are prized for remote‑access security, yet they become a single point of failure when cryptographic components are misused. By reusing the same certificate for both HTTPS and cookie encryption, organizations unintentionally expose a deterministic path for adversaries to craft valid authentication tokens, effectively sidestepping traditional login controls.

Rapid7’s forensic analysis revealed two coordinated exploitation campaigns in May 2026. Both waves leveraged forged cookies to impersonate the local admin account, with initial traffic traced to cloud providers Vultr and Dromatics. A consistent spoofed MAC address suggested a single threat actor orchestrating the attacks. While only a minority of compromised devices established full VPN sessions, the ability to gain any internal network foothold is a serious concern, prompting immediate detection and response efforts across affected enterprises.

Mitigation now centers on patching PAN‑OS to the fixed release or, as a temporary measure, disabling the authentication‑override feature and separating certificates for HTTPS and cookie encryption. Organizations should also hunt for the published indicators of compromise, review GlobalProtect logs for anomalous logins, and enforce strict certificate management policies. The inclusion of CVE‑2026‑0257 in the U.S. CISA KEV catalog signals heightened regulatory attention, urging firms to prioritize remediation to prevent similar authentication‑bypass exploits from undermining their network perimeter.
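As an added example (not code from the article, Palo Alto or Rapid7), the log hunt described above run over constructed GlobalProtect-style login records; the CSV layout, field names and the `admin` account name are assumptions, not the real PAN-OS export format:

```python
import csv
import io
from collections import defaultdict

# Constructed sample records in an assumed simplified CSV layout.
# The real PAN-OS GlobalProtect log export has a different schema.
SAMPLE_LOG = """time,user,src_ip,client_mac,auth_method,event
2026-05-03T02:11:09Z,admin,203.0.113.10,00:11:22:33:44:55,cookie,login-success
2026-05-03T02:15:41Z,admin,198.51.100.7,00:11:22:33:44:55,cookie,login-success
2026-05-03T08:02:00Z,jdoe,192.0.2.25,aa:bb:cc:dd:ee:01,ldap,login-success
2026-05-04T11:30:12Z,jdoe,192.0.2.25,aa:bb:cc:dd:ee:01,cookie,login-success
2026-05-04T11:31:00Z,jdoe,192.0.2.25,aa:bb:cc:dd:ee:01,cookie,logout
"""

# Assumed name of the local (non-directory) administrator account.
LOCAL_ADMIN_ACCOUNTS = {"admin"}


def parse_log(text):
    """Parse the CSV text into a list of dict records."""
    return list(csv.DictReader(io.StringIO(text)))


def find_suspicious_logins(records):
    """Return (time, user, src_ip, reasons) for logins matching the two
    patterns the article describes: a local admin authenticating via an
    authentication-override cookie, and one client MAC appearing from
    several different source IPs (a reused/spoofed MAC)."""
    successes = [r for r in records if r["event"] == "login-success"]

    # First pass: which source IPs has each client MAC been seen from?
    ips_by_mac = defaultdict(set)
    for r in successes:
        ips_by_mac[r["client_mac"]].add(r["src_ip"])

    findings = []
    for r in successes:
        reasons = []
        if r["auth_method"] == "cookie" and r["user"] in LOCAL_ADMIN_ACCOUNTS:
            reasons.append("local admin login via auth-override cookie")
        if len(ips_by_mac[r["client_mac"]]) > 1:
            reasons.append("client MAC seen from multiple source IPs")
        if reasons:
            findings.append((r["time"], r["user"], r["src_ip"], reasons))
    return findings


if __name__ == "__main__":
    for hit in find_suspicious_logins(parse_log(SAMPLE_LOG)):
        print(hit)
```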
