
Palo Alto GlobalProtect VPN Auth Bypass Flaw Now Exploited in Attacks
Why It Matters
The flaw provides a shortcut into corporate networks, bypassing credential checks and exposing sensitive data. Prompt patching is essential for enterprises and federal agencies to prevent network breaches.
Key Takeaways
- CVE‑2026‑0257 enables forged authentication‑override cookies for VPN access
- Exploitation observed since May 17, 2026 across multiple customers
- Attackers reuse the HTTPS certificate's public key to create valid forged cookies
- CISA mandates patching by June 1, 2026 for federal systems
Pulse Analysis
The GlobalProtect VPN solution from Palo Alto Networks is a staple for enterprises seeking secure remote‑access connectivity. Its authentication‑override feature, designed to simplify admin logins, relies on cookies that are decrypted with a private key stored on the appliance. The design oversight is that the decrypted content is trusted without any signature or integrity check: decryption only proves that the cookie was encrypted to the appliance's public key, not that the appliance issued it. When the same X.509 certificate is shared between the HTTPS service and the override function, anyone who connects over HTTPS receives that public key in the TLS handshake and can use it to encrypt a cookie of their own choosing, which the appliance then decrypts and accepts. This combination of a missing authenticity check and a shared certificate turns a routine convenience into a gateway for unauthorized network entry.
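The failure mode described above, as an added example that is not Palo Alto's code and does not reproduce the PAN‑OS cookie format: a toy RSA key pair (tiny primes, illustration only), a cookie validator that decrypts and trusts whatever parses, an attacker who holds nothing but the public key, and a hardened validator that additionally checks an HMAC under a secret that never leaves the appliance. The cookie layout, the field names and the secret are all assumptions made for the example; a signature under a key that is never shared with the HTTPS listener would serve the same purpose as the HMAC.

```python
import hashlib
import hmac
import json

# --- Toy RSA with tiny primes: illustration only, trivially breakable ---
P, Q = 61, 53
N = P * Q                          # modulus, published in the certificate
E = 17                             # public exponent, also published
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (2753), appliance only


def rsa_encrypt(pub_n, pub_e, data: bytes):
    """Encrypt one byte per block. Anyone holding the public key can do this."""
    return [pow(b, pub_e, pub_n) for b in data]


def rsa_decrypt(priv_n, priv_d, blocks):
    """Decrypt with the private key that is held only by the appliance."""
    return bytes(pow(c, priv_d, priv_n) for c in blocks)


# --- Vulnerable design: decrypt, then trust whatever parses ---
def validate_cookie_vulnerable(cookie_blocks):
    try:
        payload = json.loads(rsa_decrypt(N, D, cookie_blocks))
    except ValueError:             # bad UTF-8 or bad JSON
        return None
    return payload.get("user")     # no proof the appliance minted this


# --- Hardened design: decrypt, then verify an authenticator the attacker
#     cannot compute. The MAC secret is a constructed placeholder. ---
COOKIE_MAC_SECRET = b"server-only-secret-never-in-a-certificate"
TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def issue_cookie_hardened(user: str):
    """Only the appliance can do this: it alone holds COOKIE_MAC_SECRET."""
    payload = json.dumps({"user": user}).encode()
    tag = hmac.new(COOKIE_MAC_SECRET, payload, hashlib.sha256).digest()
    return rsa_encrypt(N, E, payload + tag)


def validate_cookie_hardened(cookie_blocks):
    plain = rsa_decrypt(N, D, cookie_blocks)
    if len(plain) <= TAG_LEN:
        return None
    payload, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(COOKIE_MAC_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    try:
        return json.loads(payload).get("user")
    except ValueError:
        return None


# --- Attacker: knows only (N, E), harvested from the shared HTTPS certificate ---
def attacker_forge(target_user: str):
    forged = json.dumps({"user": target_user}).encode()
    return rsa_encrypt(N, E, forged)       # encrypts fine; nothing to sign with


def demo():
    forged = attacker_forge("admin")
    return {
        "vulnerable_accepts_forgery": validate_cookie_vulnerable(forged),
        "hardened_accepts_forgery": validate_cookie_hardened(forged),
        "hardened_accepts_genuine": validate_cookie_hardened(
            issue_cookie_hardened("alice")),
    }


if __name__ == "__main__":
    print(demo())
```

The point the example makes is that confidentiality and authenticity are separate properties: the private key proves that only the appliance can read the cookie, but says nothing about who wrote it. Separating the HTTPS certificate from the override certificate removes the attacker's easy route to the public key; adding an authenticator the attacker cannot produce fixes the design regardless of how the keys are deployed.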
Rapid7’s threat‑intel team first spotted active exploitation on May 17, 2026, noting that adversaries were targeting unpatched PAN‑OS devices hosted on cloud providers such as Vultr and Dromatics Systems. By generating forged authentication‑override cookies, the attackers could establish VPN tunnels that bypassed credential checks, granting limited internal network visibility. While many attempts stalled before a full session could be established, the mere ability to breach the perimeter raises alarm for organizations that rely on GlobalProtect for segmentation. Palo Alto’s advisory now rates the flaw as High severity and urges immediate patching, disabling the override feature, or separating certificates.
The episode underscores a broader lesson: reusing a certificate across disparate services amplifies risk, especially when one service hands out the public half of the key pair to every client while another treats anything decryptable with the private half as trustworthy. Security teams should audit VPN appliances for overlapping certificate usage and enforce strict key‑management policies, with a dedicated key pair for each function that relies on it. Moreover, the inclusion of CVE‑2026‑0257 in the CISA Known Exploited Vulnerabilities catalog accelerates compliance pressure on federal agencies, with a June 1, 2026 deadline for remediation. Enterprises that adopt a proactive patch cadence, coupled with continuous monitoring for anomalous VPN logins, will mitigate not only this specific vector but also future credential‑bypass exploits.