Active Exploitation of GlobalProtect Auth Bypass CVE-2026-0257

Palo Alto Networks warns CVE-2026-0257 is being exploited: an authentication bypass in PAN‑OS GlobalProtect that can let attackers create unauthorized VPN sessions.

Palo Alto Networks has warned that CVE-2026-0257, a medium-severity authentication bypass in PAN‑OS GlobalProtect, is being actively exploited. The company assigned the flaw a CVSS score of 7.8 and said it affects firewalls with a GlobalProtect portal or gateway when authentication override cookies are enabled and a specific certificate configuration is present. In a May 13 advisory Palo Alto Networks wrote the flaw could ‘allow the attacker to bypass security restrictions and establish an unauthorized VPN connection.’ In an update on May 29 the vendor said it had become aware of limited exploit attempts on unpatched PAN‑OS devices without mitigations applied.

Security firm Rapid7 reported successful exploitation across multiple customers, with activity beginning on May 17 and a second wave on May 21. Rapid7 assessed both sets of activity to be the work of the same threat actor. Investigators observed VPN IP assignment after cookie authentication in two cases during the second wave, which granted the attacker access to internal networks; Rapid7 noted there was no observed follow-on activity in those customer environments. Rapid7 warned that ‘an authentication bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations’ and urged affected organizations to install vendor-supplied patches urgently.

Palo Alto Networks and responders have issued remediation guidance. The vendor lists its patch as the primary fix. As temporary mitigations, administrators can disable the authentication override feature or generate a new certificate dedicated to the authentication override function to reduce exposure while patches are deployed. Organizations should check whether authentication override cookies are in use and whether the certificate configuration described by the vendor is present, and apply the available patches.
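To make the "check for authentication override cookie usage and the certificate configuration" step concrete, here is an added audit script. It is not code from Palo Alto Networks or Rapid7, and the XML layout it walks (an `authentication-override` block with `generate-cookie`, `accept-cookie` and `cookie-encrypt-decrypt-cert` children under a portal or gateway agent config, and `ssl-tls-service-profile` entries naming a `certificate`) is this example's assumption about an exported PAN-OS running configuration, not vendor documentation; the sample configuration is constructed. It reports every override block, whether cookie generation or acceptance is on, which certificate it uses, and whether that certificate is also used by a TLS service profile rather than being dedicated to the override function as the vendor's mitigation recommends.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample of an exported configuration. Element names follow the
# layout assumed by this example, so verify them against a real export.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <ssl-tls-service-profile><entry name="gp-tls">
      <certificate>portal-cert</certificate>
    </entry></ssl-tls-service-profile>
    <global-protect>
      <global-protect-portal><entry name="gp-portal">
        <client-config><configs><entry name="default-agent">
          <authentication-override>
            <generate-cookie>yes</generate-cookie>
            <accept-cookie>yes</accept-cookie>
            <cookie-encrypt-decrypt-cert>portal-cert</cookie-encrypt-decrypt-cert>
          </authentication-override>
        </entry></configs></client-config>
      </entry></global-protect-portal>
      <global-protect-gateway><entry name="gp-gateway">
        <client-auth><entry name="default">
          <authentication-override>
            <accept-cookie>no</accept-cookie>
          </authentication-override>
        </entry></client-auth>
      </entry></global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""


@dataclass
class OverrideFinding:
    location: str          # names of the enclosing entries, outermost first
    generate_cookie: bool  # portal/gateway issues override cookies
    accept_cookie: bool    # portal/gateway accepts override cookies
    cert: Optional[str]    # certificate used to encrypt/decrypt cookies
    cert_shared: bool      # same certificate also serves a TLS profile


def _is_yes(el: ET.Element, tag: str) -> bool:
    child = el.find(tag)
    return child is not None and (child.text or "").strip().lower() == "yes"


def tls_profile_certs(root: ET.Element) -> Set[str]:
    """Certificates referenced by SSL/TLS service profiles (assumed layout)."""
    certs = set()
    for profile in root.iter("ssl-tls-service-profile"):
        for entry in profile.findall("entry"):
            cert = entry.find("certificate")
            if cert is not None and cert.text:
                certs.add(cert.text.strip())
    return certs


def audit_auth_override(config_xml: str) -> List[OverrideFinding]:
    """List every authentication-override block and its cookie/cert settings."""
    root = ET.fromstring(config_xml)
    shared_certs = tls_profile_certs(root)
    # ElementTree has no parent pointers; build a child -> parent map once.
    parent = {child: node for node in root.iter() for child in node}
    findings = []
    for ao in root.iter("authentication-override"):
        names = []
        node = ao
        while node in parent:  # climb to the root, collecting entry names
            node = parent[node]
            if node.tag == "entry" and node.get("name"):
                names.append(node.get("name"))
        cert_el = ao.find("cookie-encrypt-decrypt-cert")
        cert = cert_el.text.strip() if cert_el is not None and cert_el.text else None
        findings.append(OverrideFinding(
            location="/".join(reversed(names)),
            generate_cookie=_is_yes(ao, "generate-cookie"),
            accept_cookie=_is_yes(ao, "accept-cookie"),
            cert=cert,
            cert_shared=cert is not None and cert in shared_certs,
        ))
    return findings


def exposed(findings: List[OverrideFinding]) -> List[OverrideFinding]:
    """Blocks with cookie auth enabled whose cert is not dedicated to it."""
    return [f for f in findings
            if (f.generate_cookie or f.accept_cookie) and f.cert_shared]


if __name__ == "__main__":
    results = audit_auth_override(SAMPLE_CONFIG)
    for f in results:
        print(f"{f.location}: generate={f.generate_cookie} accept={f.accept_cookie} "
              f"cert={f.cert} shared={f.cert_shared}")
    for f in exposed(results):
        print(f"REVIEW: {f.location} uses cookie auth with a shared certificate")
```

Run it against a real export (for example `audit_auth_override(open("running-config.xml").read())`) and treat every entry returned by `exposed()` as a candidate for the vendor's interim mitigation (disable the override, or move it to a dedicated certificate) until the patch is installed; a block that only sets `accept-cookie` to `no` and names no certificate, like the sample gateway, is reported but not flagged.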

The exploitation of CVE-2026-0257 comes amid other attacks targeting remote access and endpoint management infrastructure. Security firm Arctic Wolf reported ongoing weaponization of a critical, now-patched FortiClient Endpoint Management Server vulnerability, CVE-2026-35616, which has been used to deliver credential‑stealing malware called EKZ Infostealer.

Palo Alto Networks and Rapid7 have published technical indicators and mitigation guidance for administrators to review.