A high-severity authentication bypass vulnerability in Palo Alto Networks' GlobalProtect VPN is being actively exploited in the wild, with confirmed intrusion attempts against multiple organizations recorded as early as May 17, 2026. Tracked as CVE-2026-0257, the flaw allows unauthenticated attackers to forge authentication cookies and establish fully functional VPN sessions - effectively walking through a front door that should require a key. The U.S. Cybersecurity and Infrastructure Security Agency has added the vulnerability to its Known Exploited Vulnerabilities catalog, signaling that the threat is neither theoretical nor contained.
What the Vulnerability Does and How Attackers Are Using It
The flaw resides in the GlobalProtect portal and gateway components of PAN-OS, the operating system underpinning Palo Alto's firewall and network security appliances. At its core, the issue involves improper handling of authentication override cookies - a feature designed to streamline the login experience for returning VPN users by allowing the system to remember and automatically validate previously authenticated sessions.
When that feature is enabled and the same certificate is reused across multiple services, attackers can obtain the public key associated with that certificate and use it to craft cookies that the system accepts as legitimate. The critical failure is that decrypted cookie data is not cryptographically verified after decryption, meaning the system trusts the contents without confirming their integrity or origin. An attacker supplying a carefully constructed HTTP POST request to the /ssl-vpn/login.esp endpoint can authenticate as an arbitrary user, then make follow-on requests to endpoints such as /ssl-vpn/getconfig.esp and /ssl-vpn/hipreport.esp to complete and sustain a VPN session.
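The root condition described above, decrypting a cookie and trusting whatever comes out, is shown below in a constructed Python example that is not PAN-OS or GlobalProtect code. The cipher is a toy SHA-256 counter-mode keystream assumed for illustration; the point is the contrast between a verifier that parses decrypted claims directly and one that checks an HMAC under a key used for nothing else before it decrypts anything.

```python
import hashlib
import hmac
import json
import secrets

# Toy counter-mode keystream built from SHA-256 (constructed for illustration;
# it is not the appliance's cookie cipher and provides no integrity on its own).
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def _encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))

# Weak pattern: the cookie is decrypted and its claims are trusted as-is.
def seal_unauthenticated(enc_key: bytes, claims: dict) -> bytes:
    nonce = secrets.token_bytes(16)
    return nonce + _encrypt(enc_key, nonce, json.dumps(claims).encode())

def open_unauthenticated(enc_key: bytes, cookie: bytes) -> dict:
    nonce, body = cookie[:16], cookie[16:]
    return json.loads(_encrypt(enc_key, nonce, body))  # no integrity check at all

# Hardened pattern: encrypt-then-MAC under a dedicated key; the tag is compared in
# constant time and the cookie is rejected before any decryption or parsing happens.
def seal_authenticated(enc_key: bytes, mac_key: bytes, claims: dict) -> bytes:
    body = seal_unauthenticated(enc_key, claims)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_authenticated(enc_key: bytes, mac_key: bytes, cookie: bytes):
    body, tag = cookie[:-32], cookie[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None  # reject: the cookie was not produced under our MAC key
    return open_unauthenticated(enc_key, body)

def demo() -> tuple:
    """Return (claims the weak verifier accepts after tampering, hardened verdict)."""
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    claims = {"user": "alice"}
    # Alter one bit of ciphertext; a stream cipher passes that change straight
    # through to the plaintext byte underneath (here the first letter of the name).
    pos = 16 + json.dumps(claims).index("alice")
    weak = bytearray(seal_unauthenticated(enc_key, claims))
    weak[pos] ^= 0x20
    hard = bytearray(seal_authenticated(enc_key, mac_key, claims))
    hard[pos] ^= 0x20
    return open_unauthenticated(enc_key, bytes(weak)), open_authenticated(enc_key, mac_key, bytes(hard))
```

The weak verifier returns altered claims without any error, while the hardened one returns None for the same alteration; only a cookie sealed under the server's own MAC key is ever decrypted.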
Researchers from Rapid7 observed exploitation attempts across multiple organizations within a narrow window, suggesting coordinated or tool-assisted scanning rather than isolated incidents. Unit 42, Palo Alto's threat intelligence arm, noted that only a subset of targeted devices resulted in confirmed "gateway-connected" events, pointing to opportunistic probing rather than a fully targeted campaign - at least in the early phase.
The vulnerability was initially scored at 4.7 under the Common Vulnerability Scoring System, placing it in the medium-severity band. That rating was subsequently revised to 7.8, reflecting both the confirmed exploitation activity and the inherently sensitive position VPN edge devices occupy in enterprise architecture. VPN gateways sit at the perimeter between the public internet and internal corporate networks; a successful authentication bypass at this layer does not merely compromise a single endpoint - it can hand an attacker a credentialed position inside the network.
Why Edge Device Vulnerabilities Carry Outsized Risk
The significance of this vulnerability extends beyond the technical specifics of cookie handling. VPN concentrators and firewall appliances have become a preferred target class for sophisticated threat actors over the past several years, for reasons that are structural rather than coincidental. These devices are, by design, exposed to the internet. They process authentication at scale. And they are frequently under-monitored compared to endpoints inside the network, partly because security teams have historically assumed the perimeter layer to be hardened.
Authentication bypass flaws are particularly damaging in this context. Most network intrusion detection assumes that an authenticated VPN session represents a known, trusted user. Traffic flowing through an established VPN tunnel receives a degree of implicit trust that traffic arriving from unknown external sources does not. An attacker who successfully establishes such a session may be able to reach internal resources, move between network segments, or conduct reconnaissance with considerably less friction than an attacker probing from outside the perimeter entirely.
The fact that no widespread post-exploitation or lateral movement has been confirmed yet does not reduce urgency. In many documented intrusion campaigns, initial access is established and then left dormant - sometimes for weeks - before active exploitation resumes. The absence of observed follow-on activity in the current wave is not assurance; it may simply reflect the current stage of the campaign.
Detection Indicators and What Security Teams Should Look For
Unit 42 has published indicators of compromise that organizations can use to assess whether their environments have been targeted. Defenders should treat these as a starting point for log analysis, not an exhaustive list.
Suspicious authentication patterns to flag in GlobalProtect logs include:
- Login events featuring empty domain fields
- Hardcoded or generic client operating system values, particularly "Windows 10" appearing uniformly across sessions
- Generic or anomalous hostnames such as WINDOWS-LAPTOP-001, DESKTOP-GP01, or GP-CLIENT
- MAC addresses that appear fabricated or repeat across sessions, including aa:bb:cc:dd:ee:ff and 00:11:22:33:44:55
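The indicators listed above, applied to a small batch of log records, as an added example that is not part of the original advisory. The records are constructed in a simplified key=value layout whose field names are assumptions, not the real GlobalProtect log format; the batch is evaluated as a whole so that the "repeats across sessions" style indicators can be checked, not just per-line string matches.

```python
import re
from collections import Counter

# Constructed sample records in a simplified key=value form; field names and layout
# are assumptions for illustration, not PAN-OS's real GlobalProtect log format.
SAMPLE_LOGS = [
    'event=login user=alice domain=corp client_os="Windows 11" hostname=LT-ALICE mac=3c:22:fb:1a:9e:42',
    'event=login user=bob domain= client_os="Windows 10" hostname=WINDOWS-LAPTOP-001 mac=aa:bb:cc:dd:ee:ff',
    'event=login user=svc_backup domain= client_os="Windows 10" hostname=GP-CLIENT mac=00:11:22:33:44:55',
    'event=login user=carol domain=corp client_os="macOS 14" hostname=MBP-CAROL mac=f0:18:98:5c:aa:01',
]

# Indicator values from the published list.
GENERIC_HOSTNAMES = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
FABRICATED_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
GENERIC_OS = "Windows 10"

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')

def parse_record(line: str) -> dict:
    """Split one key=value record; quoted values may contain spaces, empty values are kept."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def scan_logs(lines) -> dict:
    """Map record index -> list of matched indicators for the whole batch."""
    records = [parse_record(line) for line in lines]
    mac_count = Counter(r.get("mac", "").lower() for r in records)
    os_count = Counter(r.get("client_os", "") for r in records)
    findings = {}
    for i, r in enumerate(records):
        reasons = []
        if r.get("domain", "") == "":
            reasons.append("empty domain field")
        os_name = r.get("client_os", "")
        if os_name == GENERIC_OS and os_count[os_name] > 1:
            reasons.append(f"generic client OS '{os_name}' shared across {os_count[os_name]} sessions")
        host = r.get("hostname", "").upper()
        if host in GENERIC_HOSTNAMES:
            reasons.append(f"generic hostname {host}")
        mac = r.get("mac", "").lower()
        if mac in FABRICATED_MACS:
            reasons.append(f"fabricated MAC {mac}")
        elif mac and mac_count[mac] > 1:
            reasons.append(f"MAC {mac} repeated across {mac_count[mac]} sessions")
        if reasons:
            findings[i] = reasons
    return findings
```

A single hit on one indicator is weak evidence on its own; records that match several at once, as the two constructed sessions here do, are the ones worth escalating first.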
Known attacker IP addresses associated with this campaign have been published as defanged values, suitable for import into threat intelligence platforms, SIEM environments, or blocklists.
Palo Alto's own tooling can assist in detection and exposure management. Cortex XDR and XSIAM are capable of identifying malicious activity associated with the vulnerability, while Cortex Xpanse can surface publicly exposed GlobalProtect portals and gateways, allowing organizations to assess and reduce their external attack surface before an intrusion occurs. Advanced URL Filtering adds an additional layer of blocking capability against malicious traffic patterns tied to this campaign.
Remediation Steps and Immediate Mitigations
Palo Alto Networks has released fixed PAN-OS versions and strongly recommends that all affected organizations patch without delay. Given that proof-of-concept exploit code is publicly available, the window between patch release and widespread exploitation attempts tends to be short - organizations that delay patching are increasing their exposure with each passing day.
For environments where immediate patching is not operationally feasible, two interim mitigations are available:
- Disable the authentication override cookie feature entirely until the fix can be applied
- If the feature must remain active, ensure that a dedicated certificate - used exclusively for cookie encryption and decryption - is deployed, rather than sharing a certificate across services
The second mitigation directly addresses the root condition that makes exploitation possible. Certificate reuse across services is the mechanism that gives attackers access to a public key they can weaponize; isolating the cookie certificate removes that avenue.
Security teams should also initiate active threat hunting regardless of whether suspicious log entries have been identified. Given the opportunistic nature of the scanning activity observed so far, organizations with exposed GlobalProtect instances should assume they have been probed and work backward from that premise. Any confirmed suspicious VPN connection should trigger a full incident response procedure, including session termination, credential rotation, and an audit of internal access logs for the duration of the potential exposure window.
The broader lesson embedded in CVE-2026-0257 is not unique to this vendor or this product. Authentication mechanisms that rely on unverified trust - whether cookie data accepted without signature validation, tokens that are decrypted but not authenticated, or certificates shared promiscuously across services - create systemic brittleness at exactly the layer where enterprise security depends most on reliability. Fixing the immediate vulnerability is necessary; reviewing the architectural assumptions that made it exploitable is equally important.