
Palo Alto GlobalProtect VPN Flaw (CVE-2026-0257) Hits CISA's Must-Patch List — Attackers Already Inside Networks

York Computer

On May 29, 2026, CISA added CVE-2026-0257 — an authentication bypass in Palo Alto Networks' PAN-OS GlobalProtect VPN — to its Known Exploited Vulnerabilities catalog after security firm Rapid7 confirmed attackers were already using it to slip into customer networks without a valid password. If your business connects to the office or to cloud apps through a Palo Alto firewall (directly or through your IT provider's stack), this is the kind of flaw that turns the VPN into an open door — and the federal patch deadline is days away.

What actually happened

On May 29, 2026, CISA added CVE-2026-0257, a Palo Alto Networks PAN-OS GlobalProtect authentication bypass vulnerability under active exploitation, to its Known Exploited Vulnerabilities catalog, requiring U.S. federal civilian agencies to remediate it by the catalog deadline. Palo Alto Networks first disclosed the flaw on May 13, then updated the advisory on May 29 to confirm it was being exploited in the wild.

The technical mechanics matter because they explain why a password isn't enough to stop this one. CVE-2026-0257 enables a remote unauthenticated attacker to forge authentication override cookies and establish unauthorized VPN connections through the GlobalProtect gateway. The vulnerability exists in a non-default feature called "authentication override," which allows GlobalProtect portals and gateways to issue session cookies to authenticated users similar to a bearer token, so users don't need to re-authenticate each session. The flaw is triggered only when the certificate used to encrypt and decrypt these authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway. Because the decryption process performs no signature verification after decrypting the cookie, any attacker who can retrieve the public key from the exposed HTTPS certificate can forge a valid authentication cookie and bypass authentication entirely.

In plain English: the attacker doesn't steal a password, doesn't trigger MFA, and doesn't trip a failed-login alert. They just hand the firewall a forged cookie and the firewall lets them onto your internal network.

This isn't theoretical — attackers are already in

On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a medium severity authentication bypass affecting PAN-OS and Prisma Access when a specific configuration is present. Successful exploitation of this vulnerability allows a remote unauthenticated attacker to establish a VPN connection through the GlobalProtect gateway of an affected appliance. Rapid7 MDR identified successful exploitation across numerous customers; however, Rapid7 did not observe any indication of successful lateral movement from the devices. The earliest date for observed exploitation was May 17, 2026.

Rapid7 MDR observed a second wave of exploitation on May 21. Because the same client MAC address appeared in both waves, Rapid7 believes they are likely the work of the same threat actor, although the second wave of compromises originated from the hosting provider Dromatics Systems. In this wave, Rapid7 observed VPN IP assignment following the cookie authentication, granting the attacker access to the internal network.

The other piece worth noting: despite its medium CVSSv4 score, Rapid7 urges organizations to treat CVE-2026-0257 as a critical-priority vulnerability. An authentication bypass on an internet-facing enterprise VPN appliance represents a significant initial access vector, and with active exploitation confirmed and a public proof-of-concept script now available, the window for safe remediation is closing fast. Once a working PoC is public, mass scanning by lower-skilled criminal groups typically follows within days.

Does this affect my small business?

Most York County small businesses don't run a Palo Alto firewall themselves — but plenty of them sit behind one through a parent organization, a vendor, a co-working space, or an outsourced IT provider whose stack includes PAN-OS. If any of those apply, the question to ask is: "Is our GlobalProtect deployment in the vulnerable configuration, and is it patched?"

Affected products must have the authentication override feature enabled in either the GlobalProtect portal or gateway, and must reuse the authentication override cookie encryption and decryption certificate with another feature in order to be vulnerable. As a mitigation, affected products should either disable the authentication override feature or generate a new certificate to use exclusively for the authentication override feature. Key fixed versions include PAN-OS 12.1.4-h6 / 12.1.7, PAN-OS 11.2.12, PAN-OS 11.1.15, and PAN-OS 10.2.18-h6, among others.
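The two preconditions above (authentication override enabled, cookie certificate reused elsewhere) can be checked mechanically against an exported firewall configuration rather than by clicking through the GUI on every portal and gateway. The script below is an added example for this article, not Palo Alto Networks or York Computer code. It assumes the PAN-OS XML config schema as the author understands it (`authentication-override`, `generate-cookie`, `accept-cookie`, `cookie-encrypt-decrypt-cert`, and `ssl-tls-service-profile/.../certificate`); verify those element names against your own running-config export before trusting a clean result. The sample configuration inside it is constructed and shows the vulnerable shape (portal) next to the mitigated shape (gateway).

```python
"""Audit an exported PAN-OS configuration for the CVE-2026-0257 precondition.

Added example, not Palo Alto Networks or York Computer code. Element names are
assumed from the PAN-OS XML config schema; SAMPLE_CONFIG is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the portal reuses its public HTTPS certificate for the
# override cookie (vulnerable shape); the gateway uses a dedicated cookie cert.
SAMPLE_CONFIG = """<config>
 <shared><ssl-tls-service-profile>
  <entry name="gp-tls"><certificate>GP-Public-Cert</certificate></entry>
 </ssl-tls-service-profile></shared>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <global-protect>
   <global-protect-portal><entry name="GP-Portal">
    <portal-config><ssl-tls-service-profile>gp-tls</ssl-tls-service-profile></portal-config>
    <client-config><configs><entry name="default">
     <authentication-override>
      <generate-cookie>yes</generate-cookie>
      <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
      <cookie-encrypt-decrypt-cert>GP-Public-Cert</cookie-encrypt-decrypt-cert>
     </authentication-override>
    </entry></configs></client-config>
   </entry></global-protect-portal>
   <global-protect-gateway><entry name="GP-Gateway">
    <remote-user-tunnel-configs><entry name="default">
     <authentication-override>
      <generate-cookie>yes</generate-cookie>
      <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
      <cookie-encrypt-decrypt-cert>GP-Cookie-Only</cookie-encrypt-decrypt-cert>
     </authentication-override>
    </entry></remote-user-tunnel-configs>
   </entry></global-protect-gateway>
  </global-protect>
 </entry></vsys></entry></devices>
</config>"""


def walk(elem, path=""):
    """Yield (readable path, element) for every node, keeping entry names."""
    name = elem.get("name")
    here = f"{path}/{elem.tag}" + (f"[{name}]" if name else "")
    yield here, elem
    for child in elem:
        yield from walk(child, here)


def override_blocks(root):
    """Every authentication-override block with its enabled flags and cookie cert."""
    for path, el in walk(root):
        if el.tag != "authentication-override":
            continue
        generate = (el.findtext("generate-cookie") or "no").strip() == "yes"
        accept = el.find("accept-cookie") is not None  # assumption: present means enabled
        cert = (el.findtext("cookie-encrypt-decrypt-cert") or "").strip()
        yield path, generate, accept, cert


def other_uses(root, cert):
    """Paths where `cert` is referenced by anything other than cookie encryption
    (an SSL/TLS service profile, a certificate profile, a decryption policy...)."""
    return [path for path, el in walk(root)
            if el.tag != "cookie-encrypt-decrypt-cert" and (el.text or "").strip() == cert]


def audit(xml_text):
    """One finding per enabled override block; vulnerable_config is True when the
    cookie certificate is shared with another feature."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, generate, accept, cert in override_blocks(root):
        if not (generate or accept):
            continue  # feature off: not the vulnerable configuration
        shared = other_uses(root, cert)
        findings.append({"where": path, "cert": cert, "shared_with": shared,
                         "vulnerable_config": bool(shared)})
    return findings


def remediate(xml_text, dedicated_cert):
    """Advisory mitigation option 2: point every override block at a certificate
    used for nothing else. `dedicated_cert` must already exist on the firewall
    (generate it there first); this rewrites the exported XML for review only."""
    root = ET.fromstring(xml_text)
    for _, el in walk(root):
        if el.tag == "authentication-override":
            node = el.find("cookie-encrypt-decrypt-cert")
            if node is not None:
                node.text = dedicated_cert
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        flag = "VULNERABLE CONFIG" if f["vulnerable_config"] else "ok"
        print(f"{flag:18} {f['where']}  cert={f['cert']}  also used by={f['shared_with']}")
```

Run it against a real export (`show config running` saved as XML, or the XML API's config output) and any `VULNERABLE CONFIG` line is a portal or gateway that needs a fixed PAN-OS release, a dedicated cookie certificate, or the feature switched off. A clean run says nothing about whether the box was already exploited; that is the log hunt, not the config audit.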

If you're not on Palo Alto at all, this story still matters. The pattern — attackers targeting the VPN appliance itself rather than user passwords — is now standard playbook. SonicWall, Fortinet, Cisco, and Ivanti have all had similar flaws this year. Hardening, monitoring, and rapid patching of remote-access gear is one of the core jobs covered under York Computer's managed IT and cybersecurity services.

What your managed-IT provider should be doing this week

A competent MSP should already be running through this checklist for every client touching a Palo Alto firewall:

1. **Inventory.** Confirm whether any PAN-OS firewall or Prisma Access tenant is in scope, and on what version.
2. **Check the vulnerable configuration.** Verify whether "Generate cookie for authentication override" or "Accept cookie for authentication override" is enabled on the portal or gateway, and whether the cookie certificate is shared with the HTTPS service or any other feature.
3. **Patch or mitigate today.** Upgrade to a fixed PAN-OS release, or, until you can, either disable authentication override or move it to a freshly generated certificate used for nothing else. The CISA deadline for federal agencies is days away; private businesses shouldn't be slower than the government on an actively exploited bug.
4. **Hunt for prior compromise.** Pull GlobalProtect and authentication logs and look for VPN sessions established without a matching authentication success event, unusual source IPs, or unfamiliar client MAC addresses. Rapid7 observed VPN IP assignment and internal-network access following the cookie bypass in the second wave, so treat any such session as a foothold, not a failed attempt.
5. **Put MFA behind the VPN, not just on it.** This bug sidesteps the VPN's own login, MFA included, so require step-up authentication on sensitive internal resources to limit what a forged session can reach.
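Step 4 is the one most providers skip, so here is what the hunt looks like as code. This is an added example for this article, not Rapid7, Palo Alto Networks or York Computer tooling. It works over a constructed, simplified CSV whose column names (`event_id`, `status`, `auth_method`, `srcuser`, `public_ip`, `private_ip`, `machine_mac`) are assumptions; a real GlobalProtect log export has more columns and different names, and whether a cookie-based login produces a `gateway-auth` event at all depends on your PAN-OS version, so validate the "tunnel without auth success" heuristic against a known-good cookie login in your own logs before trusting it. The known-good address ranges and MAC inventory are likewise placeholders you must replace with your own.

```python
"""Hunt GlobalProtect logs for sessions that look like the CVE-2026-0257 bypass.

Added example, not vendor code. Column names, KNOWN_RANGES, KNOWN_MACS and the
SAMPLE_LOG are all constructed/assumed; adapt them to your own export.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # assumption: your users' usual egress
KNOWN_MACS = {"AA:BB:CC:00:00:01"}                         # assumption: your endpoint inventory
AUTH_WINDOW = timedelta(minutes=10)                        # auth success must precede tunnel by this
TUNNEL_EVENTS = {"gateway-config-release", "gateway-register"}  # VPN IP handed out / tunnel up

# Constructed sample: alice logs in normally; bob and carol get tunnels with no
# auth success, from a hosting range, sharing one client MAC across two users.
SAMPLE_LOG = """receive_time,event_id,status,auth_method,srcuser,public_ip,private_ip,machine_mac
2026-05-17 08:01:10,portal-auth,success,LDAP,alice,203.0.113.10,,AA:BB:CC:00:00:01
2026-05-17 08:01:12,gateway-auth,success,LDAP,alice,203.0.113.10,,AA:BB:CC:00:00:01
2026-05-17 08:01:14,gateway-config-release,success,,alice,203.0.113.10,10.50.0.21,AA:BB:CC:00:00:01
2026-05-17 22:13:44,gateway-config-release,success,,bob,198.51.100.77,10.50.0.22,DE:AD:BE:EF:00:01
2026-05-21 03:40:02,gateway-config-release,success,,carol,198.51.100.78,10.50.0.23,DE:AD:BE:EF:00:01
"""


def parse(text):
    """Rows sorted by time, with a parsed datetime in r['ts']."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["receive_time"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["ts"])


def hunt(text):
    rows = parse(text)
    # (user, public_ip) -> timestamps of successful gateway authentication
    auth_ok = defaultdict(list)
    for r in rows:
        if r["event_id"] == "gateway-auth" and r["status"] == "success":
            auth_ok[(r["srcuser"], r["public_ip"])].append(r["ts"])

    findings = {"tunnel_without_auth": [], "unknown_source_ip": [],
                "unknown_mac": [], "mac_shared_by_users": {}}
    mac_users = defaultdict(set)
    for r in rows:
        if r["event_id"] not in TUNNEL_EVENTS:
            continue
        key = (r["srcuser"], r["public_ip"])
        # A tunnel with no recent auth success for the same user+IP is the
        # signature of a forged cookie: the gateway skipped the login step.
        if not any(r["ts"] - AUTH_WINDOW <= t <= r["ts"] for t in auth_ok[key]):
            findings["tunnel_without_auth"].append((r["srcuser"], r["public_ip"], r["private_ip"]))
        ip = ipaddress.ip_address(r["public_ip"])
        if not any(ip in net for net in KNOWN_RANGES):
            findings["unknown_source_ip"].append((r["srcuser"], r["public_ip"]))
        mac = r["machine_mac"].upper()
        if mac and mac not in KNOWN_MACS:
            findings["unknown_mac"].append((r["srcuser"], mac))
        if mac:
            mac_users[mac].add(r["srcuser"])
    # One client MAC showing up under several accounts is one operator, many victims.
    findings["mac_shared_by_users"] = {m: sorted(u) for m, u in mac_users.items() if len(u) > 1}
    return findings


if __name__ == "__main__":
    for category, hits in hunt(SAMPLE_LOG).items():
        print(f"{category}: {hits}")
```

Every hit in `tunnel_without_auth` is an internal address (`private_ip`) that was live on your network with no password and no MFA behind it; pivot from there into firewall traffic logs for what that address touched, which is the question Rapid7's "no lateral movement observed" answers for their customers but not for yours.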

If your IT provider can't answer "are we exposed to CVE-2026-0257, yes or no, with evidence" by the end of this week, that's the real story. The vulnerability is the symptom; the bigger question is whether someone is actively watching your perimeter.

What York Businesses Should Do

For York County businesses with remote workers, hybrid offices, or vendor VPN tunnels, this is the week to ask your IT provider for a written status on every internet-facing firewall and VPN appliance — Palo Alto or otherwise. York Computer is happy to do a no-cost perimeter check for local small businesses that aren't sure where they stand.
