CVE-2026-0257: CISA Adds Actively Exploited Palo Alto PAN-OS Authentication Bypass to KEV — Two Attack Waves Confirmed, Federal Deadline June 19
GP-CLIENT targeting local admin accounts — confirmed attacker IOC.
Sources: Palo Alto Networks Official Advisory (May 13 + May 30 update) · CISA KEV Catalog · Rapid7 MDR Exploitation Report · The Hacker News · GBHackers · CybersecurityNews · Cyberpress · Cryptika · Threat-Modeling.com | CVE: CVE-2026-0257 | CVSS: 9.1 (updated May 30 — raised from 7.8) | CWE: CWE-565 — Reliance on Cookies Without Validation and Integrity Checking | CISA KEV added: May 29, 2026 | Federal deadline: June 19, 2026
Your firewall’s VPN is letting attackers in — without a password
Palo Alto Networks firewalls are among the most trusted network security devices in enterprise and government infrastructure. They sit at the network perimeter — the first and most critical line of defense. The GlobalProtect VPN service built into PAN-OS is how tens of thousands of organizations provide secure remote access to employees and contractors. When that VPN authentication mechanism is broken, attackers do not need to defeat the firewall. They walk through the front door as an authorized user.
CVE-2026-0257 is exactly this scenario. Palo Alto Networks disclosed the vulnerability on May 13, 2026, warning that a remote unauthenticated attacker can forge authentication override cookies and establish unauthorized VPN connections through the GlobalProtect gateway — bypassing every authentication control the organization has deployed, including multi-factor authentication in many configurations. Rapid7 MDR confirmed the earliest real-world exploitation on May 17, just four days after disclosure. CISA added the vulnerability to the Known Exploited Vulnerabilities catalog on May 29 with a federal remediation deadline of June 19, 2026. Palo Alto updated its own advisory on May 30 to confirm exploitation and raised the severity from CVSS 7.8 to 9.1.
Two distinct attack waves have already been documented. The campaign is active. If you run PAN-OS with GlobalProtect, you are in the target set.
| Field | Detail |
|---|---|
| CVE | CVE-2026-0257 |
| CVSS Score | 9.1 (updated May 30 — raised from original 7.8) |
| CWE | CWE-565 — Reliance on Cookies Without Validation and Integrity Checking |
| Affected products | Palo Alto Networks PAN-OS (GlobalProtect portal and gateway) · Prisma Access |
| Trigger condition | Authentication override cookies enabled + certificate shared with another service (e.g. portal HTTPS) |
| Attack type | Remote unauthenticated attacker forges authentication override cookies → unauthorized VPN connection |
| Auth required | None |
| MFA bypassed | Yes — in affected configurations, MFA controls are bypassed entirely |
| Disclosed by Palo Alto | May 13, 2026 |
| Severity updated | May 30, 2026 — Palo Alto raised from 7.8 to 9.1 after confirming exploitation |
| Earliest confirmed exploitation | May 17, 2026 (Rapid7 MDR) |
| Wave 1 infrastructure | Vultr hosting — began May 18, 2026 |
| Wave 2 infrastructure | Dromatics Systems hosting — began May 21, 2026 |
| Attacker hostname IOC | GP-CLIENT (spoofed machine name used in both waves) |
| Target account IOC | Local administrator accounts on GlobalProtect gateways |
| CISA KEV added | May 29, 2026 |
| Federal deadline | June 19, 2026 (BOD 22-01) |
| Ransomware connection | Under investigation by CISA — not yet confirmed |
The root cause: a certificate configuration that breaks the authentication model
PAN-OS includes a feature called authentication override — a non-default configuration that issues session cookies to already-authenticated users, eliminating the need for them to re-authenticate on every VPN connection. This is a legitimate feature designed to improve user experience in environments where repeated authentication prompts create operational friction.
The vulnerability is triggered by a specific certificate configuration condition: when the certificate used to sign and encrypt the authentication override cookies is shared with another service — most commonly the GlobalProtect portal’s own HTTPS service. This sharing condition, which can occur in common deployment configurations, means that a party with access to the shared certificate can craft tokens that appear valid to the authentication override mechanism.
An unauthenticated remote attacker who identifies this condition can forge authentication override cookies that the GlobalProtect gateway treats as legitimate. The gateway accepts the forged cookie as proof of authentication, establishes a VPN session, and grants the attacker network-level access equivalent to any authorized VPN user — without a username, without a password, and without triggering any authentication failure alert. The attacker appears to the gateway as a fully authenticated session.
Palo Alto Networks’ own advisory stated: “Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection.” Critically, in configurations where MFA is enforced at the VPN gateway level, the forged cookie bypasses the MFA check entirely — because the cookie is treated as post-authentication state rather than as credentials requiring verification.
Two confirmed attack waves — Rapid7 MDR saw successful exploitation across multiple customers
Rapid7’s Managed Detection and Response team identified real-world exploitation beginning on May 17, 2026 — four days after Palo Alto’s initial disclosure — and has documented two distinct attack waves with different infrastructure signatures:
Wave 1 — May 17–20, Vultr infrastructure
The first exploitation wave used IP addresses hosted on Vultr, a commodity cloud hosting provider frequently used by threat actors for initial-stage infrastructure due to its accessibility and rapid provisioning. Attackers initiated suspicious cookie-based authentication requests targeting local administrator accounts on GlobalProtect gateways across multiple Rapid7 customer environments simultaneously — indicating automated or scripted exploitation rather than manual targeted attacks. The attackers used the machine hostname GP-CLIENT alongside a spoofed MAC address to impersonate a legitimate GlobalProtect client endpoint.
Wave 2 — May 21 onward, Dromatics Systems infrastructure
A second wave commenced on May 21, 2026, with attack traffic originating from IP addresses hosted by Dromatics Systems — a different hosting provider, suggesting either a separate threat actor cluster or infrastructure rotation by the original group to avoid IP-based blocks applied after Wave 1. The same exploitation technique was used: forged authentication override cookies targeting local admin accounts with the GP-CLIENT hostname. Rapid7 confirmed that in both waves, attackers achieved successful VPN authentication — establishing actual network access, not just probe-level reconnaissance.
While Rapid7 did not observe lateral movement from the compromised VPN sessions in the confirmed cases, the key operational point is this: successful VPN authentication gives the attacker network-level access equivalent to any legitimate remote user. That means access to internal hosts, internal services, internal network segments — everything the VPN is designed to reach. The absence of observed lateral movement in the monitored sample does not mean it did not occur in unmonitored environments, or that it will not occur in the next exploitation attempt.
Why VPN authentication bypasses are tier-1 enterprise threats
VPN infrastructure occupies a privileged position in enterprise security architecture — it is the boundary control between untrusted external networks and trusted internal resources. When VPN authentication is compromised, the blast radius is not a single workstation or a single application. It is the entire internal network segment accessible through the VPN — which in most enterprise deployments is a very large portion of the organization’s infrastructure.
The Verizon DBIR 2026, which DataWater analyzed on May 26, found that VPN credential abuse and authentication bypass are among the primary initial access vectors in ransomware attacks — appearing in the breach chain at a rate consistent with the current exploitation pattern for CVE-2026-0257. CISA has noted that the ransomware connection for this vulnerability is under active investigation. The exploitation profile — mass scanning across multiple environments, targeting local admin accounts, originating from commodity hosting infrastructure — is consistent with initial access broker activity: attackers who gain VPN footholds and then sell that access to ransomware operators.
PAN-OS devices are deployed extensively across government agencies, financial institutions, healthcare networks, and critical infrastructure — precisely the sectors that ransomware groups and nation-state actors target at the highest rates. This is not a peripheral vulnerability. It sits at the outer edge of enterprise network security and, when exploited successfully, gives attackers the same level of internal access they would have after defeating every other perimeter control.
Am I affected? How to check
The vulnerability affects PAN-OS devices with GlobalProtect portal or gateway configured when both of the following conditions are present:
- Authentication override cookies are enabled on the GlobalProtect portal or gateway configuration
- The certificate used for authentication override cookie encryption is shared with another service — most commonly, the same certificate is used for the GlobalProtect portal’s HTTPS interface
To check your configuration in the PAN-OS management interface:
- Navigate to Network → GlobalProtect → Gateways → [your gateway] → Authentication
- Check whether Generate cookie for authentication override is enabled
- If enabled, check the Cookie Encryption/Decryption Certificate field
- Navigate to Network → GlobalProtect → Portals → [your portal] → Authentication
- Check whether the same certificate appears in the portal’s HTTPS configuration under Network → GlobalProtect → Portals → [your portal] → General → SSL/TLS Service Profile
- If both are using the same certificate, you are in the vulnerable configuration
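The same check can be run against an exported configuration instead of clicking through the GUI, which matters when you operate many gateways. The script below is an added example, not a Palo Alto tool: the XML layout it parses is a simplified, constructed stand-in for a PAN-OS configuration export, and every element name in it (`ssl-tls-service-profiles`, `authentication-override`, `generate-cookie`, `cookie-certificate`) is an assumption that must be mapped onto the real running-config schema before use. It flags any portal or gateway that generates authentication override cookies with a certificate that is also served on a portal's HTTPS interface, and it treats a missing `authentication-override` block as cookies disabled.

```python
"""Flag GlobalProtect objects whose authentication-override cookie certificate
is shared with a portal's HTTPS (SSL/TLS service profile) certificate.

Added example. The XML below is a constructed, simplified layout; the element
names are assumptions, not the real PAN-OS configuration schema.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one portal, three gateways, two SSL/TLS service profiles.
SAMPLE_CONFIG = """<config>
  <ssl-tls-service-profiles>
    <entry name="portal-tls"><certificate>gp-wildcard</certificate></entry>
    <entry name="mgmt-tls"><certificate>mgmt-cert</certificate></entry>
  </ssl-tls-service-profiles>
  <global-protect>
    <portals>
      <entry name="gp-portal">
        <ssl-tls-service-profile>portal-tls</ssl-tls-service-profile>
        <authentication-override>
          <generate-cookie>no</generate-cookie>
          <cookie-certificate>gp-wildcard</cookie-certificate>
        </authentication-override>
      </entry>
    </portals>
    <gateways>
      <entry name="gw-ext">
        <authentication-override>
          <generate-cookie>yes</generate-cookie>
          <cookie-certificate>gp-wildcard</cookie-certificate>
        </authentication-override>
      </entry>
      <entry name="gw-dedicated">
        <authentication-override>
          <generate-cookie>yes</generate-cookie>
          <cookie-certificate>gp-cookie-only</cookie-certificate>
        </authentication-override>
      </entry>
      <entry name="gw-nocookie"/>
    </gateways>
  </global-protect>
</config>
"""


def _cookie_settings(entry):
    """Return (generate_cookie_enabled, cookie_cert_name) for a portal/gateway entry.
    A missing authentication-override block counts as cookies disabled."""
    ao = entry.find("authentication-override")
    if ao is None:
        return False, None
    enabled = (ao.findtext("generate-cookie", "no") or "").strip().lower() == "yes"
    cert = (ao.findtext("cookie-certificate") or "").strip() or None
    return enabled, cert


def portal_https_certs(root):
    """Map portal name -> certificate name served on that portal's HTTPS interface."""
    profiles = {
        e.get("name"): (e.findtext("certificate") or "").strip()
        for e in root.findall("ssl-tls-service-profiles/entry")
    }
    certs = {}
    for portal in root.findall("global-protect/portals/entry"):
        prof = (portal.findtext("ssl-tls-service-profile") or "").strip()
        certs[portal.get("name")] = profiles.get(prof)
    return certs


def find_shared_cookie_certs(xml_text):
    """Return one finding per cookie-issuing object whose cookie certificate is
    also a portal HTTPS certificate: the vulnerable configuration."""
    root = ET.fromstring(xml_text)
    https_certs = portal_https_certs(root)
    findings = []
    for kind, path in (("gateway", "global-protect/gateways/entry"),
                       ("portal", "global-protect/portals/entry")):
        for entry in root.findall(path):
            enabled, cert = _cookie_settings(entry)
            if not enabled or cert is None:
                continue
            shared_with = sorted(p for p, c in https_certs.items() if c == cert)
            if shared_with:
                findings.append({
                    "object": f"{kind} {entry.get('name')}",
                    "cookie_cert": cert,
                    "shared_with_portals": shared_with,
                })
    return findings


if __name__ == "__main__":
    for f in find_shared_cookie_certs(SAMPLE_CONFIG):
        print(f"VULNERABLE: {f['object']} signs cookies with {f['cookie_cert']}, "
              f"also served by portal(s) {', '.join(f['shared_with_portals'])}")
```

On the sample, only `gw-ext` is reported: `gw-dedicated` uses a certificate no portal serves, `gw-nocookie` has cookies off, and the portal's own cookie generation is disabled. Run it over every vsys and every portal in a real export; a gateway is only safe if its cookie certificate matches none of them.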
Detection: how to identify active exploitation attempts
Rapid7 has published specific detection signatures based on the confirmed exploitation patterns from both waves. Security teams should immediately implement the following detections:
- Alert on VPN authentication from hostname “GP-CLIENT” — this is the confirmed attacker-spoofed machine name used in both exploitation waves. Any GlobalProtect authentication event showing this hostname should be treated as a confirmed exploitation attempt until proven otherwise. Legitimate GP-CLIENT hostnames do exist — but their combination with local admin account authentication is highly anomalous.
- Alert on cookie-based authentication to local administrator accounts — Rapid7’s detections include “Suspicious VPN Authentication – PAN-OS GlobalProtect Login via Default Hostname” and “Suspicious VPN Authentication – Local Account Logon via Generic Non-Human Identity.” Local admin account VPN logins via cookie authentication outside known management workflows are the primary behavioral signature of this exploit.
- Review GlobalProtect authentication logs for the May 17–present window — check for successful VPN authentications from IP ranges associated with Vultr or Dromatics Systems hosting infrastructure. Any successful cookie-based authentication to a local admin account during this window should be investigated as a potential prior compromise.
- Check for unusual internal network activity post-VPN connection — if exploitation was successful before detection, the attacker had network-level access. Look for internal reconnaissance activity (port scans, LDAP queries, SMB enumeration) originating from VPN IP pool addresses at times inconsistent with legitimate remote work patterns.
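The first three detections above reduce to a few field-level conditions over GlobalProtect authentication events. The script below is an added example and not Rapid7's rule set: it runs those conditions over a constructed CSV of authentication events whose column names are assumptions (the real PAN-OS GlobalProtect log has its own schema), restricts itself to the May 17 onward window, and tags each event with every rule it matches. The local admin account names and the source-IP ranges are placeholders; the page does not list the Vultr or Dromatics Systems ranges, so substitute the ones your threat intelligence provides.

```python
"""Tag GlobalProtect authentication events with the exploitation indicators
described for CVE-2026-0257: default GP-CLIENT hostname, cookie-based login to
a local admin account, and successful login from watched hosting ranges.

Added example. The log layout, account names and IP ranges are constructed
placeholders, not the real PAN-OS schema or real attacker infrastructure.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample events (simplified CSV; column names are assumptions).
SAMPLE_LOG = """time,event,status,auth_method,machinename,srcuser,public_ip,domain
2026-05-16 08:02:11,gateway-auth,success,LDAP,LAPTOP-4421,corp\\jsmith,198.51.100.7,corp
2026-05-18 03:14:55,gateway-auth,success,Cookie,GP-CLIENT,admin,203.0.113.45,local
2026-05-18 03:15:02,gateway-auth,success,Cookie,GP-CLIENT,panadmin,203.0.113.46,local
2026-05-19 09:40:13,gateway-auth,success,Cookie,WS-0097,corp\\amartin,198.51.100.22,corp
2026-05-21 22:07:30,gateway-auth,success,Cookie,GP-CLIENT,admin,192.0.2.88,local
2026-05-22 11:30:00,gateway-auth,failure,LDAP,LAPTOP-1102,corp\\bnguyen,198.51.100.9,corp
"""

WINDOW_START = datetime(2026, 5, 17)            # earliest confirmed exploitation
LOCAL_ADMIN_ACCOUNTS = {"admin", "panadmin"}     # placeholder: your gateway's local admins
SUSPECT_RANGES = [                               # placeholder: hosting ranges from your intel feed
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("192.0.2.0/24"),
]


def match_rules(event):
    """Return the list of rule names an authentication event matches."""
    rules = []
    if event["machinename"].strip().upper() == "GP-CLIENT":
        rules.append("default-hostname")
    if (event["auth_method"].lower() == "cookie"
            and event["domain"].lower() == "local"
            and event["srcuser"].lower() in LOCAL_ADMIN_ACCOUNTS):
        rules.append("cookie-local-admin")
    if event["status"].lower() == "success":
        try:
            ip = ipaddress.ip_address(event["public_ip"].strip())
        except ValueError:
            ip = None
        if ip is not None and any(ip in net for net in SUSPECT_RANGES):
            rules.append("suspect-source")
    return rules


def scan(log_text, window_start=WINDOW_START):
    """Return one alert per event inside the window that matches any rule.
    An event matching both hostname and cookie-local-admin rules is marked
    'confirmed-pattern'; anything else is 'review'."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if when < window_start:
            continue
        rules = match_rules(row)
        if not rules:
            continue
        severity = ("confirmed-pattern"
                    if {"default-hostname", "cookie-local-admin"} <= set(rules)
                    else "review")
        alerts.append({
            "time": row["time"], "srcuser": row["srcuser"],
            "public_ip": row["public_ip"], "rules": rules, "severity": severity,
        })
    return alerts


if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"{a['time']} {a['severity']:17} {a['srcuser']:10} {a['public_ip']:15} {','.join(a['rules'])}")
```

On the sample, the three GP-CLIENT cookie logins to local admin accounts are reported as confirmed-pattern, the May 16 event is outside the window, and the cookie login by a domain user from an ordinary workstation is not flagged, which is the point of keying the second rule on the local account rather than on cookie authentication alone.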
Remediation steps
- Apply the Palo Alto Networks patch for your PAN-OS version immediately. Consult the official Palo Alto security advisory at security.paloaltonetworks.com/CVE-2026-0257 for the specific fixed software version for your release train. All supported PAN-OS versions have fixes available. This is the definitive remediation — all other mitigations are temporary.
- If you cannot patch immediately — disable authentication override cookies. Navigate to Network → GlobalProtect → Gateways → Authentication and disable Generate cookie for authentication override. Do the same for all GlobalProtect portal configurations. This eliminates the exploitable attack surface entirely, at the cost of requiring users to re-authenticate on each VPN connection. This is a temporary operational degradation, not a permanent fix.
- If disabling cookies is not operationally feasible — use a dedicated certificate. Generate and assign a certificate that is used exclusively for authentication override cookie signing and is not shared with any other service, particularly not the GlobalProtect portal’s HTTPS interface. This closes the specific certificate-sharing condition the vulnerability requires.
- Restrict GlobalProtect gateway access at the network perimeter. If your GlobalProtect gateway is accessible from the open internet to any source IP, consider restricting inbound DTLS/TLS access to known egress IP ranges for your user population. This does not patch the vulnerability but significantly reduces the automated scanning surface that Wave 1 and Wave 2 exploited.
- Run the Rapid7 detection queries immediately for the May 17–present window. Any successful cookie-based VPN authentication to local admin accounts during this period should be treated as a confirmed compromise until forensically ruled out. Engage Palo Alto support for incident response guidance if compromise is suspected.
- Rotate all local administrator credentials on GlobalProtect gateways regardless of whether you suspect exploitation. The Wave 1 and Wave 2 attacks specifically targeted local admin accounts — these credentials are the highest-value target on the device and should be treated as potentially observed by the attacker even in environments where active exploitation was not confirmed.
- For Prisma Access deployments — check whether authentication override cookies are enabled in your Prisma Access configuration. The vulnerability affects Prisma Access as well. Palo Alto’s advisory includes Prisma Access-specific guidance.
- Federal agencies must comply with CISA BOD 22-01 by June 19, 2026. Document your remediation status and report to CISA per directive requirements.
Context: Palo Alto PAN-OS is a recurring high-value target in 2026
CVE-2026-0257 is the second actively exploited critical PAN-OS vulnerability DataWater has covered in 2026. In May 2026, DataWater reported on CVE-2026-0300 — a CVSS 9.3 buffer overflow in PAN-OS’s Captive Portal service that was also confirmed exploited in the wild and patched in May. The pattern of sustained attacker focus on Palo Alto PAN-OS reflects the same dynamic driving the surge in Cisco SD-WAN exploitation documented in the Verizon DBIR 2026: network security appliances occupy a uniquely privileged position in enterprise architecture, they are typically internet-facing by design, and compromising them yields network-wide access that would otherwise require defeating multiple additional security controls.
Security teams managing PAN-OS environments should treat this as an ongoing threat category, not an isolated incident. Establish a rapid patch deployment process specifically for PAN-OS security updates, monitor Palo Alto’s security advisory feed actively, and apply the detection rules above as standing detections rather than one-time incident checks.
Sources and further reading
- Palo Alto Networks — Official Security Advisory CVE-2026-0257 (updated May 30, 2026)
- Rapid7 — Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass CVE-2026-0257
- The Hacker News — PAN-OS GlobalProtect Authentication Bypass CVE-2026-0257 Under Active Exploitation
- GBHackers — CISA Warns of Active Exploitation of Palo Alto Networks PAN-OS Vulnerability
- CybersecurityNews — CISA Flags Palo Alto Networks PAN-OS Vulnerability as Exploited in Attacks
- Cyberpress — CISA Flags Palo Alto PAN-OS Flaw as Actively Exploited
- Threat-Modeling.com — PAN-OS GlobalProtect Authentication Bypass CVE-2026-0257: Full Analysis
- CISA — Known Exploited Vulnerabilities Catalog (CVE-2026-0257 entry)
DataWater publishes daily cybersecurity intelligence for enterprise and government security leaders. Article #19 — June 2, 2026. Previous: CISA Warning Nx Console / GitHub (May 29) · CVE-2026-34926 Trend Micro Apex One (May 26) · Verizon DBIR 2026 (May 26) · MiniPlasma Windows zero-day (May 19) · CVE-2026-42897 Exchange OWA (May 19) · Fragnesia CVE-2026-46300 (May 18) · CVE-2026-20182 Cisco SD-WAN CVSS 10.0 (May 16).
