
Palo Alto GlobalProtect Vulnerability Actively Exploited Days After Disclosure

In a nutshell: CVE-2026-0257 lets attackers forge authentication cookies and impersonate legitimate VPN users. Rapid7 rates the risk as critical despite a CVSS score that Palo Alto initially classed as medium.

A vulnerability in Palo Alto Networks’ GlobalProtect VPN is already being actively exploited only days after patches were released. Attackers bypass authentication and reach corporate networks without malware, phishing, or stolen credentials.

CVE-2026-0257 affects the handling of authentication cookies in PAN-OS GlobalProtect. The gateway decrypts the cookie with its private key but never verifies the cookie’s cryptographic signature. Public-key encryption guarantees only confidentiality, not who produced the ciphertext: anyone holding the public key can encrypt a payload that the gateway will decrypt successfully. An attacker who extracts the public key can therefore mint a cookie the gateway treats as genuine, again without malware, phishing, or stolen credentials.
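The following is an added illustration of the class of defect described above, not Palo Alto code or the real PAN-OS cookie format. It models a gateway that decrypts a cookie with its private key and trusts the result, beside the same gateway that also checks its own signature over the payload before trusting it. The RSA key (two fixed Mersenne primes), the `user=...;role=...` payload layout, the `issue_cookie` / `forge_cookie` / `accept_*` function names, and the sample users are all constructed assumptions for the demonstration; textbook RSA without padding is used only to keep the example dependency-free.

```python
"""Added illustration (not PAN-OS code): a cookie check that decrypts but
never verifies a signature, beside the same check with verification.
Toy textbook RSA over fixed Mersenne primes; constructed for this example."""
import hashlib

# Constructed toy keypair. 2**61-1 and 2**89-1 are prime; N is about 150 bits,
# hopelessly small for real use but enough to show the logic.
P = 2**61 - 1
Q = 2**89 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (needs Python >= 3.8)
CHUNK = 16  # 2**128 < N, so every 16-byte block is a valid RSA message

GATEWAY_PUB = (N, E)   # what an attacker can extract
GATEWAY_PRIV = (N, D)  # stays on the gateway


def pad(data):
    """PKCS#7-style padding so the plaintext splits into whole CHUNK-byte blocks."""
    k = CHUNK - len(data) % CHUNK
    return data + bytes([k]) * k


def unpad(data):
    return data[:-data[-1]]


def rsa_encrypt(pub, plaintext):
    """Textbook RSA per block: needs only the public key."""
    n, e = pub
    return [pow(int.from_bytes(plaintext[i:i + CHUNK], "big"), e, n)
            for i in range(0, len(plaintext), CHUNK)]


def rsa_decrypt(priv, blocks):
    n, d = priv
    return b"".join(pow(c, d, n).to_bytes(CHUNK, "big") for c in blocks)


def _digest_int(data):
    # SHA-256 truncated to CHUNK bytes so the hash fits under the toy modulus.
    return int.from_bytes(hashlib.sha256(data).digest()[:CHUNK], "big")


def rsa_sign(priv, data):
    """Textbook RSA signature: only the private-key holder can produce it."""
    n, d = priv
    return pow(_digest_int(data), d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _digest_int(data)


def parse_user(payload):
    fields = dict(item.split("=", 1) for item in payload.decode().split(";") if "=" in item)
    return fields.get("user")


def issue_cookie(user):
    """Gateway side: encrypt the session payload and sign it."""
    payload = f"user={user};role=vpn-user".encode()
    return {"enc": rsa_encrypt(GATEWAY_PUB, pad(payload)),
            "sig": rsa_sign(GATEWAY_PRIV, payload)}


def forge_cookie(pub, user):
    """Attacker side: mints a payload with nothing but the extracted public key."""
    payload = f"user={user};role=vpn-user".encode()
    return {"enc": rsa_encrypt(pub, pad(payload)), "sig": 0}


def accept_unverified(cookie):
    """Vulnerable pattern: decryption succeeded, so the payload is trusted.
    Decryption proves nothing about who produced the ciphertext."""
    payload = unpad(rsa_decrypt(GATEWAY_PRIV, cookie["enc"]))
    return parse_user(payload)


def accept_verified(cookie):
    """Hardened pattern: the decrypted payload is trusted only once the
    gateway's own signature over it checks out."""
    payload = unpad(rsa_decrypt(GATEWAY_PRIV, cookie["enc"]))
    if not rsa_verify(GATEWAY_PUB, payload, cookie.get("sig", 0)):
        return None
    return parse_user(payload)


if __name__ == "__main__":
    forged = forge_cookie(GATEWAY_PUB, "admin")
    print("unverified gateway accepts forged cookie as:", accept_unverified(forged))
    print("verified gateway accepts forged cookie as:", accept_verified(forged))
```

The forged cookie is accepted by `accept_unverified` as `admin` and rejected by `accept_verified`, which is the whole difference the advisory describes. In production the same property is obtained with a proper signature scheme (for example RSA-PSS or Ed25519 over the cookie) or an AEAD construction, with separate keys for encryption and signing and an expiry bound into the signed payload; the toy here shows only the check that was missing.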

Palo Alto rated the flaw as medium severity when it disclosed it on May 13 and was unaware of active exploitation at the time. Rapid7, however, identified successful exploitation at numerous customers as early as May 17, four days after the patch release. On May 29, Palo Alto raised the CVSS score to 7.8 and marked the exploit status as “actively exploited”. Rapid7 did not observe lateral movement in the cases it investigated.

The nature of the flaw makes it more dangerous than the original medium rating suggests: forged sessions look like ordinary, successfully authenticated VPN logins and are therefore harder to spot than classic intrusion patterns. Attackers need neither malware nor phishing messages. The affected cookie-based authentication feature is disabled by default, but many organizations have enabled it for user convenience.

In a Zero Trust model, identity is the control point, so an authentication bypass in remote-access infrastructure undermines the perimeter even though it involves no code execution. The real enterprise risk lies in what follows the bypass: lateral movement, credential harvesting, and persistent access hidden behind apparently legitimate sessions. Rapid7 therefore recommends treating the vulnerability as critical despite its medium CVSS classification.


Source: www.csoonline.com · Published June 2, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.2.9.
