PAN-OS GlobalProtect Authentication Bypass Vulnerability Under Active Exploitation

Palo Alto Networks has warned that a recently disclosed security flaw affecting PAN-OS and Prisma Access environments is under active exploitation. The vulnerability, tracked as CVE-2026-0257 with a CVSS severity score of 7.8, is an authentication bypass affecting GlobalProtect portal and gateway functionality. Security experts caution that threat actors are attempting to exploit vulnerable systems to establish unauthorized VPN connections, which could give them access to protected internal networks. The company first disclosed the flaw in a security advisory published on May 13, 2026, highlighting the risk to organizations relying on affected configurations.

According to Palo Alto Networks, the issue specifically affects firewalls configured with GlobalProtect portal or gateway services where authentication override cookies are enabled alongside a particular certificate configuration. Under these conditions, attackers may be able to bypass authentication controls and establish unauthorized VPN sessions without valid credentials, evading the restrictions that normally protect enterprise network access. In an updated advisory released on May 29, 2026, Palo Alto Networks confirmed it had become aware of limited exploitation attempts targeting unpatched PAN-OS devices on which the recommended mitigations had not been applied. Although the activity has been described as limited, the confirmation raised concern for organizations operating exposed systems, particularly those managing remote access infrastructure.

The warning follows separate findings from cybersecurity company Rapid7, which reported observing successful exploitation attempts across multiple customer environments. According to Rapid7, the earliest exploitation efforts linked to the vulnerability date back to May 17, 2026, followed by a second wave of attacks identified on May 21. Researchers believe both campaigns were conducted by the same threat actor, based on similarities in behavior and attack methodology. During the second wave, attackers reportedly obtained VPN-assigned IP addresses after bypassing cookie-based authentication in at least two documented cases, gaining access to internal corporate networks. Rapid7 stated that while unauthorized VPN sessions were successfully established, no additional suspicious activity was observed in the affected customer environments after network access had been gained.

Cybersecurity experts have emphasized the seriousness of authentication bypass vulnerabilities in internet-facing enterprise VPN appliances, because they can provide unauthorized entry into organizational networks. Rapid7 urged affected organizations to apply vendor-supplied security patches as quickly as possible to reduce exposure. As interim protections, Palo Alto Networks recommended disabling the authentication override feature or generating a separate certificate used exclusively for authentication override, to limit the risk of abuse. The active exploitation of CVE-2026-0257 also comes amid broader concern about attackers targeting enterprise infrastructure vulnerabilities. Recently, cybersecurity firm Arctic Wolf reported continued weaponization of the previously patched FortiClient Endpoint Management Server vulnerability tracked as CVE-2026-35616, which carries a CVSS score of 9.1 and has been exploited to deliver credential-stealing malware known as EKZ Infostealer.
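The interim mitigations above amount to a configuration check that a defender can automate: every GlobalProtect client configuration either has authentication override turned off, or encrypts its override cookies with a certificate that is not the one the portal itself presents over TLS. The script below is an added example written for this article; it is not code from Palo Alto Networks or from the advisory. It walks a PAN-OS-style XML configuration export and classifies each client configuration accordingly. The sample export and the element names (`authentication-override`, `generate-cookie`, `accept-cookie`, `cookie-encrypt-decrypt-cert`, `ssl-tls-service-profile`) are assumptions modelled on the PAN-OS export layout; confirm them against a real export from your device before relying on the result.

```python
"""Audit a PAN-OS-style XML config export for GlobalProtect authentication override.

Added example, not vendor code. Element names are assumptions about the export
schema; verify them against an actual export before use.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: one portal, three client configurations.
SAMPLE_CONFIG = """<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="gp-tls-profile"><certificate>gp-edge-cert</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal>
        <entry name="gp-portal">
          <portal-config>
            <ssl-tls-service-profile>gp-tls-profile</ssl-tls-service-profile>
          </portal-config>
          <client-config><configs>
            <entry name="default">
              <authentication-override>
                <generate-cookie>yes</generate-cookie>
                <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
                <cookie-encrypt-decrypt-cert>gp-edge-cert</cookie-encrypt-decrypt-cert>
              </authentication-override>
            </entry>
            <entry name="contractors">
              <authentication-override>
                <generate-cookie>yes</generate-cookie>
                <accept-cookie><cookie-lifetime><lifetime-in-hours>8</lifetime-in-hours></cookie-lifetime></accept-cookie>
                <cookie-encrypt-decrypt-cert>gp-cookie-only-cert</cookie-encrypt-decrypt-cert>
              </authentication-override>
            </entry>
            <entry name="kiosks">
              <authentication-override>
                <generate-cookie>no</generate-cookie>
              </authentication-override>
            </entry>
          </configs></client-config>
        </entry>
      </global-protect-portal>
    </global-protect>
  </entry></vsys></entry></devices>
</config>"""


def _text(node, path):
    """Return the stripped text of a child element, or None if absent."""
    child = node.find(path) if node is not None else None
    return child.text.strip() if child is not None and child.text else None


def tls_profile_cert(root, profile_name):
    """Resolve an SSL/TLS service profile name to the certificate it serves."""
    for profiles in root.iter("ssl-tls-service-profile"):
        for entry in profiles.findall("entry"):
            if entry.get("name") == profile_name:
                return _text(entry, "certificate")
    return None


def audit_config(xml_text):
    """Classify each portal client configuration against the interim mitigations.

    ok      : authentication override is disabled, or uses a dedicated cookie cert.
    REVIEW  : override is enabled and the cookie cert is missing or is the same
              certificate the portal presents over TLS.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for portal in root.iter("global-protect-portal"):
        for portal_entry in portal.findall("entry"):
            profile = _text(portal_entry, "portal-config/ssl-tls-service-profile")
            portal_cert = tls_profile_cert(root, profile) if profile else None
            for cfg in portal_entry.findall("client-config/configs/entry"):
                override = cfg.find("authentication-override")
                generates = _text(override, "generate-cookie") == "yes"
                accepts = override is not None and override.find("accept-cookie") is not None
                cookie_cert = _text(override, "cookie-encrypt-decrypt-cert")
                if not (generates or accepts):
                    status = "ok: authentication override disabled"
                elif cookie_cert and cookie_cert != portal_cert:
                    status = "ok: dedicated cookie certificate"
                else:
                    status = "REVIEW: cookie certificate missing or shared with portal TLS certificate"
                findings.append({
                    "portal": portal_entry.get("name"),
                    "config": cfg.get("name"),
                    "cookie_cert": cookie_cert,
                    "portal_cert": portal_cert,
                    "status": status,
                })
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG):
        print(f"{finding['portal']}/{finding['config']}: {finding['status']}")
```

On the constructed sample this flags only the `default` configuration, whose cookies are encrypted with the same certificate the portal serves over TLS; `contractors` uses a dedicated certificate and `kiosks` has override disabled, which are the two states the interim guidance describes. A configuration that has override enabled but names no cookie certificate at all is also reported for review rather than silently passed.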
