Palo Alto Networks has recently been embroiled in security challenges due to a vulnerability, CVE-2026-0257, affecting its PAN-OS and Prisma Access systems. This authentication bypass flaw has garnered attention after being actively exploited, prompting its inclusion in the Known Exploited Vulnerabilities (KEV) catalog by CISA on May 29, 2026.
Vulnerability Details and Exploitation
On May 13, 2026, Palo Alto Networks issued a security advisory regarding the vulnerability. The flaw allows remote attackers to forge authentication override cookies, enabling unauthorized VPN connections via the GlobalProtect gateway. This issue stems from a non-default feature known as “authentication override.”
The vulnerability is exploited when the certificate used for these override cookies is shared with other features, like the HTTPS service. The decryption process, lacking signature verification, allows attackers to bypass authentication by forging valid cookies.
Documented Attack Waves
Rapid7 reported the first instance of exploitation on May 17, 2026, with attacks traced back to IP addresses hosted on Vultr. Subsequent suspicious activities were noted on May 18, highlighting unauthorized cookie-based authentication attempts targeting local admin accounts.
A second wave on May 21, originating from Dromatics Systems, saw attackers using the machine name DESKTOP-GP01. This round involved full VPN IP assignments to attackers, granting them direct access to internal networks. Across both waves, the consistency in spoofed MAC addresses suggests a single threat actor was responsible.
Mitigation Measures and Urgent Actions
Organizations are urged to promptly update to patched versions of PAN-OS and Prisma Access. Critical updates include PAN-OS 12.1.4-h6 / 12.1.7, among others, and Prisma Access 11.2.7-h13 or later. Disabling the authentication override feature and using dedicated certificates for cookie encryption are recommended steps.
Security teams should actively hunt for Indicators of Compromise (IOCs) and deploy detection rules to safeguard against potential threats. Despite a medium CVSSv4 score, Rapid7 emphasizes the critical nature of CVE-2026-0257, given its potential as an entry point for attackers.
As the exploitation of this vulnerability continues, immediate action is vital to secure systems and prevent unauthorized network access. Organizations must prioritize these updates to protect their infrastructure from ongoing cyber threats.
