Recently, cybersecurity firm Rapid7 reported that attackers are actively exploiting a vulnerability in Palo Alto Networks’ GlobalProtect portal and gateway. The issue, tracked as CVE-2026-0257 and assigned a CVSS score of 7.8, was publicly disclosed shortly before exploitation began. The flaw allows unauthenticated users to bypass authentication and establish VPN connections to affected systems.
Details of the Vulnerability
The vulnerability affects firewalls with GlobalProtect portal or gateway enabled under specific configurations, as outlined by Palo Alto Networks in their advisory on May 13. The company released patches to mitigate the issue, emphasizing the need for immediate updates due to the critical nature of the defect. Despite these efforts, malicious actors began exploiting the flaw shortly after its disclosure.
On the same day, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw to its Known Exploited Vulnerabilities catalog, urging rapid patch deployment by June 1. The National Institute of Standards and Technology (NIST) also marked the issue as critical, highlighting the potential impact on unpatched systems.
Observed Exploitation Activities
According to Rapid7, exploitation activity was first detected on May 17 in the form of suspicious cookie-based authentication to local admin accounts, originating from the hosting provider Vultr. This pattern was observed across multiple customer environments. A subsequent wave of attacks was noted on May 21, originating from Dromatics Systems, in which the threat actors used the VPN IP addresses assigned to them after authentication to access internal networks.
The attackers successfully used forged cookies to trigger the authentication bypass in multiple instances. Rapid7 noted that in eight out of ten attempts the cookies were accepted without a full VPN session being established, suggesting a sophisticated understanding of the vulnerability and how to exploit it.
Mitigation and Defensive Measures
To help organizations identify vulnerable systems, Rapid7 released a proof-of-concept script along with indicators of compromise. These tools are intended to help defenders pinpoint potential breaches and reinforce network security measures. Palo Alto Networks has provided patches in updates for PAN-OS versions 12.1, 11.2, 11.1, and 10.2, and for Prisma Access versions 11.2.0 and 10.2.0. Organizations are strongly advised to apply these updates promptly to mitigate the risk.
In conclusion, the active exploitation of this vulnerability underscores the necessity for timely patch management and robust network defense strategies. As the cybersecurity landscape evolves, staying informed and proactive in addressing vulnerabilities remains crucial for safeguarding digital infrastructures.
