A critical vulnerability in Palo Alto Networks' PAN-OS, identified as CVE-2026-0257, is being actively exploited. The flaw affects both PAN-OS and Prisma Access, and it has been added to the Known Exploited Vulnerabilities catalog by CISA on May 29, 2026. This vulnerability allows attackers to bypass authentication, enabling unauthorized access through VPN connections via the GlobalProtect gateway.
Palo Alto Networks released a security advisory on May 13, 2026, outlining the risk posed by CVE-2026-0257. The vulnerability is linked to a non-default feature called 'authentication override.' This feature provides session cookies to authenticated users, which are similar to bearer tokens, eliminating the need for repeated authentication. The issue arises when the certificate used for these cookies is shared with another feature, such as the portal or gateway's HTTPS service. Because the decryption process does not verify signatures, attackers who access the public key from the HTTPS certificate can forge authentication cookies, bypassing authentication entirely.
Rapid7 first identified exploitation of this vulnerability on May 17, 2026, with attacks traced back to IP addresses hosted on Vultr. The attackers used a fake machine name and a spoofed MAC address to impersonate legitimate endpoints. A second wave of attacks was detected on May 21, 2026, originating from Dromatics Systems, also using a spoofed MAC address. In some cases, attackers gained direct access to internal networks by establishing full VPN sessions after bypassing authentication.
Organizations using PAN-OS and Prisma Access are urged to update to the latest software versions immediately. Fixed versions include PAN-OS 12.1.4-h6 / 12.1.7 and PAN-OS 11.2.12. For Prisma Access, version 11.2.0 requires 11.2.7-h13 or later, and version 10.2.0 requires 10.2.10-h36 or later. Rapid7 stresses the critical nature of this vulnerability, warning that the ongoing exploitation poses a significant threat, especially with a public proof-of-concept script now available.


