Active Exploitation of PAN-OS GlobalProtect Gateways (CVE-2026-0257) Triggers Urgent Patches
Attackers are already inside. A high-severity authentication bypass vulnerability in Palo Alto Networks GlobalProtect portals and gateways is actively being exploited in the wild, giving remote attackers an easy way to set up unauthorized VPN access straight into corporate networks. It is a nasty bug. The flaw, tracked as CVE-2026-0257, is dangerous enough that the Cybersecurity and Infrastructure Security Agency (CISA) just added it to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies a hard deadline to patch.
How It Played Out
Palo Alto Networks first disclosed the issue on May 13, 2026, noting that it affected both PAN-OS and Prisma Access. It didn’t take long for hackers to pounce. By May 17, Rapid7’s Managed Detection and Response (MDR) teams were already seeing successful real-world attacks across multiple customer environments. That is a tight window.
By May 29, Palo Alto Networks had to update its advisory, warning that unpatched devices were facing active, targeted attacks. CISA did not wait around, either. It added the CVE to its KEV catalog that very same day (May 29), giving federal agencies a strict timeline to get their systems locked down. If you run these gateways, you are in the crosshairs. Attackers love perimeter access because it bypasses almost everything else, and this incredibly fast turnaround from advisory to active exploitation shows exactly why they target these edge devices first.
The Technical Details
This bug lives in a specific setting. You are only vulnerable if you have the “authentication override” feature turned on. It is a handy feature that generates and accepts cookies to save users from constantly logging back in, but it completely breaks if you reuse your certificates.
If the certificate you use to encrypt and decrypt those authentication override cookies is the exact same one you use for the gateway’s HTTPS service, you have a major problem. Attackers can abuse this shared certificate to forge valid authentication cookies. Since the firewall trusts the certificate, it trusts the forged cookie. The result? A remote, unauthenticated attacker can walk right past your login screens and open a full VPN tunnel without entering a single valid password. It is that simple.
Why Edge Devices Keep Getting Hit
Firewalls and VPN gateways are the internet’s front doors, and hackers are tired of picking locks when they can just walk through a broken door. In the past, attackers spent weeks crafting perfect phishing emails to trick employees. Now, they just go after the edge.
Gateways sit directly on the public internet, completely exposed, making them incredibly tempting targets for initial access brokers and state-sponsored APT groups. They also have huge privileges. Once an attacker gets past the gateway’s authentication, they are not just on a single employee’s laptop—they are sitting inside a highly trusted, deeply connected segment of the internal corporate network. From there, they can pivot wherever they want.
How to Fix It
If you manage these devices, stop what you are doing and fix this now. You have three ways to handle this.
- Patch your systems immediately. This is the best fix. Palo Alto Networks has pushed out updates, so get your systems upgraded to one of these safe versions:
  - PAN-OS 12.1: 12.1.4-h6, 12.1.7, or later
  - PAN-OS 11.2: 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, 11.2.12, or later
  - PAN-OS 11.1: 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15, or later
  - PAN-OS 10.2: 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6, or later
  - Prisma Access: 11.2.7-h13 (or later) or 10.2.10-h36 (or later)
- Turn off the override feature. If patching is going to take time, go into your PAN-OS management interface right away. Look under your GlobalProtect portal and gateway agent configurations and uncheck both “Generate cookie for authentication override” and “Accept cookie for authentication override”.
- Get a dedicated certificate. If you must keep the override feature running, generate a brand-new, unique certificate used exclusively for encrypting and decrypting these cookies. Make sure it is completely isolated and never shared with the gateway or portal’s HTTPS service.
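The fixed-version table above is easy to misread when a fleet mixes release trains and hotfixes (is 11.2.4-h16 safe? is 12.1.5?). The following script is an added example, not Palo Alto Networks' or Rapid7's code: it encodes the table exactly as the article lists it, parses PAN-OS style version strings of the form `major.minor.maint-hN`, and classifies each device as fixed, vulnerable, or unknown (release train not in the table). The inventory hostnames and versions are constructed for the example, and the interpretation of "or later" (a listed release covers later hotfixes of the same maintenance release; the last listed release also covers later maintenance releases; anything in between is treated as vulnerable) is an assumption on the conservative side, so confirm against the vendor advisory before closing a ticket.

```python
import re

# Fixed releases as listed in the article for CVE-2026-0257, keyed by product and
# "major.minor" release train. Each entry covers itself and later hotfixes of the same
# maintenance release; the last entry in each train also covers later maintenance releases.
FIXED = {
    "pan-os": {
        "12.1": ["12.1.4-h6", "12.1.7"],
        "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
        "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
        "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    },
    "prisma-access": {
        "11.2": ["11.2.7-h13"],
        "10.2": ["10.2.10-h36"],
    },
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '11.2.4-h17' into (11, 2, 4, 17); a release without a hotfix gets hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(product, version):
    """Return 'fixed', 'vulnerable' or 'unknown' for one device.

    'unknown' means the release train is not in the table above, so the vendor
    advisory has to be consulted directly. A release that falls between two listed
    maintenance releases (e.g. 12.1.5, between 12.1.4-h6 and 12.1.7) is reported
    as 'vulnerable' because no fix is listed for it.
    """
    major, minor, maint, hotfix = parse_version(version)
    train = FIXED.get(product.lower(), {}).get(f"{major}.{minor}")
    if train is None:
        return "unknown"
    fixed = [parse_version(v) for v in train]
    same_maint = [f for f in fixed if f[2] == maint]
    if same_maint:
        # Same maintenance release: safe once the hotfix level reaches the listed one.
        return "fixed" if hotfix >= same_maint[0][3] else "vulnerable"
    if maint > max(f[2] for f in fixed):
        return "fixed"  # the "or later" clause of the last listed release
    return "vulnerable"


def triage(inventory):
    """Take (hostname, product, version) tuples and return every host that is not
    confirmed fixed, paired with its assessment, so it can be queued for action."""
    results = ((host, assess(product, version)) for host, product, version in inventory)
    return [(host, status) for host, status in results if status != "fixed"]


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("gp-gw-01", "pan-os", "11.2.4-h17"),
    ("gp-gw-02", "pan-os", "11.2.4-h16"),
    ("gp-gw-03", "pan-os", "12.1.5"),
    ("gp-gw-04", "pan-os", "10.2.19"),
    ("gp-gw-05", "pan-os", "10.1.14-h8"),
    ("prisma-eu", "prisma-access", "11.2.8"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY):
        print(f"{host}: {status}")
```

Run against the sample inventory it reports gp-gw-02 and gp-gw-03 as vulnerable and gp-gw-05 as unknown (the 10.1 train is not in the table), while gp-gw-01, gp-gw-04 and prisma-eu drop out as fixed. Feeding it a real inventory export is a matter of replacing SAMPLE_INVENTORY; the hotfix-aware comparison is the part that a plain string sort gets wrong.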
Sources
- Palo Alto Networks Advisory: https://advisories.paloaltonetworks.com/CVE-2026-0257
- CISA KEV Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- Rapid7 MDR Threat Intelligence: https://www.rapid7.com/blog/cve-2026-0257-active-exploitation
- Proof-of-Concept & Vulnerability Research: https://github.com/sfewer-r7/CVE-2026-0257