Palo Alto Networks PAN-OS GlobalProtect — CVE-2026-0257

Authentication-override flaw in PAN-OS GlobalProtect lets unauthenticated attackers forge cookies and establish VPN tunnels; CISA added it to KEV with a 1 June deadline.

Target: Palo Alto Networks PAN-OS GlobalProtect — CVE-2026-0257
Date public: 29 May 2026
Sector: Technology
Attack type: Vulnerability Exploit
Threat actor: Unattributed (Vultr and Dromatics Systems infrastructure observed)
Severity: High
Region: Global

On 13 May 2026, Palo Alto Networks published an advisory for CVE-2026-0257, an authentication-override flaw in the GlobalProtect portal and gateway components of PAN-OS. The vulnerability carries a CVSS base score of 7.8. The bug exists in a non-default feature called authentication override, which allows GlobalProtect to issue session cookies to already-authenticated users so they do not re-authenticate against the directory on every reconnection. The flaw is triggered only when the certificate used to encrypt and decrypt those override cookies is reused for another GlobalProtect feature — typically the HTTPS service certificate. In that configuration, the public key for the override-cookie certificate is recoverable from a routine TLS handshake, and an unauthenticated attacker can use it to forge arbitrary authentication-override cookies that the gateway will accept. The result is a remote, unauthenticated VPN session into the enterprise network from an internet-facing appliance.

Rapid7’s Managed Detection and Response team published exploitation evidence on 29 May. The earliest in-the-wild activity it observed was 17 May 2026, with a first wave originating from Vultr-hosted IPs using the hostname GP-CLIENT against the local administrator account, followed by a second wave on 21 May from Dromatics Systems infrastructure using the hostname DESKTOP-GP01. Both waves used the same spoofed MAC address (aa:bb:cc:dd:ee:ff). In the second wave, some victim environments granted the attacker a full VPN IP assignment after cookie authentication, placing an unauthenticated party directly inside internal address space. Rapid7 has not reported lateral movement beyond the initial VPN session in the observed cases, but the observed pattern (attempts against multiple customer environments in waves, days apart, from rotating ASN infrastructure) is consistent with access-broker reconnaissance rather than a single targeted campaign.
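The indicators above are the kind of thing a defender wants to run over exported GlobalProtect logon records, so here is an added hunt script that is not part of this catalogue entry or of Rapid7's reporting. The record field names (srcuser, machinename, client_mac, auth_method, assigned_ip), the auth_method value "auth-override-cookie", the local admin account name "admin" and the sample records are all assumptions constructed for the example, not an official PAN-OS log schema.

```python
"""Hunt for CVE-2026-0257-style override-cookie logons in GlobalProtect records.

Each record is a dict. The field names and the "auth-override-cookie" value are
assumed for this example (adjust to your SIEM's export), not an official schema.
"""
from collections import defaultdict

# Indicators reported for the two observed waves (see the text above)
KNOWN_HOSTNAMES = {"GP-CLIENT", "DESKTOP-GP01"}
KNOWN_SPOOFED_MAC = "aa:bb:cc:dd:ee:ff"
# Assumed name of the local administrator account targeted in the first wave
LOCAL_ADMIN_ACCOUNTS = {"admin"}


def classify(rec):
    """Return the reasons one logon record looks like override-cookie abuse."""
    reasons = []
    if rec.get("machinename", "").upper() in KNOWN_HOSTNAMES:
        reasons.append("known attacker hostname")
    if rec.get("client_mac", "").lower() == KNOWN_SPOOFED_MAC:
        reasons.append("known spoofed MAC")
    # Structural signal that survives IoC rotation: a cookie-only logon for a
    # local account that should always authenticate against the directory.
    if (rec.get("auth_method") == "auth-override-cookie"
            and rec.get("srcuser") in LOCAL_ADMIN_ACCOUNTS):
        reasons.append("cookie logon for local admin account")
        if rec.get("assigned_ip"):
            reasons.append("tunnel IP assigned to suspicious session")
    return reasons


def hunt(records):
    """Per-record hits, plus one MAC address seen with several hostnames."""
    hits = {}
    hosts_per_mac = defaultdict(set)
    for idx, rec in enumerate(records):
        reasons = classify(rec)
        if reasons:
            hits[idx] = reasons
        hosts_per_mac[rec.get("client_mac", "").lower()].add(rec.get("machinename", ""))
    shared = {mac: sorted(h) for mac, h in hosts_per_mac.items() if len(h) > 1}
    return hits, shared


# Constructed sample records (not real telemetry); wave 1, wave 2, and a benign user
SAMPLE = [
    {"time": "2026-05-17T03:12:44Z", "srcuser": "admin", "machinename": "GP-CLIENT",
     "client_mac": "aa:bb:cc:dd:ee:ff", "auth_method": "auth-override-cookie", "assigned_ip": ""},
    {"time": "2026-05-21T11:05:02Z", "srcuser": "admin", "machinename": "DESKTOP-GP01",
     "client_mac": "AA:BB:CC:DD:EE:FF", "auth_method": "auth-override-cookie", "assigned_ip": "10.20.30.41"},
    {"time": "2026-05-21T11:20:00Z", "srcuser": "jsmith", "machinename": "LT-JSMITH",
     "client_mac": "00:11:22:33:44:55", "auth_method": "auth-override-cookie", "assigned_ip": "10.20.30.42"},
]
```

The MAC-to-hostname correlation in `hunt` is the part worth keeping after the published hostnames rotate: a single client MAC presenting under several machine names across days is the signature of the two waves described above.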

CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalogue on 29 May 2026 and set a federal civilian agency mitigation deadline of 1 June 2026. Palo Alto Networks updated its advisory the same day to reflect confirmed exploitation. The vendor mitigation guidance is to apply the relevant PAN-OS fixed-version update, or — for organisations that cannot upgrade in the deadline window — to remove the certificate reuse by issuing a dedicated certificate for authentication-override cookies, or by disabling the authentication-override feature entirely in the GlobalProtect portal and gateway configuration.

The editorial significance here sits one layer below the CVE. GlobalProtect is the standard remote-access appliance across a large share of the UK financial-services estate, alongside its closest competitors in the perimeter VPN category. Every previous high-severity authentication-bypass class flaw in a perimeter VPN appliance over the past five years — Pulse Secure SSL VPN, Ivanti Connect Secure, Citrix NetScaler, Fortinet FortiOS — has turned, within months, into a documented initial-access vector for ransomware operations. The pattern is the same each time: an unauthenticated remote attacker who can present as a valid VPN client bypasses the entire identity-perimeter design and lands inside the segmented enterprise zone the appliance was supposed to defend. The 1 June federal deadline is the headline; the more important number, once disclosure firms up, is going to be how many private-sector estates were patched before 17 May and how many were not.

A deep-dive will follow once at least one named victim is publicly attributed to a CVE-2026-0257 chain, or once Palo Alto Networks publishes a post-incident attack-pattern document. Until then, this is the catalogue’s reference stub for the CVE itself.