WARNING: Active Exploitation of Palo Alto VPN Flaw


Cybersecurity researchers and government agencies are sounding the alarm after attackers began actively exploiting a newly disclosed vulnerability affecting Palo Alto Networks’ widely used GlobalProtect VPN platform, raising fears of large-scale corporate network intrusions.

The flaw, tracked as CVE-2026-0257, affects PAN-OS, the software that runs on Palo Alto Networks firewall appliances, and lets an attacker bypass GlobalProtect authentication under certain configurations. Security experts warn that an unauthenticated attacker could establish a VPN session into an enterprise environment without possessing any legitimate credentials.

The vulnerability was initially disclosed earlier this month with a “Medium” severity rating. However, Palo Alto Networks sharply escalated its assessment on Friday after confirming that hackers had already begun exploiting unpatched systems in real-world attacks.

The company now classifies the issue as “High” severity following evidence of active exploitation targeting internet-facing GlobalProtect gateways.

The development highlights growing concerns within the cybersecurity community over the speed at which attackers weaponize newly disclosed vulnerabilities, particularly those affecting remote access infrastructure widely deployed across corporate and government networks.

Exploitation Attempts Detected Worldwide

In an updated security advisory, Palo Alto Networks acknowledged that exploit attempts against vulnerable devices are already underway.

“Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied,” the company stated.

The warning followed a separate investigation by cybersecurity firm Rapid7, whose Managed Detection and Response (MDR) team said it observed exploitation activity beginning as early as May 17, only days after technical details surrounding the flaw became public.

According to Rapid7 researchers, attacks were identified across numerous customer environments, signaling that threat actors rapidly operationalized the vulnerability after disclosure.

“The earliest date for observed exploitation was May 17, 2026,” Rapid7 said in its analysis, adding that affected organizations spanned multiple sectors.

While investigators did not observe widespread lateral movement after initial compromise, researchers emphasized that successful VPN authentication alone represents a severe risk because it grants attackers direct access to internal corporate networks.


How the Vulnerability Works

The vulnerability centers on a feature known as “authentication override cookies,” a mechanism designed to streamline user authentication for GlobalProtect VPN sessions.

Under normal circumstances, a cookie is issued to a user who has already authenticated, and presenting it lets that user reconnect without entering credentials again. However, Rapid7 researchers discovered that, under specific configurations, PAN-OS does not properly validate these cookies.

The flaw arises because an affected device decrypts the cookie and trusts its contents without adequately verifying its digital signature, that is, without checking that the portal actually issued it. Successful decryption proves very little: a cookie the gateway can decrypt is one that was encrypted to the gateway's public key, and anyone who holds that public key can produce a ciphertext that decrypts cleanly. Encryption to a public key provides confidentiality, not authenticity.

In environments where the same certificate serves both the HTTPS service and the authentication override feature, that public key is not a secret at all. The gateway presents the certificate to every client during the TLS handshake, so anyone who can reach the HTTPS port can read the key out of it.

With that key, an attacker can encrypt a cookie of their own making that names an arbitrary user, including a local administrator account, and the gateway decrypts it and accepts the impersonation as legitimate.

In practical terms, the flaw allows attackers to bypass authentication entirely: no password, no MFA prompt, and no stolen session is needed.

Rapid7 researchers developed a proof-of-concept exploit demonstrating that an attacker could retrieve the exposed certificate, generate a forged authentication cookie, and successfully authenticate to a vulnerable GlobalProtect gateway without valid credentials.

The attack method underscores the danger of reusing one key pair across multiple security functions. Key separation, one key per purpose, is a longstanding rule of cryptographic engineering for exactly this reason: a key that must be public for one use (here, TLS) cannot at the same time act as the secret that proves a cookie came from the portal. The practice nonetheless remains common in enterprise environments.
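The failure mode described above, as an added illustration that is not part of the original article and is not Palo Alto Networks or Rapid7 code: a toy gateway that decrypts a cookie and believes whatever it finds inside, an attacker who forges one using nothing but the public key a TLS client would see, and a hardened check that authenticates the cookie before parsing it. The cookie layout, the field names, the fixed toy RSA keys and the HMAC-based fix are all assumptions chosen for the demonstration; they are not the PAN-OS cookie format or the vendor's fix.

```python
"""Toy model of an 'encrypt, then trust' session cookie.

Added illustration, not PAN-OS code: the cookie layout, field names,
keys and the MAC-based fix are assumptions chosen to show one thing,
that decrypting a cookie does not authenticate it. Textbook RSA over
two fixed Mersenne primes is used only so the script runs with the
standard library; it is not a usable cipher.
"""
import hashlib
import hmac
import json

# Fixed primes so the run is deterministic (2**521-1 and 2**607-1 are
# Mersenne primes). A real key pair would come from a vetted library.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

PUBLIC_KEY = (N, E)    # what every TLS client learns from the server certificate
PRIVATE_KEY = (N, D)   # held only by the portal/gateway

# Secret shared by portal and gateway, never present in any certificate.
# Constructed demo value; a deployment would provision its own.
COOKIE_MAC_KEY = b"demo-only shared MAC key"
TAG_LEN = hashlib.sha256().digest_size


def rsa_encrypt(pub, data):
    n, e = pub
    m = int.from_bytes(data, "big")
    if m >= n:
        raise ValueError("cookie too long for this toy modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, cookie):
    n, d = priv
    m = pow(cookie, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def _claims(user, domain):
    # JSON starts with '{', so the plaintext never has a leading zero byte
    return json.dumps({"user": user, "domain": domain}, sort_keys=True).encode()


# --- flawed design: the gateway decrypts and believes the contents ---------

def issue_cookie_vulnerable(pub, user, domain):
    """Portal: encrypt the claims to the gateway's public key. Nothing more."""
    return rsa_encrypt(pub, _claims(user, domain))


def accept_cookie_vulnerable(priv, cookie):
    """Gateway: decrypt, parse, trust. Returns (user, domain) or None."""
    try:
        claims = json.loads(rsa_decrypt(priv, cookie))
        return claims["user"], claims["domain"]
    except (ValueError, KeyError, TypeError):
        return None


def forge_cookie(pub, user, domain):
    """Attacker: the very same operation as the portal, using only the
    public key that the gateway's TLS certificate hands to every client."""
    return rsa_encrypt(pub, _claims(user, domain))


# --- hardened design: authenticate before trusting ------------------------

def issue_cookie_hardened(pub, mac_key, user, domain):
    body = _claims(user, domain)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return rsa_encrypt(pub, body + tag)


def accept_cookie_hardened(priv, mac_key, cookie):
    """Gateway: reject anything whose MAC does not verify, before parsing."""
    try:
        plain = rsa_decrypt(priv, cookie)
    except ValueError:
        return None
    if len(plain) <= TAG_LEN:
        return None
    body, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(body)
        return claims["user"], claims["domain"]
    except (ValueError, KeyError, TypeError):
        return None


if __name__ == "__main__":
    forged = forge_cookie(PUBLIC_KEY, "admin", "local")
    print("vulnerable gateway:", accept_cookie_vulnerable(PRIVATE_KEY, forged))
    print("hardened gateway:  ", accept_cookie_hardened(PRIVATE_KEY, COOKIE_MAC_KEY, forged))
    real = issue_cookie_hardened(PUBLIC_KEY, COOKIE_MAC_KEY, "alice", "corp")
    print("hardened, genuine: ", accept_cookie_hardened(PRIVATE_KEY, COOKIE_MAC_KEY, real))
```

The second half is the point: the cure is not a different encryption key but an authenticity check using material that is never public, either an HMAC under a portal/gateway shared secret as here, or a signature under the portal's private key. Either way the attacker, who holds only what the TLS certificate exposes, can no longer produce a cookie the gateway will accept, and the check runs before any claim inside the cookie is parsed.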

VPN Infrastructure Remains a Prime Target

The incident is the latest reminder that VPN infrastructure continues to serve as one of the most attractive targets for cybercriminals, ransomware groups, and state-sponsored hackers.

Since the COVID-19 pandemic accelerated remote work adoption, VPN gateways have become essential components of enterprise security architecture. However, their internet-facing nature makes them high-value entry points for attackers seeking initial access into corporate environments.

Over the past several years, vulnerabilities affecting VPN vendors including Palo Alto Networks, Ivanti, Fortinet, and Cisco have repeatedly enabled widespread cyber intrusions.

In many cases, attackers exploit these flaws within days — or even hours — of public disclosure.

VPN appliances are particularly dangerous targets because the appliance itself runs no endpoint detection agent: a successful exploit produces no EDR telemetry and delivers network-level access directly.

Once an attacker successfully authenticates through a VPN appliance, they effectively appear as a trusted internal user, dramatically complicating detection efforts.

Attack Infrastructure Linked to Cloud Hosting Providers

Rapid7’s investigation also shed light on the infrastructure used during the exploitation attempts.

Researchers said the first wave of attacks originated from servers hosted by cloud provider Vultr. A second wave was later traced to infrastructure associated with Dromatics Systems.

The use of rented cloud infrastructure has become increasingly common among sophisticated cybercriminal groups because it allows attackers to rapidly rotate servers, obscure attribution, and blend malicious traffic into otherwise legitimate cloud-hosted activity.

Although attribution remains unclear, researchers noted that the exploitation patterns resembled rapid opportunistic scanning campaigns frequently associated with financially motivated threat actors.

Once public exploit code becomes available, broader exploitation often follows quickly as less sophisticated attackers adopt the techniques.

CISA Adds Flaw to Known Exploited Vulnerabilities List

The seriousness of the threat escalated further after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog.

The KEV catalog lists vulnerabilities for which CISA has reliable evidence of active exploitation and for which a clear remediation exists; it is treated as the shortlist of flaws most dangerous to government and critical infrastructure systems.

Under Binding Operational Directive 22-01, federal civilian executive branch agencies must remediate the flaw by June 1, 2026.

Inclusion in the KEV list often signals elevated concern among federal cybersecurity officials and typically prompts broader patching efforts across both public and private sectors.

Cybersecurity professionals frequently monitor the KEV catalog because vulnerabilities added to the list are often targeted aggressively by ransomware groups and nation-state operators.

Organizations Urged to Patch Immediately

Palo Alto Networks and third-party researchers are strongly urging organizations to immediately install the latest PAN-OS security updates.

Security teams are also advised to audit GlobalProtect configurations for certificate reuse between the HTTPS service and the authentication override feature, and to disable authentication override cookies where possible. Replacing the authentication override certificate has a further benefit: any cookie an attacker has already forged against the old public key will no longer decrypt, so it cannot be replayed against a gateway that has switched keys.

Organizations unable to patch immediately should implement temporary mitigations, including:

  • Disabling authentication override functionality
  • Using a dedicated certificate for authentication override cookies, distinct from the certificate that serves HTTPS
  • Restricting VPN exposure through network segmentation
  • Monitoring VPN authentication logs for anomalies, especially cookie-based logins with no preceding credential login
  • Reviewing administrator account activity, since a forged cookie can name a local administrator account
  • Conducting threat hunts for unauthorized VPN sessions
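For the monitoring and threat-hunting items above, an added example (not from the article, Rapid7 or Palo Alto Networks) of one hunt that follows directly from how the flaw works: a genuine authentication override cookie exists only because the same user first logged in with credentials, so a cookie login with no preceding credential login, or one arriving from a different source than that login, is the sequence a forged cookie would produce. The log sample is constructed; its column names, the `auth-override-cookie` label and the local admin list are assumptions, so map them onto the fields your own GlobalProtect log export actually carries, and make sure both portal and gateway authentication events are in the dataset, since the credential login and the cookie login may be recorded by different components.

```python
"""Hunt for cookie-based VPN logins that have no backing credential login.

Added example over a constructed log sample: the record layout, column
names and the 'auth-override-cookie' label are stand-ins chosen for this
demo, not the PAN-OS GlobalProtect log schema, so map them onto your own
export before use.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample, not real telemetry.
SAMPLE_LOG = """\
time,user,auth_method,source_ip,status
2026-05-16T08:02:11,alice,password-mfa,203.0.113.10,success
2026-05-16T08:03:40,alice,auth-override-cookie,203.0.113.10,success
2026-05-17T03:14:05,admin,auth-override-cookie,198.51.100.77,success
2026-05-17T03:15:22,bob,auth-override-cookie,198.51.100.77,success
2026-05-17T09:30:00,bob,password-mfa,192.0.2.25,success
2026-05-17T09:31:10,bob,auth-override-cookie,192.0.2.25,success
"""

LOCAL_ADMIN_ACCOUNTS = {"admin"}   # assumption: fill with your own local accounts
LOOKBACK = timedelta(days=7)       # assumption: should match the configured cookie lifetime
COOKIE_METHOD = "auth-override-cookie"


def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def suspicious_cookie_logins(rows, local_admins=LOCAL_ADMIN_ACCOUNTS, lookback=LOOKBACK):
    """Return [(row, reasons)] for cookie logins worth a closer look.

    A genuine override cookie is only ever issued after a credential login,
    so a cookie login with no earlier password/MFA success for that user in
    the lookback window, or from a different source than that login, does
    not fit the normal sequence. Local administrator accounts are flagged
    outright because the flaw lets an attacker impersonate them directly.
    """
    last_cred = {}   # user -> (time, source_ip) of most recent credential login
    findings = []
    for row in sorted(rows, key=lambda r: r["time"]):
        if row["status"] != "success":
            continue
        if row["auth_method"] != COOKIE_METHOD:
            last_cred[row["user"]] = (row["time"], row["source_ip"])
            continue
        reasons = []
        prior = last_cred.get(row["user"])
        if prior is None or row["time"] - prior[0] > lookback:
            reasons.append("no credential login in lookback window")
        elif prior[1] != row["source_ip"]:
            reasons.append("source %s differs from credential login source %s"
                           % (row["source_ip"], prior[1]))
        if row["user"] in local_admins:
            reasons.append("local administrator account")
        if reasons:
            findings.append((row, reasons))
    # One source producing unexplained cookie logins for several different
    # users is the pattern a forged-cookie campaign would leave behind.
    users_per_source = {}
    for row, _ in findings:
        users_per_source.setdefault(row["source_ip"], set()).add(row["user"])
    for row, reasons in findings:
        others = users_per_source[row["source_ip"]] - {row["user"]}
        if others:
            reasons.append("same source also used for %s" % ", ".join(sorted(others)))
    return findings


if __name__ == "__main__":
    for row, reasons in suspicious_cookie_logins(parse_log(SAMPLE_LOG)):
        print(row["time"].isoformat(), row["user"], row["source_ip"], "|", "; ".join(reasons))
```

On the sample, alice's and bob's later cookie logins are explained by a credential login minutes earlier from the same address and are not reported; the two early-morning cookie logins from 198.51.100.77, one as the local admin and one as bob with no credential login at all, are. Shrinking the lookback to less than the real cookie lifetime will produce false positives, so tie it to the lifetime actually configured on the portal.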

Internet-exposed VPN infrastructure is routinely scanned by attackers within minutes of vulnerability disclosures.

Organizations should assume that any vulnerable device exposed online will eventually be targeted.

Broader Concerns Over Enterprise Edge Security

The incident has reignited broader concerns about enterprise edge security and the increasing concentration of critical trust functions inside externally exposed appliances.

Modern firewall and VPN platforms frequently combine authentication, certificate management, web services, remote access, and traffic inspection into a single device. While operationally convenient, security researchers argue that this architectural consolidation increases systemic risk.

When edge appliances fail, they fail catastrophically: a single authentication bypass can expose the entire internal network.

Attackers increasingly prioritize edge devices because they often operate outside traditional endpoint visibility and are patched less frequently than operating systems or desktop applications.

Recent years have seen a surge in attacks targeting edge infrastructure, with VPN vulnerabilities repeatedly serving as the initial foothold for ransomware operations, espionage campaigns, and data theft incidents.

Rising Pressure on Security Teams

The Palo Alto incident also illustrates the mounting pressure faced by enterprise security teams struggling to respond to a relentless stream of critical vulnerabilities.

Organizations must now manage increasingly compressed timelines between disclosure and active exploitation.

According to multiple cybersecurity studies, the average “time-to-exploit” for public vulnerabilities has dropped dramatically over the past decade, with some flaws weaponized in less than 24 hours.

Security leaders warn that defenders are increasingly operating in a reactive environment where patch management alone may no longer provide sufficient protection.

As exploitation activity continues to expand, cybersecurity experts expect intensified scanning of internet-facing PAN-OS devices worldwide in the coming days.

For organizations relying on GlobalProtect VPN systems, the window for preventative action may be rapidly closing.

National Cyber Security

FREE
VIEW