CVE-2026-0257 is an "Authentication Bypass" vulnerability in firewalls manufactured by Palo Alto Networks, identified in a Palo Alto Networks public disclosure dated May 13th and exploited in limited ways.
In addition to this, Palo Alto Networks stated that through "authentication probes," attackers were able to successfully forge cookies. However, Rapid7 determined that 8 out of 10 impacted Managed Detection Response customers had created an unauthorized VPN connection by accepting the cookie prior to completing a full VPN session.
Fortunately, Palo Alto Networks reported that there is no evidence of success in laterally moving from the device.
Background information on CVE-2026-0257:
CVE-2026-0257 occurred because Palo Alto's firewalls were using cookies without performing the required level of validation and integrity checking. Due to this lack of validation, remote unauthenticated attackers could bypass security restrictions and create an unauthorized VPN connection.
CVE-2026-0257 affects Palo Alto Networks' physical and virtual firewalls utilizing PAN-OS software (which includes the GlobalProtect portal and gateway), as well as Prisma Access.
GlobalProtect is a remote access VPN solution developed by Palo Alto Networks, built into PAN-OS and integrated within the client-side component of Prisma Access. In other words, GlobalProtect utilizes PAN-OS firewall capabilities delivered as a service in the cloud as part of Prisma Access.
"This issue impacts firewalls where the GlobalProtect portal or gateway is configured if authentication override cookies are enabled and a specific certificate configuration exists," states Palo Alto Networks in the Security Advisory.
The authentication override feature provides authenticated users with cookies so they do not need to enter credentials on each connection. When a user obtains a certificate to encrypt and decrypt these cookies, that certificate is at times the same certificate used for the portal or gateway's HTTPS service, per Rapid7.
If a specific certificate configuration is present on the server side, an attacker can acquire the public key simply by accessing the HTTPS service and use it to forge a valid authentication override cookie, since the server decrypts and trusts the cookie content with no signature verification.
Exploit details:
Analysts at Rapid7 discovered two exploitation waves. The first wave began on May 17, 2026, and the second wave was discovered on May 21. Due to a consistent spoofed MAC address observed in both waves, Rapid7 believes both waves of exploitation are likely from the same threat actor.
Rapid7 provided indicators of compromise along with a proof-of-concept script defenders may use to determine if an appliance is susceptible to CVE-2026-0257.
Customers of Palo Alto that have not upgraded to a patched version should do so right away. Otherwise, disabling the authentication override feature or generating a new certificate used solely for the authentication override feature will reduce the likelihood of an attack against an appliance.
CISA added CVE-2026-0257 to their Known Exploited Vulnerabilities Catalog and has directed all US federal civilian agencies to remediate CVE-2026-0257 by June 1st, 2026. Rapid7 has noted their findings and released a proof-of-concept script on GitHub.