
Palo Alto Networks has warned that a medium-severity security flaw affecting PAN-OS and Prisma Access has recently been disclosed and is being exploited in the wild.
This vulnerability is tracked as CVE-2026-0257 (CVSS score: 7.8) and is an authentication bypass that a malicious attacker can exploit to establish a VPN connection.
“An authentication bypass vulnerability in the GlobalProtect Portal and Gateway in Palo Alto Networks PAN-OS® software could allow an attacker to bypass security restrictions and establish unauthorized VPN connections,” Palo Alto Networks said in an advisory released on May 13, 2026.
The network security company said this issue specifically affects firewalls on which the GlobalProtect portal or gateway is configured when authentication override cookies are enabled and certain certificate configurations are present.
In a May 29, 2026 advisory update, Palo Alto Networks said it was “aware of limited exploitation attempts against unmitigated and unpatched PAN-OS devices.”
The development comes after Rapid7 revealed it had identified successful exploitation across a number of customers, with the first attempts dating back to May 17, 2026, followed by a second wave on May 21. Both waves are believed to be the work of the same threat actor.
Activity observed in the second wave included cookie-based authentication followed by VPN IP assignment in two cases, granting the attackers access to internal networks. The cybersecurity vendor added that no further activity was observed in the customer environment where the VPN session was established.
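The second-wave pattern described above, cookie-based authentication followed by a VPN IP assignment, is a sequence a defender can hunt for in GlobalProtect logs. The following is an added example, not code from the article, Rapid7 or Palo Alto Networks; the record layout, the event and field names (`gateway-auth`, `gateway-config-release`, `auth_method`, `private_ip`) and the sample values are constructed assumptions rather than PAN-OS's exact log schema.

```python
# Added example: flag cookie-based GlobalProtect logins that were not backed by a
# recent credential-based login for the same user and that went on to receive a VPN IP.
from datetime import datetime, timedelta

# Constructed sample records (field names are assumptions, not the PAN-OS log schema).
# alice: normal flow, credential login then cookie re-auth.  bob: cookie auth with no prior
# credential login, then a VPN IP is handed out, the pattern described in the article.
SAMPLE_EVENTS = [
    {"ts": "2026-05-21T08:00:00", "event": "gateway-auth", "user": "alice",
     "src": "203.0.113.10", "auth_method": "LDAP"},
    {"ts": "2026-05-21T08:00:05", "event": "gateway-auth", "user": "alice",
     "src": "203.0.113.10", "auth_method": "cookie"},
    {"ts": "2026-05-21T08:00:06", "event": "gateway-config-release", "user": "alice",
     "src": "203.0.113.10", "private_ip": "10.8.0.12"},
    {"ts": "2026-05-21T09:15:00", "event": "gateway-auth", "user": "bob",
     "src": "198.51.100.7", "auth_method": "cookie"},
    {"ts": "2026-05-21T09:15:02", "event": "gateway-config-release", "user": "bob",
     "src": "198.51.100.7", "private_ip": "10.8.0.40"},
]


def find_suspicious_cookie_logins(events, window=timedelta(hours=24)):
    """Return (user, src, private_ip) tuples for cookie authentications that had no
    credential-based authentication for the same user within `window` and that were
    followed by a VPN IP assignment from the same user/source pair.

    Caveat: a legitimate user whose last credential login predates the log window
    will also be flagged, so treat hits as leads to triage, not confirmed compromise."""
    events = sorted(events, key=lambda e: e["ts"])
    last_cred_auth = {}   # user -> time of most recent non-cookie authentication
    pending = {}          # (user, src) -> time of an unbacked cookie authentication
    findings = []
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        key = (e["user"], e["src"])
        if e["event"] == "gateway-auth":
            if e["auth_method"] != "cookie":
                last_cred_auth[e["user"]] = ts
                pending.pop(key, None)
            else:
                prior = last_cred_auth.get(e["user"])
                if prior is None or ts - prior > window:
                    pending[key] = ts
        elif e["event"] == "gateway-config-release" and key in pending:
            findings.append((e["user"], e["src"], e["private_ip"]))
            del pending[key]
    return findings
```

Run against the constructed records this returns only bob's session; a cookie re-auth that follows a recent credential login, like alice's, is not reported.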
“Authentication bypass on edge-facing enterprise VPN appliances can have a significant impact on affected organizations,” Rapid7 said. “As a result, organizations running affected appliances are urged to urgently upgrade to vendor-provided patches.”
As a temporary mitigation, users are advised to disable the Authentication Override feature or to generate a new certificate used exclusively for the Authentication Override feature.
The exploitation of CVE-2026-0257 follows Arctic Wolf's reporting that a critical, now-patched security flaw affecting FortiClient Endpoint Management Server (EMS) deployments (CVE-2026-35616, CVSS score: 9.1) continues to be weaponized to deliver credential-stealing malware known as EKZ Infostealer.
