Palo Alto VPN flaw under active exploitation as federal remediation deadline expires
Authentication bypass in GlobalProtect allows unauthenticated remote access to enterprise networks, with confirmed attacks across financial services and healthcare sectors since mid-May.
A critical authentication bypass vulnerability in Palo Alto Networks’ GlobalProtect VPN is being actively exploited to grant attackers unauthenticated access to enterprise networks, with federal agencies facing a remediation deadline today.
CVE-2026-0257, disclosed on May 13, allows attackers to forge authentication cookies and bypass VPN access controls entirely—including multi-factor authentication. Rapid7 confirmed the first wave of exploitation began May 17, just four days after public disclosure, with attacks originating from low-cost hosting providers including Vultr and Dromatics Systems.
The vulnerability affects PAN-OS versions 10.2.x through 11.1.x when GlobalProtect is configured with authentication override cookies enabled and the override certificate is shared with another service—typically HTTPS. Attackers retrieve the public key from exposed certificates and use it to mint valid authentication tokens, granting full VPN access without credentials.
Attack mechanics and scope
Rapid7’s managed detection and response team tracked two distinct exploitation waves. In the first, originating May 18 from Vultr infrastructure, attackers conducted authentication probes against 8 out of 10 affected customers. The second wave, launched May 21 from Dromatics Systems, escalated—some victims received full VPN IP assignments, granting attackers network-level access equivalent to authenticated users.
Both waves shared distinctive fingerprints: attackers used a spoofed MAC address (aa:bb:cc:dd:ee:ff) and generic machine names (GP-CLIENT, DESKTOP-GP01), indicating a single threat actor. No lateral movement was observed from compromised devices, per Bleeping Computer, though successful exploitation granted full network access through the VPN tunnel.
“An Authentication Bypass in an edge facing enterprise VPN appliance can have significant impact to affected organizations. As such, organizations running affected appliances are urged to upgrade to a vendor supplied patch on an urgent basis.”
— Rapid7 MDR
Palo Alto Networks Unit 42 identified targeted campaigns against high-value organizations in financial services and healthcare, according to Anavem. The sectors align with typical objectives for espionage or ransomware pre-positioning operations, though no follow-on payloads have been publicly confirmed.
Federal pressure and patch velocity
The Cybersecurity and Infrastructure Security Agency added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, mandating federal civilian agencies remediate by June 1—today. The 19-day window between disclosure and the federal deadline proved insufficient for many organizations, given the complexity of patching production VPN infrastructure.
Palo Alto Networks released patches for affected versions in the May 13 advisory, but the four-day gap between disclosure and active exploitation underscores the compressed timeline for defensive action. Palo Alto Networks noted that the vulnerability requires a specific misconfiguration—authentication override certificates shared across services—but this setup is common in enterprise deployments where administrators reuse certificates for operational simplicity.
Mitigation and detection
Organizations unable to patch immediately should disable authentication override cookies on GlobalProtect portals and gateways, or ensure override certificates are not shared with other services. Rapid7 published detection rules targeting the characteristic MAC address and machine names used in observed attacks.
- Spoofed MAC address: aa:bb:cc:dd:ee:ff
- Machine names: GP-CLIENT, DESKTOP-GP01
- VPN connections without corresponding authentication logs
- Originating IPs from Vultr, Dromatics Systems infrastructure
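The indicators above can be applied to gateway logs by correlating each established tunnel with a preceding successful portal login. The following is an added example, not Rapid7's published rules or any Palo Alto Networks code; it uses a constructed, simplified key=value log format rather than real PAN-OS output, and the five-minute login-to-tunnel window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value format
# (not real PAN-OS output): an "auth" line per portal login and a
# "vpn" line per gateway tunnel established.
SAMPLE_LOGS = """\
2026-05-21T10:02:11Z auth user=alice src=203.0.113.5 result=success mfa=ok
2026-05-21T10:02:14Z vpn user=alice src=203.0.113.5 mac=3c:22:fb:10:aa:01 host=ALICE-LAPTOP assigned=10.8.0.12
2026-05-21T10:15:40Z vpn user=bob src=198.51.100.77 mac=AA:BB:CC:DD:EE:FF host=GP-CLIENT assigned=10.8.0.13
2026-05-21T09:00:00Z auth user=carol src=198.51.100.80 result=success mfa=ok
2026-05-21T10:31:05Z vpn user=carol src=198.51.100.80 mac=9c:5a:44:01:02:03 host=DESKTOP-GP01 assigned=10.8.0.14
2026-05-21T10:45:00Z auth user=dave src=203.0.113.9 result=success mfa=ok
2026-05-21T10:45:02Z vpn user=dave src=203.0.113.9 mac=00:11:22:33:44:55 host=DAVE-PC assigned=10.8.0.15
"""

SPOOFED_MACS = {"aa:bb:cc:dd:ee:ff"}              # MAC reported in the observed attacks
SUSPICIOUS_HOSTS = {"GP-CLIENT", "DESKTOP-GP01"}  # generic machine names reported
AUTH_WINDOW = timedelta(minutes=5)                # assumed max gap between login and tunnel
KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Split one constructed log line into a dict of its fields."""
    ts, kind, rest = line.split(maxsplit=2)
    ev = {"ts": datetime.fromisoformat(ts.rstrip("Z")), "kind": kind}
    ev.update(KV.findall(rest))
    return ev

def find_suspicious(log_text):
    """Return (user, src, reasons) for every tunnel that matches an indicator."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    logins = [e for e in events if e["kind"] == "auth" and e.get("result") == "success"]
    findings = []
    for e in events:
        if e["kind"] != "vpn":
            continue
        reasons = []
        if e.get("mac", "").lower() in SPOOFED_MACS:
            reasons.append("spoofed MAC")
        if e.get("host") in SUSPICIOUS_HOSTS:
            reasons.append("suspicious machine name")
        # A forged override cookie produces a tunnel with no recent successful
        # login (and hence no MFA record) for that user from that source address.
        if not any(a["user"] == e["user"] and a["src"] == e["src"]
                   and timedelta(0) <= e["ts"] - a["ts"] <= AUTH_WINDOW for a in logins):
            reasons.append("no matching authentication event")
        if reasons:
            findings.append((e["user"], e["src"], reasons))
    return findings

if __name__ == "__main__":
    for user, src, reasons in find_suspicious(SAMPLE_LOGS):
        print(f"{user}@{src}: {', '.join(reasons)}")
```

Carol's tunnel is flagged even though a login exists for her, because it falls outside the assumed window; tune AUTH_WINDOW to the portal-to-gateway timing seen in your own environment.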
The vulnerability does not require exploit code—attackers need only retrieve the public certificate from the HTTPS service and craft a valid authentication override cookie. The Hacker News reported that proof-of-concept code circulated in private channels within days of disclosure, accelerating the exploitation timeline.
What to watch
Expect follow-on campaigns as threat actors weaponize the vulnerability against unpatched deployments. Federal agencies face immediate compliance pressure, but private sector organizations—particularly in financial services and healthcare—remain at elevated risk. Monitor for VPN authentication anomalies, particularly connections lacking corresponding MFA logs. The compressed timeline between disclosure and widespread exploitation establishes CVE-2026-0257 as a litmus test for enterprise patch velocity under active threat conditions.