PAN-OS GlobalProtect flaw exploited in the wild

Threat actors are actively exploiting a recently patched security flaw in Palo Alto Networks' PAN-OS GlobalProtect software to target corporate networks.

The now-fixed vulnerability, tracked as CVE-2026-0257, allows attackers to bypass authentication and establish unauthorized VPN connections on affected devices. In its security advisory, Palo Alto Networks said that it “has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied.”

Security company Rapid7 said it observed exploitation attempts against numerous customers beginning on May 17, 2026. While attackers successfully exploited the flaw in multiple cases, Rapid7 found no evidence that they were able to move deeper into affected networks.

According to researchers, the attacks used forged authentication override cookies to impersonate local administrator accounts. Rapid7 first detected activity from infrastructure hosted by Vultr on May 18, followed by a second wave of attacks originating from Dromatics Systems on May 21.

In some incidents, attackers were able to gain VPN access to internal networks using the forged cookies. However, many attempts failed to establish a full VPN session despite the devices accepting the malicious cookies.

Rapid7 found that affected devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed attackers to create valid forged cookies. The issue stems from how PAN-OS validates the cookies after decrypting them.

Researchers explained that if the same certificate is used for both HTTPS services and authentication override cookies, attackers can obtain the public key from the HTTPS service and use it to generate forged cookies that the device will trust.
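As an added illustration (not code from Palo Alto Networks or from Rapid7's analysis), this Go model shows the flaw class the researchers describe: a verifier that treats successful decryption as proof of origin can be satisfied by anyone holding the public key, and a device that serves that same key in its HTTPS certificate hands it out. The signed variant shows the property the override-cookie key material needs instead. Token contents, key sizes and function names are all constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed toy model of an override token naming the account it grants (not the PAN-OS cookie format).
// weakVerify decrypts with the device's private key and trusts the name that comes out. Minting such a
// token needs only the public key, which the HTTPS portal publishes when both services share one certificate.
func weakVerify(priv *rsa.PrivateKey, token []byte) (string, bool) {
	user, err := rsa.DecryptOAEP(sha256.New(), nil, priv, token, nil)
	return string(user), err == nil
}

// mintWithPublicKey: any holder of the public key can make a token weakVerify accepts.
func mintWithPublicKey(pub *rsa.PublicKey, user string) []byte {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(user), nil)
	if err != nil {
		panic(err)
	}
	return ct
}

// issueSigned and strongVerify model the property the device needs: acceptance
// rests on a secret only the device holds, so knowing every published key
// (the TLS certificate included) is not enough to mint a valid token.
func issueSigned(priv *rsa.PrivateKey, user string) []byte {
	h := sha256.Sum256([]byte(user))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, h[:], nil)
	if err != nil {
		panic(err)
	}
	return sig
}

func strongVerify(pub *rsa.PublicKey, user string, sig []byte) bool {
	h := sha256.Sum256([]byte(user))
	return rsa.VerifyPSS(pub, crypto.SHA256, h[:], sig, nil) == nil
}

func main() {
	device, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, weakOK := weakVerify(device, mintWithPublicKey(&device.PublicKey, "admin"))
	fmt.Println("weak check accepts a token minted with the public key alone:", weakOK) // true
	fmt.Println("strong check accepts the device's own token:", strongVerify(&device.PublicKey, "admin", issueSigned(device, "admin"))) // true
}
```

The practical reading for defenders is the one the article gives: the cookie mechanism must not depend on key material that the portal already publishes, which is why the certificate configuration matters as much as the patch.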

Organizations using PAN-OS GlobalProtect are urged to apply security updates and review their authentication override cookie configurations to reduce the risk of compromise.