Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
Recorded: May 30, 2026, 6:03 p.m.
Original

Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
By Lawrence Abrams, May 30, 2026

Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks.

Summarized
Palo Alto Networks has issued a warning regarding an authentication bypass flaw, tracked as CVE-2026-0257, affecting the PAN-OS GlobalProtect feature, which is currently being exploited in attacks aimed at breaching corporate networks. The vulnerability allows an attacker to bypass existing security restrictions and establish unauthorized Virtual Private Network connections through the GlobalProtect portal and gateway. Although the flaw was initially rated as Medium severity because it required specific configurations regarding authentication override cookies and certificate settings, Palo Alto Networks subsequently escalated the advisory to High severity after determining that the vulnerability was being actively exploited against unpatched devices. Rapid7 observed successful exploitation attempts across numerous customer environments, with the earliest reported exploitation detected on May 17, 2026. The attacks involved hackers successfully authenticating to GlobalProtect gateways by using forged authentication override cookies that targeted the local administrator account. Investigations indicated that in many instances the appliance accepted the forged cookie but the attackers were unable to establish a full VPN session; even so, the potential for unauthorized access was clearly demonstrated. The research indicates that the flaw originates from PAN-OS's handling of authentication override cookies: the device decrypts these cookies using a configured private key and trusts the decrypted contents without performing the necessary signature verification. A critical aspect of the flaw is the potential for certificate reuse: if the same certificate is used for both HTTPS services and authentication override cookies, attackers can obtain the corresponding public key from the HTTPS session and use it to create forged cookies that the device will accept as legitimate credentials.
Researchers developed a proof-of-concept exploit demonstrating this mechanism. It illustrates how an attacker can retrieve the public certificates exposed by a GlobalProtect portal or gateway, generate forged authentication override cookies for an arbitrary user, and authenticate to an unpatched gateway without possessing valid credentials. This finding highlights a fundamental weakness in the trust model for these cookies. Consequently, organizations using GlobalProtect VPN devices are strongly advised to apply the latest security updates immediately. Administrators can also mitigate the issue either by disabling the authentication override feature entirely or by configuring the system to use a different certificate, so that the certificate used for authentication override is not shared with any other service on the device. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating that federal agencies mitigate the flaw by June 1, 2026.
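The trust-model weakness described above (decrypt with the private key, then trust the contents) beside the check that closes it, as an added Go example that is not Palo Alto's code and does not reproduce the PAN-OS cookie format; the cookie layout, the function names and the separate Ed25519 signing key are assumptions of this model.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Cookie is a constructed model (not the PAN-OS format): encrypted payload plus signature.
type Cookie struct {
	Payload, Sig []byte
}
// Gateway: an RSA key whose public half HTTPS exposes, plus a signing key that never leaves the box.
type Gateway struct {
	enc  *rsa.PrivateKey
	sign ed25519.PrivateKey
}
// NewGateway generates fresh keys; generation failure is fatal in this example.
func NewGateway() *Gateway {
	enc, err := rsa.GenerateKey(rand.Reader, 2048)
	_, sign, err2 := ed25519.GenerateKey(rand.Reader)
	if err != nil || err2 != nil {
		panic("key generation failed")
	}
	return &Gateway{enc: enc, sign: sign}
}

// EncryptUser needs only the public key: anyone holding the certificate can build this payload.
func EncryptUser(pub *rsa.PublicKey, user string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(user), nil)
}

// Issue is the legitimate path: the gateway encrypts and then signs.
func (g *Gateway) Issue(user string) (Cookie, error) {
	p, err := EncryptUser(&g.enc.PublicKey, user)
	return Cookie{Payload: p, Sig: ed25519.Sign(g.sign, p)}, err
}
// AcceptDecryptOnly is the flawed check: decrypt and trust whatever comes out.
func (g *Gateway) AcceptDecryptOnly(c Cookie) (string, bool) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, g.enc, c.Payload, nil)
	return string(plain), err == nil
}
// AcceptVerified is the fixed check: refuse anything not signed by the gateway's own key.
func (g *Gateway) AcceptVerified(c Cookie) (string, bool) {
	if !ed25519.Verify(g.sign.Public().(ed25519.PublicKey), c.Payload, c.Sig) {
		return "", false
	}
	return g.AcceptDecryptOnly(c)
}
```

A payload built from nothing but the exposed public key passes the decrypt-only check and fails the verified one, which is why the advisory's advice to stop sharing the certificate matters until the patch is applied.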