RSS

Palo Alto VPN bug graduates from advisory to active exploitation

Bender1 pts0 comments

Palo Alto VPN bug graduates from advisory to active exploitation

Jump to main content

Search

REG AD

Cyber-crime

Palo Alto VPN bug graduates from advisory to active exploitation

Rapid7: Attackers exploit authentication bypass flaw in the wild, meaning more emergency patching for PAN-OS users

Carly Page

Carly<br>Page

Published<br>mon 1 Jun 2026 // 13:15 UTC

Palo Alto customers are being been told to patch yet another internet-facing security flaw after researchers caught attackers bypassing GlobalProtect authentication and gaining unauthorized VPN access.<br>The flaw, tracked as CVE-2026-0257, affects PAN-OS deployments using GlobalProtect authentication override cookies under specific configurations.<br>Palo Alto disclosed the bug on May 13 and initially assigned it a medium-severity rating, saying it was aware of attempts to exploit it but had not observed any malicious exploitation.

REG AD

That assessment has not aged well.

REG AD

Security boffins at Rapid7 said they observed successful exploitation across multiple customer environments dating back to at least May 17 and validated the attack technique using its own proof-of-concept testing. Attackers established unauthorized VPN sessions on vulnerable systems, potentially granting access to internal corporate networks without legitimate credentials, it added.<br>Rapid7's analysis suggests the flaw comes down to how PAN-OS trusts authentication override cookies. In certain deployments, hackers can create their own cookies and have the firewall accept them as legitimate. The risk is highest where the same certificate is used for both HTTPS services and authentication override cookies, giving the baddies access to the information needed to generate convincing fakes.

MORE CONTEXT

Dutch cops wrest 17M devices from mystery botnet's clutches

Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops

ChatGPT blindly trusts browser content, turning the page into a payload

State-backed hackers hammer Palo Alto firewall zero-day before patch lands

Rapid7 said it observed multiple waves of activity targeting vulnerable devices. In some cases, cybercrims successfully obtained VPN IP addresses and network access, but the company said it didn’t observe evidence of successful lateral movement following initial access in the incidents it investigated.<br>The flaw has now landed in CISA's Known Exploited Vulnerabilities catalog, with federal agencies given until June 1 to patch or otherwise secure affected systems. Palo Alto has also revised its advisory, elevating the severity rating and attaching its highest urgency label. Fixes are available for supported releases.<br>"Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," the firm said in an update.<br>The latest PAN-OS headache arrives less than a month after another Palo Alto emergency. In May, state-backed attackers were found exploiting CVE-2026-0300, a critical remote code execution flaw in the PAN-OS User-ID Authentication Portal, before patches became widely available.<br>Organizations running vulnerable GlobalProtect gateways now face a familiar choice: patch quickly or find out whether someone else gets there first.®

palo alto<br>globalprotect<br>authentication bypass<br>cyber-crime<br>pan-os<br>security

REG AD

SPONSORED LINKS<br>Building the New Trust Architecture for AI - June 4, 10am PT

AI + ML

Anthropic, now atop the AI bubble, files for its IPO

First it tops OpenAI's valuation, then it beats Altman to the IPO punch

Systems

US firms still dominate chip subsidies

China's support is greater relative to semiconductor industry revenue

PARTNER CONTENT

AI and data sovereignty in Postgres: An answer to the datacenter energy crisis

A billion AI agents walk into a power grid

DevOps

Agentic AI arrives for Delphi and C++ Builder

Kai is an extension for RAD Studio (Delphi and C++ Builder) that integrates with external AI providers

SaaS

AWS reportedly to tuck Elon Musk's Grok into Bedrock, despite zero enterprise demand

The energy drink of frontier models

On-Prem

Ohio hits pause on datacenter tax breaks draining its coffers

Buckeye State found it had inadvertently joined the billion dollar losers' club

MOST POPULAR

AI + ML

Netflix wiz creates app to slash AI bills, then open sources it

AI + ML

Google has seriously leaned into AI enshittification lately

Security

Disgruntled 0-day hunter 'humiliated' by Microsoft pledges 'bone shattering drop' as Redmond calls cops

Security

Anthropic to release Mythos-class models to the public

Security

Troops’ phones gave away location data to foreign adversaries

EVENTS

Overcoming the trade-offs in data sovereignty

What does data sovereignty actually mean for your network, which trade-offs are unavoidable? Learn more.

From Prompt to Exploit: How LLMs Are Changing API Attacks

Modern applications are API-driven, interconnected, and often over-permissioned, making...

palo alto authentication flaw security from

Related Articles

The Newest Instagram "Exploit" Is the Goofiest I've Seen

ssiddharth34 ptsaccount attacker email instagram seen like

It's Not Just X. It's Y

mooreds21 ptslanguage model writing like grammarly human

Amazon, Facebook, FBI have access to a private intelligence-sharing network

root-parent18 ptsseattle prism shield network private intelligence

Show HN: GoPeek – open links in live mini browser windows without new tabs

GeorgeWoff2518 ptsgopeek open browser links live mini

Agent Memory: An Anatomy

brgsk17 ptsmemory library user agent semantic libraries
terms · privacy · disclaimer · contact · policy
© 2026 NewsHub. All rights reserved.
This site is for informational purposes only. Content is aggregated from publicly available sources. We may earn commissions through affiliate links. Not affiliated with Y Combinator or Hacker News.