Palo Alto Networks and the Cybersecurity and Infrastructure Security Agency confirmed Monday that CVE-2026-0257, a critical authentication-bypass vulnerability in the GlobalProtect portal and gateway of PAN-OS, is being actively exploited in the wild. The flaw carries a CVSS score of 9.1 and has been added to CISA’s Known Exploited Vulnerabilities catalog with a federal civilian remediation deadline of June 1.

The technical mechanism is unusually clean. PAN-OS firewalls in vulnerable configurations rely on an authentication-override cookie that the system signs and validates. The vulnerability stems from configurations where the same HTTPS certificate used by the GlobalProtect portal is also used to sign the auth-override cookie. In those configurations, an unauthenticated remote attacker can derive the necessary signing material from the publicly accessible portal certificate, forge an auth-override cookie, and establish a VPN session as a legitimate user. No credentials are required.

The active-exploitation timeline is concerning. Rapid7 telemetry shows the earliest exploitation attempts on May 17, followed by a coordinated first wave on May 18 originating from Vultr infrastructure and targeting local administrator accounts. A second wave on May 21 came from infrastructure attributed to a group Rapid7 is tracking as Dromatics Systems. The targeting in both waves has been opportunistic — internet-facing GlobalProtect deployments rather than specific high-value targets — which is consistent with access-broker behavior rather than nation-state operations.

For enterprise security teams, the operational priority is patching. Palo Alto Networks has released fixed PAN-OS versions across the supported branches. For environments that cannot patch immediately, two mitigations exist: disable the authentication-override feature entirely, or generate and deploy a dedicated certificate for the auth-override signing function that is distinct from the portal’s HTTPS certificate. Both mitigations work but are operationally painful in large-scale deployments.

Cloud NGFW and Panorama deployments are not affected. The vulnerability is specific to on-premises PAN-OS firewalls with the GlobalProtect portal and gateway configured in the vulnerable cookie-sharing setup. Organizations should also assume compromise on any internet-exposed GlobalProtect deployment that was unpatched for more than 24 hours after the May 17 telemetry, and should hunt for the specific indicators of compromise that Rapid7 and Palo Alto’s Unit 42 have published this week.
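One way to hunt for the credential-less sessions the mechanism above enables, as an added example that is neither the vendor's nor Rapid7's detection content: it assumes a constructed event format (timestamp, user, source, auth method) rather than PAN-OS's real GlobalProtect log layout, and flags override-cookie logins with no earlier credential login from the same user and source.

```python
"""Hunt heuristic for override-cookie VPN sessions that no credential login
backs. Added example: the event format below is CONSTRUCTED and is not
PAN-OS's real log format; the heuristic is not vendor detection content."""
from collections import defaultdict
from datetime import datetime

# Constructed sample events: timestamp, user, source IP, auth method.
SAMPLE_EVENTS = """\
2026-05-10T08:01:00 alice 198.51.100.10 credentials
2026-05-12T08:05:00 alice 198.51.100.10 override-cookie
2026-05-16T09:00:00 bob 203.0.113.7 credentials
2026-05-18T02:14:00 admin 192.0.2.44 override-cookie
2026-05-18T02:15:30 bob 192.0.2.44 override-cookie
2026-05-19T11:00:00 bob 203.0.113.7 override-cookie
"""

def parse_events(text):
    """Parse the constructed 'time user src method' lines, oldest first."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, src, method = line.split()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "src": src, "method": method})
    return sorted(events, key=lambda e: e["ts"])

def find_unbacked_cookie_sessions(events):
    """Override-cookie logins with no earlier credential login for the same
    (user, source) pair. A legitimately issued cookie follows an interactive
    login from that client; a forged one, per the advisory, needs none."""
    backed = set()
    hits = []
    for e in events:
        key = (e["user"], e["src"])
        if e["method"] == "credentials":
            backed.add(key)
        elif e["method"] == "override-cookie" and key not in backed:
            hits.append(e)
    return hits

def sources_touching_many_accounts(hits, threshold=2):
    """Sources whose unbacked sessions span several accounts: one client
    presenting cookies for multiple users is a strong triage lead."""
    by_src = defaultdict(set)
    for e in hits:
        by_src[e["src"]].add(e["user"])
    return {s: sorted(u) for s, u in by_src.items() if len(u) >= threshold}
```

Roaming clients that present a valid cookie from a new address will also surface, so treat hits as triage leads to correlate with the published indicators rather than as confirmed compromise.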

What to watch over the next two weeks: ransomware affiliate uptake of the exploit, particularly by groups whose playbooks already lean heavily on edge-device VPN authentication bypass. The Volt Typhoon and Akira clusters have both made extensive use of comparable vulnerabilities in prior campaigns, and the pattern argues for fast affiliate adoption of CVE-2026-0257.

Reporting based on Help Net Security, BleepingComputer, Rapid7, and Palo Alto Networks PSIRT advisories.