Rapid7’s managed detection and response team has confirmed active exploitation of the PAN-OS GlobalProtect authentication bypass across numerous customer environments, with VPN tunnels successfully established in the majority of targeted organizations.
In a threat advisory published following detection of two exploitation waves, Rapid7 confirmed that attackers successfully exploited CVE-2026-0257 in 8 out of 10 impacted MDR customers where VPN tunnel establishment was attempted. The first wave began May 17, originating from Vultr hosting infrastructure. A second wave followed on May 21, believed to be the same threat actor based on consistent MAC address patterns.
The attack chain observed by Rapid7 follows a consistent pattern: forged authentication override cookies are presented to GlobalProtect portals, which authenticate to local admin accounts. Successful authentication triggers VPN IP assignment, granting internal network access. POST requests to /ssl-vpn/hipreport.esp and /ssl-vpn/getconfig.esp establish the secure tunnel.
Notably, Rapid7 reported no confirmed lateral movement from compromised devices. This suggests either early-stage reconnaissance or that detection occurred before attackers could advance beyond initial access. However, organizations that remained unpatched between May 13 and their remediation date should assume potential compromise and audit for unauthorized VPN sessions consistent with the authentication bypass pattern.
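The audit described above can be scripted against exported GlobalProtect logs. The following is an added example and is not Rapid7's tooling or Palo Alto Networks code: it reads a constructed, generic key=value log format (the field names `src`, `user`, `auth`, `event`, `method`, `path` and `vpn_ip` are assumptions, not the real PAN-OS schema), groups events by source address and user, and reports sessions that match the chain the advisory describes: a local account authenticating through the portal, a VPN IP assignment, and POST requests to both `/ssl-vpn/hipreport.esp` and `/ssl-vpn/getconfig.esp`, all on or after May 13. Sessions that used a directory-backed (non-local) account, or that predate the exposure window, are left alone.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in a generic key=value format; NOT the real
# PAN-OS log schema. Addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
2026-05-17T03:12:44Z src=203.0.113.10 user=admin auth=local event=login
2026-05-17T03:12:45Z src=203.0.113.10 user=admin auth=local event=ip_assign vpn_ip=10.20.0.5
2026-05-17T03:12:46Z src=203.0.113.10 user=admin auth=local event=http method=POST path=/ssl-vpn/hipreport.esp
2026-05-17T03:12:47Z src=203.0.113.10 user=admin auth=local event=http method=POST path=/ssl-vpn/getconfig.esp
2026-05-17T08:01:02Z src=198.51.100.7 user=jsmith auth=ldap event=login
2026-05-17T08:01:03Z src=198.51.100.7 user=jsmith auth=ldap event=ip_assign vpn_ip=10.20.0.6
2026-05-17T08:01:04Z src=198.51.100.7 user=jsmith auth=ldap event=http method=POST path=/ssl-vpn/hipreport.esp
2026-05-17T08:01:05Z src=198.51.100.7 user=jsmith auth=ldap event=http method=POST path=/ssl-vpn/getconfig.esp
2026-05-10T11:00:00Z src=192.0.2.9 user=admin auth=local event=login
2026-05-10T11:00:01Z src=192.0.2.9 user=admin auth=local event=ip_assign vpn_ip=10.20.0.7
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")

# Tunnel-establishment endpoints named in the advisory.
TUNNEL_PATHS = {"/ssl-vpn/hipreport.esp", "/ssl-vpn/getconfig.esp"}
# Start of the window in which unpatched devices should be treated as exposed.
EXPOSURE_START = datetime(2026, 5, 13, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one 'TIMESTAMP key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(KV_RE.findall(m.group("kv")))
    rec["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def find_suspicious_sessions(log_text, exposure_start=EXPOSURE_START):
    """Return sessions matching: local-account login -> VPN IP assignment ->
    POST to both tunnel endpoints, with first activity inside the window."""
    sessions = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        key = (rec.get("src"), rec.get("user"))
        s = sessions.setdefault(
            key,
            {
                "src": key[0],
                "user": key[1],
                "auth": rec.get("auth"),
                "first_seen": rec["ts"],
                "events": set(),
                "paths": set(),
            },
        )
        s["first_seen"] = min(s["first_seen"], rec["ts"])
        s["events"].add(rec.get("event"))
        if rec.get("event") == "http" and rec.get("method") == "POST":
            s["paths"].add(rec.get("path"))

    findings = []
    for s in sessions.values():
        if s["first_seen"] < exposure_start:
            continue  # before the exposure window
        if s["auth"] != "local":
            continue  # directory-backed accounts are not the bypass target
        if "login" not in s["events"] or "ip_assign" not in s["events"]:
            continue  # no VPN access actually granted
        if not TUNNEL_PATHS <= s["paths"]:
            continue  # tunnel was not fully established
        findings.append(
            {
                "src": s["src"],
                "user": s["user"],
                "first_seen": s["first_seen"].isoformat(),
                "paths": sorted(s["paths"]),
            }
        )
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_sessions(SAMPLE_LOG):
        print(finding)
```

On the constructed sample this reports only the `203.0.113.10`/`admin` session; the `jsmith` session is an ordinary directory-authenticated VPN login, and the May 10 `admin` login falls before the exposure window. In practice, any VPN session authenticated to a local administrative account during the window deserves review even if the tunnel endpoints are missing from the export, so relaxing the `TUNNEL_PATHS` check is a reasonable tuning choice for a first pass.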
Source: Rapid7 Emergent Threat Response