CVE-2026-0257: Forged GlobalProtect Cookies Drop Attackers Inside Enterprise VPNs as CISA Deadline Hits Today
On May 17, 2026, Rapid7 began observing real attacks against the GlobalProtect portal and gateway in Palo Alto Networks PAN-OS. The bug is an authentication bypass that lets a remote, unauthenticated attacker forge an authentication override cookie and open a VPN tunnel without ever supplying a credential. It is tracked as CVE-2026-0257, carries a CVSS base score of 7.8, and is only exploitable when the customer has the authentication override feature enabled and the certificate used by that feature is also bound to another PAN-OS service such as the HTTPS management portal (Palo Alto Networks PSIRT, Rapid7). When those conditions line up, a forged cookie is accepted as if it came from a legitimate session. In a second wave of activity on May 21 some victims saw full VPN IP assignments handed out, which means the attacker landed on the internal network with a routable address (BleepingComputer).
CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026 and set a mandatory remediation deadline of June 1, today, for federal civilian executive branch agencies (CISA KEV). The vendor advisory lists PAN-OS 10.2.0 through 10.2.9, 11.0.0 through 11.0.4, and 11.1.0 through 11.1.2 as affected, with fixes in 10.2.10, 11.0.5, and 11.1.3 and later; for the longer support tracks the advisory names 10.2.18-h6, 11.1.15, 11.2.12, and 12.1.4-h6 or 12.1.7 (Palo Alto Networks PSIRT). Rapid7 traced the first wave to Vultr-hosted infrastructure and the May 21 wave to Dromatics Systems addresses, so at least two operators are already working from the same primitive (Rapid7).
Why this class of risk slips past your program
On paper CVE-2026-0257 is a 7.8 with a precondition, exactly the shape of finding most programs deprioritize while chasing the 9.8 of the week. The trouble is that the precondition is depressingly common in real deployments. Operators turn on authentication override so that an internal single sign-on portal can hand a user a cookie that GlobalProtect will honor, and the certificate behind it is frequently the same one bound to the HTTPS management portal because that is what the original deployment guide showed years ago. CVSS scores that as a configuration the defender controls today; in practice it is a choice someone made at deployment time and never revisited, so the actual exposed population is much wider than the headline score suggests.
Perimeter VPN appliances also sit at the uncomfortable end of most patch programs. Network engineering owns them, the security team triages CVEs across the org chart, and remediation means a maintenance window that competes with every other change request, so a fleet of edge devices running a quarter or more behind on firmware is normal. That is precisely the surface ransomware affiliates and initial access brokers prefer: a working exploit against a VPN concentrator hands the attacker an interactive foothold rather than another laptop in a sandbox. Rapid7's telemetry showing victims receiving real VPN IP assignments is the loudest possible signal that the rest of the kill chain is now a matter of internal reconnaissance rather than external exploitation (Rapid7).
Prioritizing with TRIS
Raw CVSS would file CVE-2026-0257 below several CVSS 9 candidates that nobody is actually exploiting this week. That is the standard failure mode that TRIS, the multi-layer Threat and Risk Intelligence Scoring inside CVEasy AI, was built to correct. TRIS weighs the signals that decide whether a finding is genuinely urgent in your environment:
- Active exploitation. This CVE is confirmed in the wild by an independent research team, was added to the CISA KEV catalog with a binding federal deadline of today, and shows two distinct waves of activity from separate hosting providers, so TRIS pushes the alert to the top regardless of the 7.8 base score (Rapid7, CISA KEV).
- Blast radius. The vulnerable surface is a remote-access VPN concentrator, so a successful exploit issues the attacker an internal IP and a route into whatever the tunnel can reach, which on most networks includes file shares, identity infrastructure, and east-west paths into business systems, so TRIS treats this as a network wide exposure rather than a single appliance issue.
- Real exposure. TRIS narrows the alert to the PAN-OS devices you actually run on the affected builds with authentication override enabled and a shared certificate, so the page that fires for the on call engineer is the short list of devices that match every precondition rather than a generic vendor blast.
The product of those three layers is a defensible ranking of which GlobalProtect cluster you touch first, which you schedule next, and which you can leave for the regular maintenance window because the preconditions do not apply.
Remediation steps
- Upgrade affected gateways to PAN-OS 10.2.10, 11.0.5, or 11.1.3 or later. Customers on the longer support branches should move to 10.2.18-h6, 11.1.15, 11.2.12, or 12.1.4-h6 or 12.1.7 depending on the track they already follow (Palo Alto Networks PSIRT).
- If patching has to wait for a change window, disable the authentication override feature on the affected GlobalProtect portal or gateway, or rotate the certificate so it is no longer shared with any other PAN-OS service such as the HTTPS management portal. Either change removes the precondition the exploit needs. Be aware that disabling authentication override also disables the SSO cookie hand-off it exists for, so users authenticate to the gateway with the configured method until it is re-enabled on a fixed build.
- Audit GlobalProtect authentication logs for cookie based authentications from unexpected source IP addresses, using the Vultr and Dromatics Systems ranges named by Rapid7 as a starting point rather than a complete list (Rapid7).
- Pull the active session table on the appliance, force a re-authentication across the GlobalProtect tunnels, and revoke any session tokens that look anomalous. A successful exploit leaves the attacker holding a valid session as far as the box is concerned, so a forced rotation is what actually evicts them; rotating the authentication override certificate has the same effect on outstanding cookies, since they are encrypted with it.
- For federal civilian agencies the CISA KEV due date of June 1 is binding, and for everyone else it is the cleanest executive cover you will get this quarter for taking a short maintenance window today (CISA KEV).
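The "real exposure" narrowing described under TRIS above, and the patch-or-mitigate decision in the remediation list, both reduce to the same three checks per appliance: is the build in an affected range, is authentication override on, and is the override certificate shared with another PAN-OS service. The script below is an added example, not code from this article, from CVEasy AI, or from Palo Alto Networks; it encodes those checks over a constructed inventory. The `Appliance` record layout, the field names, the hostnames and the certificate names are assumptions for the example, nothing here queries a real device, and the affected ranges are the ones the advisory is quoted with above. The one judgment call is noted in the code: a hotfix build of an affected base release (10.2.9-h2, say) is treated as affected, which is the conservative reading.

```python
"""
Exposure triage for CVE-2026-0257 across a PAN-OS inventory.

Added example for this article; not code from the article, from CVEasy AI, or from
Palo Alto Networks. The Appliance record layout and field names are assumptions, and
the inventory at the bottom is constructed. Nothing here talks to a real appliance.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Affected ranges exactly as the article quotes the vendor advisory, inclusive on both ends.
AFFECTED_RANGES: List[Tuple[Tuple[int, int, int], Tuple[int, int, int]]] = [
    ((10, 2, 0), (10, 2, 9)),
    ((11, 0, 0), (11, 0, 4)),
    ((11, 1, 0), (11, 1, 2)),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into (major, minor, patch, hotfix).

    A missing '-hN' suffix sorts as hotfix 0, so 10.2.9 < 10.2.9-h1 < 10.2.10,
    the ordering a naive string compare gets wrong ('10.2.10' < '10.2.9' as strings).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected_build(version: str) -> bool:
    """True when the base release falls inside an affected range.

    Assumption: a hotfix build of an affected base release (e.g. 10.2.9-h2) is treated
    as affected, because the ranges are expressed on base releases. That is the
    conservative reading; relax it only if the advisory names the hotfix as fixed.
    """
    base = parse_panos_version(version)[:3]
    return any(lo <= base <= hi for lo, hi in AFFECTED_RANGES)


@dataclass
class Appliance:
    name: str
    version: str
    auth_override_enabled: bool
    override_cert: Optional[str]              # certificate bound to authentication override
    other_service_certs: Dict[str, str] = field(default_factory=dict)  # service -> cert name


def services_sharing_override_cert(a: Appliance) -> List[str]:
    """Other PAN-OS services (e.g. the HTTPS management portal) bound to the override cert."""
    if not a.override_cert:
        return []
    return sorted(svc for svc, cert in a.other_service_certs.items() if cert == a.override_cert)


def triage(appliances: List[Appliance]) -> Dict[str, List[str]]:
    """Bucket the fleet the way the 'real exposure' layer does.

    patch_now:      affected build AND override enabled AND certificate shared -> exploitable
    affected_build: affected build but a precondition is missing -> next maintenance window
    not_exposed:    fixed or unaffected build
    """
    buckets: Dict[str, List[str]] = {"patch_now": [], "affected_build": [], "not_exposed": []}
    for a in appliances:
        if not is_affected_build(a.version):
            buckets["not_exposed"].append(a.name)
        elif a.auth_override_enabled and services_sharing_override_cert(a):
            buckets["patch_now"].append(a.name)
        else:
            buckets["affected_build"].append(a.name)
    return buckets


# Constructed inventory: hostnames, versions and certificate names are made up for the example.
INVENTORY = [
    Appliance("gp-gw-hq-1", "10.2.7", True, "corp-wildcard", {"mgmt-https": "corp-wildcard"}),
    Appliance("gp-gw-hq-2", "10.2.9-h2", True, "corp-wildcard", {"mgmt-https": "corp-wildcard"}),
    Appliance("gp-gw-dc-1", "11.1.1", True, "gp-cookie-cert", {"mgmt-https": "mgmt-cert"}),
    Appliance("gp-gw-lab", "11.0.3", False, None, {"mgmt-https": "lab-cert"}),
    Appliance("gp-gw-eu-1", "11.1.3", True, "corp-wildcard", {"mgmt-https": "corp-wildcard"}),
    Appliance("gp-gw-apac-1", "10.2.10", True, "corp-wildcard", {"mgmt-https": "corp-wildcard"}),
]

if __name__ == "__main__":
    for bucket, names in triage(INVENTORY).items():
        print(f"{bucket:15s} {', '.join(names) or '-'}")
```

Run against the constructed inventory, the two HQ gateways land in `patch_now` (affected build, override on, certificate shared with the management portal), the DC gateway and the lab box land in `affected_build` (one has a dedicated cookie certificate, the other has override off, so both can wait for the regular window), and the two boxes already on 11.1.3 and 10.2.10 drop out entirely. The version parser is the part worth keeping: PAN-OS hotfix strings like `10.2.18-h6` break plain string or float comparison, and a triage that sorts `10.2.10` below `10.2.9` will quietly mark fixed devices as affected, or worse.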
How CVEasy AI surfaces this
When a network appliance auth bypass with confirmed exploitation lands in NVD and KEV at the same time, CVEasy AI ingests the vendor advisory, the KEV entry, and the researcher write-ups within minutes and runs them through TRIS against the inventory that lives entirely on your own hardware. The platform answers the question that matters in the first hour, which is which of your GlobalProtect appliances are running an affected build with authentication override enabled and a shared certificate, and it answers it without your asset list, your appliance versions, or your maintenance schedule ever leaving the local network. As the number one local-first CTEM platform, CVEasy AI keeps the sensitive picture of where your VPN concentrators sit and how they are configured on your side of the wire, which matters more than usual when the incident is an attacker reaching for those exact devices, and puts the alert at the top of the queue with the rotation and upgrade checklist already attached.
References
- Palo Alto Networks PSIRT: CVE-2026-0257 advisory
- Rapid7: Observed exploitation of the PAN-OS GlobalProtect authentication bypass
- BleepingComputer: Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks
- CISA Known Exploited Vulnerabilities catalog
- threat-modeling.com: Palo Alto PAN-OS GlobalProtect auth bypass write-up