HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

Active Exploitation of CVE-2026-0257 Enables Forged GlobalProtect VPN Cookies, Bypassing Authentication Across Multiple Customers

CVE‑2026‑0257 allows attackers to forge GlobalProtect VPN authentication cookies, granting unauthorized VPN access without credentials. Rapid7 confirmed active exploitation in the wild, targeting multiple organizations that use Palo Alto Networks’ GlobalProtect. The flaw poses a significant supply‑chain risk for any third‑party relying on this VPN solution.

LiveThreat™ Intelligence · 📅 June 01, 2026· 📰 securityaffairs.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
5 recommended
📰
Source
securityaffairs.com

CVE-2026-0257: Forged GlobalProtect VPN Cookies Bypass Authentication, Actively Exploited Across Multiple Customers

What It Is – CVE‑2026‑0257 is an authentication‑bypass flaw in the GlobalProtect portal and gateway components of Palo Alto Networks PAN‑OS. By exploiting a mis‑configuration that re‑uses the same certificate for HTTPS and cookie encryption, an attacker can forge valid VPN auth cookies and gain VPN access without credentials.

Exploitability – Rapid7 confirmed active exploitation in the wild on May 17 2026, publishing a PoC that forges cookies in seconds. No public exploit code existed before the Rapid7 disclosure, but the vulnerability is being used by threat actors operating from Vultr and Dromatics Systems.

Affected Products – Palo Alto Networks PAN‑OS (GlobalProtect portal & gateway). Panorama and Cloud NGFW are not affected.

TPRM Impact – Any third‑party that relies on GlobalProtect for remote access (MSPs, SaaS providers, cloud tenants, etc.) faces a supply‑chain risk: compromised VPN tunnels can be used to pivot into internal networks, exfiltrate data, or deploy ransomware.

Recommended Actions

  • Verify that the HTTPS service certificate and the GlobalProtect cookie‑encryption certificate are different; re‑issue if they are shared.
  • Apply Palo Alto Networks’ May 13 2026 patch (or later) to all GlobalProtect appliances.
  • Rotate all VPN‑related certificates and revoke any that were used with the vulnerable configuration.
  • Review VPN logs for anomalous cookie‑based logins, especially from unknown IP ranges or with spoofed MAC addresses.
  • For MSPs, notify all downstream customers of the issue and confirm remediation status.

Source: Security Affairs

📰 Original Source
https://securityaffairs.com/192933/security/cve-2026-0257-rapid7-caught-attackers-abusing-forged-vpn-cookies-against-multiple-customers.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →