PAN-OS GlobalProtect CVE-2026-0257: Rapid7 Confirms Second Exploitation Wave; CISA Adds to KEV

Rapid7 MDR confirmed on 21 May that a second, larger exploitation wave of CVE-2026-0257, an authentication bypass in Palo Alto Networks GlobalProtect VPN, began on 21 May targeting enterprise sectors not covered in the initial wave. CISA added the CVE to the Known Exploited Vulnerabilities catalogue with a 1 June remediation deadline. The vulnerability affects PAN-OS 10.2, 11.1, 11.2, and 12.1 as well as Prisma Access.


Rapid7’s Managed Detection and Response (MDR) team published an Emerging Threat Response advisory on 21 May confirming active exploitation of CVE-2026-0257, an authentication bypass in Palo Alto Networks GlobalProtect VPN gateways, across enterprise networks in the Americas and Europe. CISA added the CVE to the Known Exploited Vulnerabilities catalogue on the same day, with a June 1, 2026 remediation deadline for US federal civilian agencies and a strong recommendation for all organisations to patch immediately.

This marks a second exploitation wave distinct from the initial advisory-period exploitation that began when the CVE was originally disclosed. Rapid7’s MDR visibility data indicates this wave is broader in scope, affecting more organisations and targeting sectors, including critical infrastructure, manufacturing, and healthcare, that were not prominently observed in the initial exploitation cluster.

Vulnerability Details

CVE-2026-0257 is an authentication bypass in the GlobalProtect VPN gateway component of Palo Alto Networks PAN-OS. The vulnerability exists in the session cookie validation logic: an attacker can forge an authentication session cookie to bypass the gateway’s authentication controls without providing valid credentials.

Once authenticated to the GlobalProtect gateway, the attacker can establish a full VPN tunnel with the same access permissions as a legitimate user. Depending on the organisation’s VPN split tunnelling configuration, this provides either partial (split tunnel) or complete (full tunnel) access to the internal network from the attacker’s external position.

Affected versions: PAN-OS 10.2.x (prior to 10.2.8), PAN-OS 11.1.x (prior to 11.1.4), PAN-OS 11.2.x (prior to 11.2.2), PAN-OS 12.1.x (prior to 12.1.1). Prisma Access is affected for organisations using self-managed GlobalProtect gateways; Palo Alto Networks-managed Prisma Access gateways were updated automatically.

Authentication requirement: none; the bypass works without any valid credential. Network access to the GlobalProtect gateway (typically port 443) is the only prerequisite.

What the Second Wave Indicates

The gap between the initial exploitation wave (around original advisory publication) and the current second wave is consistent with the typical lifecycle of a high-value VPN authentication bypass vulnerability:

Initial exploitation is typically conducted by the threat actors who had prior knowledge of the vulnerability, often the same groups that discovered it independently or obtained it through private broker markets before the CVE was public. These actors prioritise high-value, pre-selected targets.

Secondary exploitation begins when the vulnerability becomes available to a broader set of threat actors, whether through public proof-of-concept code, dissemination in criminal forums, or independent researcher reproduction. This wave is typically higher volume but potentially less targeted, with automated scanning for vulnerable endpoints followed by opportunistic exploitation.

Rapid7’s observation that the second wave is broader and affecting different sectors than the first wave is consistent with this model: the automated exploitation tooling has now proliferated beyond the initial users.

Organisations Most at Risk

Palo Alto Networks GlobalProtect is among the most widely deployed enterprise VPN solutions globally. Any organisation using PAN-OS-based GlobalProtect gateways on affected version branches that have not applied the patches is currently exposed to unauthenticated VPN access from internet-based attackers.

Priority organisations for immediate patching: all GlobalProtect gateway environments. There is no configuration-based mitigation: the vulnerability is in the authentication logic and cannot be addressed by configuration change. Patching is the only remediation.

Patch and Remediation

Apply the relevant PAN-OS update for the affected branch:

  • PAN-OS 10.2: Update to 10.2.8 or later
  • PAN-OS 11.1: Update to 11.1.4 or later
  • PAN-OS 11.2: Update to 11.2.2 or later
  • PAN-OS 12.1: Update to 12.1.1 or later

For Prisma Access managed gateway customers: confirm with Palo Alto Networks support that the automatic update has applied to your managed gateway. Self-managed Prisma Access gateways require manual PAN-OS updates.
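An added example (not from the advisory or from Palo Alto Networks) that turns the fixed-version table above into an exposure check for a gateway inventory; it assumes the PAN-OS "major.minor.maint" version format with an optional "-hN" hotfix suffix, and treats branches the advisory does not list as unknown rather than safe.

```python
"""Exposure check for CVE-2026-0257 against the fixed releases listed in the advisory."""
import re

# First fixed release per affected PAN-OS branch, taken from the advisory's patch list.
FIXED_VERSIONS = {
    (10, 2): (10, 2, 8),
    (11, 1): (11, 1, 4),
    (11, 2): (11, 2, 2),
    (12, 1): (12, 1, 1),
}

# Assumed version layout: major.minor.maint with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse a PAN-OS version string into (major, minor, maint, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_exposed(version_text):
    """True if the version is on an affected branch below its fixed release,
    False if it is at or above the fix, None if the branch is not in the advisory
    (unknown, so it should be checked against vendor guidance rather than assumed safe)."""
    major, minor, maint, _hotfix = parse_version(version_text)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return None
    # A hotfix on an older maintenance release (e.g. 10.2.7-h3) is still below 10.2.8.
    return (major, minor, maint) < fixed


def triage(inventory):
    """Given {hostname: version}, return (host, version, target fix) for each exposed gateway."""
    exposed = []
    for host, version in inventory.items():
        if is_exposed(version):
            fixed = FIXED_VERSIONS[parse_version(version)[:2]]
            exposed.append((host, version, ".".join(str(n) for n in fixed)))
    return exposed
```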

Post-patching investigation: all GlobalProtect gateways on affected versions should be treated as potentially compromised during the exposure window. Review GlobalProtect authentication logs from that window for cookie-based authentication events originating from unusual source IP addresses or occurring at unusual times. Session logs from the exposure window should be retained for forensic investigation.
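The log review described above, as an added example that is not part of the advisory: it flags successful cookie-based GlobalProtect logins inside the exposure window that came from a source IP outside known corporate ranges or outside business hours. The CSV column names, the sample rows and the known IP ranges are constructed for this example and must be mapped to your own log export.

```python
"""Triage of a GlobalProtect authentication log export for the CVE-2026-0257 exposure window."""
import csv
import io
import ipaddress
from datetime import datetime, time

# Placeholder corporate egress ranges (assumption; replace with your own allow-list).
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS = (time(7, 0), time(19, 0))
TS_FORMAT = "%Y-%m-%d %H:%M:%S"

# Constructed sample export; column names are assumed, not a real PAN-OS schema.
SAMPLE_LOG = """time_generated,srcuser,auth_method,public_ip,status
2026-05-20 09:12:41,alice,LDAP,203.0.113.10,success
2026-05-20 23:47:03,bob,cookie,198.51.100.77,success
2026-05-21 20:30:18,carol,cookie,203.0.113.22,success
2026-05-21 03:15:59,alice,cookie,192.0.2.200,success
2026-05-21 11:30:00,dave,cookie,192.0.2.201,failure
"""


def is_known_ip(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in KNOWN_RANGES)


def in_business_hours(ts):
    start, end = BUSINESS_HOURS
    return start <= ts.time() <= end


def triage_cookie_auth(csv_text, window_start, window_end):
    """Return (timestamp, user, source IP, reasons) for successful cookie-based logins
    inside [window_start, window_end] that came from an unknown IP or off-hours.
    Window bounds are strings in TS_FORMAT."""
    start = datetime.strptime(window_start, TS_FORMAT)
    end = datetime.strptime(window_end, TS_FORMAT)
    flagged = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = datetime.strptime(row["time_generated"], TS_FORMAT)
        if not (start <= ts <= end):
            continue
        # Only successful cookie-based authentications matter for this bypass.
        if row["auth_method"].lower() != "cookie" or row["status"] != "success":
            continue
        reasons = []
        if not is_known_ip(row["public_ip"]):
            reasons.append("unknown source IP")
        if not in_business_hours(ts):
            reasons.append("outside business hours")
        if reasons:
            flagged.append((row["time_generated"], row["srcuser"], row["public_ip"], reasons))
    return flagged
```

Flagged rows are leads for the forensic review, not confirmations of compromise; a legitimate remote user on a new network will also trip the IP check.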
