CVE-2026-0257 in Palo Alto PAN-OS: Two Documented Attack Waves, Confirmed Internal Network Access and the CISA Deadline Expired Yesterday
Eric Serrano Bustos
The remediation deadline CISA set for US federal agencies for CVE-2026-0257 expired yesterday, 1 June. For Spanish organisations with Palo Alto PAN-OS firewalls and GlobalProtect exposed, the urgency is the same. Rapid7 MDR documented two waves of active exploitation of this authentication bypass vulnerability — the first on 17 May and the second on 21 May, likely from the same actor — confirming that attackers exploiting CVE-2026-0257 do not just establish an unauthorised VPN connection: they obtain direct access to the organisation’s internal network. It is the second critical GlobalProtect CVE actively exploited in under a month; we analysed the first, CVE-2026-0300 (root RCE), here on 7 May.
What do we know about CVE-2026-0257 and the two exploitation waves?
Facts documented by Palo Alto Networks, Rapid7 MDR, CISA, BleepingComputer, The Hacker News, Gridinsoft and RedLegg:
Vulnerability: authentication bypass (CWE-565: Reliance on Cookies without Validation and Integrity Checking) in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS. An unauthenticated remote attacker can bypass security restrictions and establish an unauthorised VPN connection to the network protected by the firewall.
CVSS 7.8 (High) — treat as critical: Rapid7 explicitly urges treating this CVE as critical regardless of the score. Once the unauthorised VPN connection is established, the attacker is inside the corporate network with apparently legitimate access.
Exploitability condition: the vulnerability affects firewalls that have a GlobalProtect portal or gateway configured, authentication override cookies enabled and a specific certificate configuration. Panorama and Cloud NGFW are not affected.
Initial advisory: 13 May 2026 (Palo Alto Networks).
First exploitation wave: Rapid7 MDR detected successful exploitation across multiple customers with the earliest date on 17 May, four days after the advisory. Attackers obtained VPN IP assignment, giving them internal network access.
Second wave: on 21 May Rapid7 documented a second exploitation wave. The same MAC address suggests the same actor. The second wave originated from hosting provider Dromatics Systems.
Confirmed post-exploitation: in cases analysed by Rapid7, attackers obtained VPN IP assignment and internal network access. No lateral movement was observed in detected cases — but internal network access already constitutes a complete perimeter breach.
Chaining with RCE zero-day: researchers confirm CVE-2026-0257 is being chained with an additional zero-day to achieve remote code execution, elevating the real risk beyond CVSS 7.8.
CISA KEV: added 29 May 2026. Federal agency remediation deadline: 1 June 2026 — yesterday.
Unpatched versions: PAN-OS 9.0, 9.1 and 10.0 are vulnerable but will not receive a patch as they are EOL. Organisations on these versions must migrate to a supported branch immediately.
Documented IoCs: unusual HTTP POST requests to /global-protect/portal/login.esp with abnormally long saml-response parameters in firewall logs.
Why GlobalProtect is a recurring first-order target
CVE-2026-0257 is the second critical GlobalProtect CVE actively exploited in under a month — the previous was CVE-2026-0300 (root RCE), which we analysed on 7 May. Four factors explain why GlobalProtect is a permanent target:
GlobalProtect is the corporate network’s entry point. An authentication bypass in GlobalProtect does not compromise a peripheral server: it compromises the access control separating the internet from the internal network. With an unauthorised VPN session established, the attacker is inside with traffic that appears legitimate to internal controls that trust the VPN.
Edge devices are patched more slowly than servers. Firewalls and VPN appliances require planned maintenance windows, network team coordination and connectivity impact testing. The 2026 DBIR we analysed last week confirmed the median patching time is 43 days. CVE-2026-0257 was first exploited four days after the advisory.
Many organisations have GlobalProtect directly internet-facing. That is its intended use — it is the corporate remote access endpoint. That legitimate exposure automatically makes it a priority attack surface for any actor seeking initial access to corporate networks.
The pattern is systematic: ProxyShell for Exchange, Log4Shell for Java applications, and now a sequence of critical PAN-OS CVEs. Attackers invest in exploiting security devices because they are the maximum-leverage entry point.
How this attack works: from bypass to unauthorised VPN access
Identifying vulnerable instances. The attacker identifies Palo Alto firewalls with GlobalProtect internet-exposed in the vulnerable configuration (portal or gateway with authentication override cookies enabled). The /global-protect/portal/login.esp endpoint is publicly accessible in these configurations.
Authentication bypass exploitation. Abusing CWE-565 (trust in cookies without integrity validation), the attacker manipulates GlobalProtect portal authentication. The authentication override cookie mechanism implicitly assumes cookie value integrity, and CVE-2026-0257 exploits the absence of correct validation of those values.
Establishing the unauthorised VPN session. With a successful bypass, the system assigns the attacker a VPN IP and grants internal network access. The connection appears as legitimate VPN traffic from the perspective of internal monitoring systems.
Accessing internal resources. With the VPN IP assigned, the attacker has network access to the internal resources GlobalProtect was protecting: internal servers, Active Directory, databases, shared file systems.
Chaining with RCE zero-day (in advanced attacks). Researchers document that some actors chain CVE-2026-0257 with an additional RCE zero-day to achieve code execution on the firewall itself.
Key lessons and mitigation checklist: what your team must do right now
Step 1 — Verify exposure (immediate):
Confirm whether the environment has GlobalProtect portal or gateway configured.
Check whether authentication override cookies are enabled. If enabled and the certificate configuration matches, the system is vulnerable until patched.
Check the PAN-OS version. If 9.0, 9.1 or 10.0: no patch exists — migrating to a supported version is the only option.
Step 2 — Patching (priority action):
Update to the PAN-OS version fixing CVE-2026-0257. Consult the official Palo Alto Networks advisory for the exact versions per branch.
Disabling SAML is not sufficient if hybrid mode is in use. The only reliable mitigation is to update.
Step 3 — Temporary mitigation (if immediate patching is not possible):
Option A: disable the Authentication Override feature on the GlobalProtect portal and gateway if not operationally required.
Option B: generate a new certificate exclusively for the authentication override cookies function, isolating the exploitation vector.
Additional: restrict access to the GlobalProtect portal to trusted IP ranges via upstream ACLs where operations allow. This is a surface-reduction measure, not a complete mitigation.
Additional: require client certificates in addition to user credentials for GlobalProtect authentication.
Step 4 — Forensic investigation (mandatory if the system may have been exposed since 17 May):
Hunt for Rapid7’s documented IoCs: HTTP POST requests to /global-protect/portal/login.esp with abnormally long saml-response parameters in firewall logs.
Review VPN connection logs from 17 May onwards for authenticated VPN sessions from unknown IPs or at unusual times.
Check for lateral traffic from VPN pool IPs to internal systems that does not correspond to legitimate users.
Analyse the firewall’s tech support files (available from PAN-OS). Rapid7 used these to confirm exploitation in their customers.
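One way to hunt for the documented indicator over exported log lines, as an added example that is not code from this post, Rapid7 or Palo Alto Networks. It assumes a simple space-separated export (timestamp, source IP, method, path, URL-encoded form body) in which the POST body is logged; the sample lines and the 2048-byte threshold are constructed here and must be tuned against your own baseline of legitimate SAML logins.

```python
"""Hunt for the CVE-2026-0257 indicator documented by Rapid7: HTTP POSTs to
the GlobalProtect portal login endpoint with an abnormally long saml-response
parameter. Added example; not code from the original post, Rapid7 or Palo Alto.

Assumed log format (constructed), one request per line:
    <timestamp> <src_ip> <method> <path> <urlencoded form body, if any>
"""
from urllib.parse import parse_qs

TARGET_PATH = "/global-protect/portal/login.esp"
# "Abnormally long" is relative to your own baseline of legitimate SAML logins;
# 2048 bytes is a constructed starting point, not a value from the advisory.
LONG_SAML_RESPONSE = 2048


def saml_response_length(form: str) -> int:
    """Longest saml-response value in a URL-encoded form, or 0 if absent.
    Names are normalised so both 'saml-response' (the IoC's spelling) and the
    SAML HTTP-POST binding's 'SAMLResponse' are matched."""
    params = parse_qs(form, keep_blank_values=True)
    lengths = [len(v) for name, values in params.items()
               if name.lower().replace("-", "") == "samlresponse"
               for v in values]
    return max(lengths, default=0)


def hunt(lines, threshold: int = LONG_SAML_RESPONSE):
    """Return (timestamp, src_ip, saml_response_length) per matching line."""
    findings = []
    for line in lines:
        parts = line.split(maxsplit=4)
        if len(parts) < 5:
            continue  # no body logged (e.g. a GET) or a malformed line
        ts, src_ip, method, path, form = parts
        if method != "POST" or path.split("?", 1)[0] != TARGET_PATH:
            continue
        length = saml_response_length(form)
        if length >= threshold:
            findings.append((ts, src_ip, length))
    return findings


# Constructed sample (TEST-NET addresses): an oversized saml-response, a normal
# SAML login, a GET without a body, and a long POST to an unrelated path.
SAMPLE_LOG = [
    f"2026-05-17T03:12:44Z 203.0.113.45 POST {TARGET_PATH} saml-response={'A' * 4096}&RelayState=x",
    f"2026-05-17T03:13:01Z 198.51.100.7 POST {TARGET_PATH} SAMLResponse={'B' * 900}&RelayState=x",
    f"2026-05-17T03:14:09Z 198.51.100.8 GET {TARGET_PATH}",
    f"2026-05-17T03:15:22Z 203.0.113.45 POST /ssl-vpn/login.esp saml-response={'C' * 4096}",
]
```

Hits should be correlated with the VPN session logs from the same source IP and period (the checks in the steps above) rather than treated as confirmation on their own.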
Cybersecurity as a strategic priority
CVE-2026-0257 arrives precisely when the 2026 DBIR — analysed here last week — confirmed that vulnerability exploitation has overtaken credential theft as the #1 initial access vector. Edge devices — firewalls, VPN appliances, remote access gateways — are the priority target of this paradigm shift because they combine direct internet exposure, high implicit trust in the accesses they manage, and slow patching cycles. Two exploitation waves in four days, confirmed internal network access, and an RCE zero-day chained: for Spanish organisations with GlobalProtect, the response window has already closed for those who have not acted. For those who have not yet verified, the window is still open — but not for long.
Apolo Cybersecurity: Palo Alto firewall and VPN appliance assessment and protection
At Apolo Cybersecurity we help organisations running Palo Alto PAN-OS verify exposure to CVE-2026-0257 and CVE-2026-0300, apply the correct mitigations while patching is planned, review GlobalProtect forensic logs for prior exploitation since 17 May, audit authentication override cookie and certificate configurations, and establish migration plans for EOL PAN-OS versions that will not receive patches.
If your organisation has GlobalProtect internet-facing and you have no confirmation that the system has been patched or mitigated against CVE-2026-0257, this Tuesday morning is the time to verify it.