U.S. CISA adds Palo Alto Networks PAN-OS flaw to its Known Exploited Vulnerabilities catalog

https://securityaffairs.com/192951/security/u-s-cisa-adds-palo-alto-networks-pan-os-flaw-to-its-known-exploited-vulnerabilities-catalog.html

Publish Date: 2026-06-01 05:11:00

Source Domain: securityaffairs.com

Pierluigi Paganini
June 01, 2026

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds a Palo Alto Networks PAN-OS flaw to its Known Exploited Vulnerabilities catalog.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Palo Alto Networks PAN-OS flaw, tracked as CVE-2026-0257 (CVSS score of 7.8), to its Known Exploited Vulnerabilities (KEV) catalog.

Palo Alto Networks addressed the vulnerability CVE-2026-0257 on May 13. Two weeks later, cybersecurity firm Rapid7 confirmed active exploitation across multiple customer environments.

The flaw impacts the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS and allows attackers to bypass authentication and establish unauthorized VPN connections. The vulnerability does not affect Panorama or Cloud NGFW deployments.

“Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.” reads the advisory.

If the same certificate is used for both the HTTPS service and the cookie encryption feature, which is a common misconfiguration, an attacker can grab the public key straight from the HTTPS session. Armed with that key, they can craft a cookie for any user, including the local admin account, that the device will accept as perfectly legitimate. No credentials required. Rapid7’s Labs team built a proof-of-concept script that demonstrates this in full: retrieve the certificate chain, iterate through each certificate, forge a cookie, test it. The whole attack takes seconds against a vulnerable appliance.

“If we look at the main_DecryptAppAuthCookie function we can begin to see the problem.” reads the report published by Rapid7. “The…
