Palo Alto Warns of Exploitation of VPN Bypass Exploits (CVE-2026-0257) in PAN-OS Flaw
Palo Alto Warns of Exploitation of VPN Bypass Exploits (CVE-2026-0257) in PAN-OS Flaw
Publish Date: 2026-06-15 07:11:00
Source Domain: securityaffairs.com
Palo Alto Warns of Exploitation of VPN Bypass Exploits (CVE-2026-0257) in PAN-OS Flaw
Pierluigi Paganini
June 15, 2026
Palo Alto Networks warns that attackers are actively exploiting CVE-2026-0257, a PAN-OS flaw that lets unauthorized users bypass authentication and establish VPN connections.
Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a PAN-OS authentication bypass vulnerability affecting GlobalProtect portals and gateways.
Palo Alto Networks addressed the vulnerability on May 13. Two weeks later, cybersecurity firm Rapid7 confirmed active exploitation across multiple customer environments. In early June, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the flaw CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog.
The flaw affects the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS, allowing attackers to bypass authentication and establish unauthorized VPN connections. The vulnerabilities do not affect Panorama or Cloud NGFW deployments.
“Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.” reads the advisory.
If the same certificate is used for both the HTTPS service and the cookie encryption feature, which is a common misconfiguration, an attacker can grab the public key straight from the HTTPS session. Armed with that key, they can craft a cookie for any user, including the local admin account, that the device will accept as legitimate. No credentials required. Rapid7’s Labs team built a proof-of-concept script that demonstrates this in full: retrieve the certificate chain, iterate through each certificate, forge a cookie, test it. The whole attack takes seconds against a vulnerable appliance.
“If we look at…
