thehackernews.com via Reddit

Palo Alto GlobalProtect bypass hits CISA watchlist


Key insights

  • CVE-2026-0257 lets unauthenticated attackers forge GlobalProtect VPN cookies and establish unauthorized sessions on affected Palo Alto firewalls.
  • Active exploitation began May 17 from Vultr-hosted infrastructure targeting local admin accounts across multiple enterprise environments.
  • U.S. federal civilian agencies must patch PAN-OS 10.2 through 12.1 by June 19 under CISA's Known Exploited Vulnerabilities mandate.

Why this matters

Palo Alto GlobalProtect is deployed at scale across enterprise and government networks, meaning this unauthenticated bypass carries an attack surface that spans hundreds of organizations simultaneously. Rapid7's confirmation that attacks began May 17, twelve days before CISA's May 29 KEV listing, demonstrates a recurring pattern where federal action lags active exploitation by nearly two weeks. AI infrastructure teams running remote access through GlobalProtect gateways should treat this as a concrete reminder that VPN gateway compromise is a preferred initial access vector, and perimeter-focused defenses do not detect cookie forgery at session establishment.

Summary

Palo Alto Networks' GlobalProtect VPN gateway has an unauthenticated bypass that lets attackers forge session cookies and gain network access without credentials. Rapid7 confirmed active exploitation starting May 17 via Vultr-hosted IPs targeting enterprise local admin accounts. CISA added CVE-2026-0257 to its KEV catalog on May 29. Affected versions: PAN-OS 10.2 through 12.1. Federal civilian agencies must patch by June 19.

Essentially, Palo Alto Networks and CISA are 12 days behind active exploitation as of the KEV listing date:

  • Cookie forgery grants full VPN sessions on GlobalProtect firewalls with no credentials required.
  • Only federal agencies face a mandated June 19 deadline; private-sector organizations have no equivalent.
  • Rapid7 traced the first wave to Vultr infrastructure targeting local admin accounts.

The gap between May 17 exploitation and May 29 federal action is where real enterprise damage was done.

Potential risks and opportunities

Risks

  • Federal civilian agencies that miss the June 19 patch deadline face mandatory FISMA incident reporting and potential Inspector General findings, particularly those with GlobalProtect in classified-adjacent network segments.
  • Enterprises compromised in the May 17 to May 29 window face retroactive compliance exposure under PCI-DSS, HIPAA, and SOC 2 frameworks if GlobalProtect was a required compensating control.
  • Palo Alto Networks faces accelerated customer review cycles favoring Zscaler and Netskope within 60 to 90 days if additional unauthenticated bypass vulnerabilities surface in GlobalProtect.

Opportunities

  • Zero-trust access vendors (Zscaler, Cloudflare Access, Netskope) gain direct sales leverage at Palo Alto GlobalProtect accounts currently in active incident response.
  • Vulnerability management platforms (Tenable, Rapid7, Qualys) can close deals using KEV-specific alerting workflows with this incident as a live board-level ROI case study.
  • Incident response firms (Mandiant, CrowdStrike Services, Arctic Wolf) are positioned for forensics and remediation engagements at enterprises that have not verified whether they were hit in the May 17 to May 29 window.

What we don't know yet

  • Attribution behind the May 17 attack wave: Rapid7 identified Vultr-hosted infrastructure but no threat actor or nation-state link has been publicly confirmed as of May 29.
  • Whether Palo Alto has identified additional flaws in the GlobalProtect authentication flow adjacent to CVE-2026-0257, and whether patches are available for all affected PAN-OS versions as of June 1.
  • Scope of confirmed enterprise compromise: no public count of affected organizations or evidence of data exfiltration disclosed by Palo Alto or CISA as of May 29.