Palo Alto PAN-OS GlobalProtect Auth Bypass Now Actively Exploited: Patch Before June 1 Deadline

Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a GlobalProtect VPN authentication bypass flaw in PAN-OS. CISA added it to the Known Exploited Vulnerabilities catalogue with a June 1 federal remediation deadline. Enterprise teams using GlobalProtect must patch immediately.

Omar Al-Hakeem
Senior Cyber Threat Analyst | MENA Region3 min read
Security analyst reviewing a firewall alert on a network operations centre workstation

Security analyst reviewing a firewall alert on a network operations centre workstation

Palo Alto Networks has issued an urgent warning after confirming that a recently disclosed authentication bypass vulnerability in PAN-OS GlobalProtect has moved from theoretical risk to active exploitation in the wild.

The vulnerability, tracked as CVE-2026-0257 with a CVSS score of 7.8, affects the GlobalProtect portal and gateway components of PAN-OS and Prisma Access. When exploited, it allows an unauthenticated remote attacker to forge authentication override cookies and establish an unauthorised VPN connection, effectively bypassing the security controls that sit at the perimeter of enterprise networks.

Palo Alto Networks first disclosed the flaw on 13 May 2026, rating it at medium severity. On 29 May, the company updated its advisory to confirm it had become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied. That same day, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalogue, ordering all US federal civilian agencies to remediate by 1 June 2026.

How the attack works

The vulnerability is triggered under a specific but not uncommon configuration: GlobalProtect portal or gateway must have the authentication override feature enabled, and the certificate used for that feature must be shared with another service, such as the HTTPS interface of the portal or gateway itself. When these conditions are met, an attacker can craft a request that causes the system to process it as an authenticated session.

Independent analysis by Rapid7 confirmed a working proof-of-concept and observed two separate waves of exploitation activity (the second originating from hosting provider Dromatics Systems), suggesting a coordinated effort by a single threat actor. Once inside, attackers gain VPN IP assignment and internal network access, providing a foothold for lateral movement, credential theft, and deeper compromise.

The risk for GCC and MENA enterprises

GlobalProtect is among the most widely deployed VPN and remote access solutions across enterprise environments in the Gulf, particularly in financial services, government, and energy sectors, all of which are operating under heightened threat conditions in 2026.

An attacker who bypasses VPN authentication does not simply gain network access; they inherit the trust level of a legitimate remote employee, making detection considerably harder. Organisations running Palo Alto next-generation firewalls with GlobalProtect configured are advised to treat any exposed portal or gateway as a priority incident review target, not merely a device awaiting an update.

Remediation steps

Palo Alto Networks has released patches for affected PAN-OS versions. The recommended actions are: update to a fixed version immediately; if an immediate upgrade is not possible, either disable the authentication override feature or generate a new certificate exclusively for authentication override, separate from any other service. Admins should also review logs for certificate-authentication anomalies and unexpected VPN IP assignments.

The exploitation of CVE-2026-0257 follows a separate active campaign reported by Arctic Wolf, in which a critical flaw in FortiClient Endpoint Management Server, CVE-2026-35616, is being used to deliver a credential-stealing malware called EKZ Infostealer across managed enterprise endpoints.

The combination of active attacks against two of the most widely used enterprise security platforms underscores the pressure on security operations teams this week.

Omar Al-Hakeem

Senior Cyber Threat Analyst | MENA Region

Omar Al-Hakeem is a cybersecurity researcher specializing in threat intelligence, ransomware trends, and nation-state activity across the Middle East and North Africa. With over 12 years of experience in SOC operations and incident response, he provides deep technical breakdowns of emerging attacks and regional cyber risks. At MENA Cyber Wire, Omar focuses on real-world threat analysis and actionable defense strategies for enterprises and startups.

Intelligence Focus Areas

Threat IntelligenceEnterprise SecurityVulnerability ManagementNetwork SecurityGCC Cybersecurity 2026