Attackers exploit Palo Alto GlobalProtect flaw days after disclosure

Source: Attackers exploit Palo Alto GlobalProtect flaw days after disclosure | CSO Online

Author: unknown

URL: https://www.csoonline.com/article/4179847/attackers-exploit-palo-alto-globalprotect-flaw-days-after-disclosure.html

ONE SENTENCE SUMMARY:

Attackers exploit CVE-2026-0257 in Palo Alto GlobalProtect, bypassing authentication with forged cookies, which raises patch urgency and brings edge devices under closer zero-trust scrutiny.

MAIN POINTS:

  1. Active in-the-wild exploitation followed Palo Alto’s initial medium-severity disclosure within days.
  2. Rapid7 observed successful VPN access across customers, without confirmed lateral movement.
  3. CVE-2026-0257 impacts GlobalProtect remote-access VPN on PAN-OS devices.
  4. Exploitation reportedly began May 17, shortly after fixes and mitigations were published.
  5. Palo Alto raised CVSS to 7.8, marked “attacked,” and set highest urgency.
  6. Vulnerability enables credential-less authentication bypass by forging a trusted cookie.
  7. Sessions appear legitimate, complicating detection compared with typical intrusion methods.
  8. Root cause: decrypted cookie contents trusted without signature verification.
  9. Exposure requires a specific configuration: authentication override cookies enabled together with a shared (reused) certificate.
  10. CISA added it to KEV, ordering rapid remediation for federal agencies.
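The defect class in points 6 and 8 (a decoded cookie trusted without verifying a signature) as an added example, not code from the article or from Palo Alto: a hypothetical cookie format with a vulnerable parser beside a hardened one that checks an HMAC before trusting any field. The key, claims and layout are constructed for teaching and do not reflect GlobalProtect's real cookie.

```python
"""Illustrates the defect class in points 6 and 8: a verifier that decodes a
session cookie and trusts its fields, beside one that checks a keyed MAC first.
Hypothetical cookie layout for teaching; not GlobalProtect's real format."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real key is random, per deployment, never shared.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"

def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")

def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(claims: dict, key: bytes = SERVER_KEY) -> str:
    """Server side: payload + HMAC-SHA256 tag (encryption omitted; integrity is the lesson)."""
    payload = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64e(payload) + "." + _b64e(tag)

def parse_unverified(cookie: str) -> Optional[dict]:
    """Vulnerable pattern: decode the payload and trust it, ignoring the tag."""
    try:
        payload_b64, _tag_b64 = cookie.split(".", 1)
        return json.loads(_b64d(payload_b64))
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None

def parse_verified(cookie: str, key: bytes = SERVER_KEY) -> Optional[dict]:
    """Hardened pattern: constant-time tag check before any field is used."""
    try:
        payload_b64, tag_b64 = cookie.split(".", 1)
        payload = _b64d(payload_b64)
        expected = hmac.new(key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64d(tag_b64)):
            return None
        return json.loads(payload)
    except ValueError:
        return None

def altered_for_test(cookie: str, new_claims: dict) -> str:
    """Constructed negative test input: payload swapped, original tag kept."""
    _payload_b64, tag_b64 = cookie.split(".", 1)
    return _b64e(json.dumps(new_claims, sort_keys=True).encode()) + "." + tag_b64
```

The unverified parser accepts the altered token with its new claims, while the verified parser rejects it; this is the check a gateway must perform before a session is treated as legitimate.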

TAKEAWAYS:

  1. Treat auth-bypass flaws on remote-access gateways as critical, regardless of base scoring.
  2. Audit GlobalProtect configurations for authentication override cookies and certificate reuse.
  3. Patch immediately and apply mitigations; exploitation can start days after disclosure.
  4. Strengthen monitoring for suspicious “legitimate” VPN sessions that may be forged.
  5. Improve asset visibility and configuration governance to reduce edge-device exposure during zero-trust transitions.