A Palo Alto Networks vulnerability that allows attackers to establish unauthorized VPN access into corporate networks is being actively exploited in the wild, weeks after the company disclosed the flaw as a medium-severity issue and said it was unaware of any attacks.
However, according to Rapid7, threat actors began exploiting the bug within days of disclosure.
“Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices,” the firm said in its analysis. The attackers reached the network but were not seen pushing deeper in the cases Rapid7 investigated, it said.
The flaw, tracked as CVE-2026-0257, affects GlobalProtect, Palo Alto’s remote-access VPN platform. Rapid7 said attackers began exploiting it as early as May 17, four days after Palo Alto published fixes and mitigation guidance.
The development marks a significant escalation from Palo Alto’s initial May 13 advisory, which rated the flaw medium severity and stated that the company was not aware of malicious exploitation at the time.
By May 29, Palo Alto had updated its advisory, raising the vulnerability’s CVSS score to 7.8, marking exploit maturity as “attacked,” and assigning its highest urgency rating.
“Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied,” the company said in the update.
Exploitation emerges quickly
While the flaw does not provide remote code execution on the firewall itself, Rapid7 urged organizations to treat it as more serious than its assigned severity score might suggest.
“While the assigned CVSSv4 score indicates a medium severity, due to the circumstances surrounding this vulnerability, Rapid7 urges that organizations treat this as a critical vulnerability,” the company said.
Sunil Varkey, advisor at Beagle Security, said the vulnerability is particularly concerning because it enables what he described as a “fully credential-less authentication bypass.”
“Attackers can create a forged cookie using the publicly available public key and directly establish a VPN session without any malware, phishing, or stolen credentials,” Varkey said.
Because the resulting session appears legitimate, such activity can be significantly harder to detect than many traditional intrusion techniques, he added.
While remote code execution flaws often attract the highest severity ratings, authentication bypass vulnerabilities affecting remote-access infrastructure can create comparable enterprise risk, according to Sakshi Grover, senior research manager for cybersecurity services at IDC Asia/Pacific.
“In a modern zero-trust model, identity is the new perimeter,” Grover said. “A vulnerability that grants unauthorized authenticated access effectively compromises that perimeter, even without executing code on the underlying device.”
The enterprise risk, she added, is less about what the vulnerability does directly than what access it enables afterward, including lateral movement, credential harvesting, and persistence under the cover of what appears to be a legitimate session.
What caused the flaw
The flaw lies in how PAN-OS handles authentication override cookies, Rapid7 said in the disclosure. The gateway decrypts a cookie with a private key, then trusts its contents without checking a signature.
The cookie is a convenience feature, Varkey said.
“Many organizations enabled authentication override cookies for a simple reason: improving user experience,” he said. “And now it needs to be re-examined seriously.”
The bug bites only under one configuration, Rapid7 added. The cookies must be enabled, and the certificate that protects them must also serve another function, such as the gateway’s HTTPS interface. An attacker can then recover the public key and forge a valid cookie. The feature is off by default, but teams that switched it on years ago may not know they are exposed.
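To make the mechanism concrete, here is an added toy model of the pattern described above. It is illustration written for this page, not PAN-OS or Rapid7 code, and it does not reproduce the real cookie format, which the article does not describe. The textbook-RSA parameters, the cookie layout, the function names and the gateway-only HMAC secret are all assumptions. The vulnerable gateway decrypts with its private key and trusts whatever parses; because encryption with a public key proves nothing about who produced the cookie, anyone holding that key (for example, from the TLS handshake when the certificate is shared with the HTTPS interface) can mint a cookie for any user. The hardened variant checks a MAC keyed with a secret that is not in any certificate before it decrypts anything.

```python
import hashlib
import hmac
import json

# Toy textbook-RSA key pair (p=61, q=53 -> n=3233, e=17, d=2753), for illustration only.
# A real gateway uses a full-size key with proper padding; the small numbers keep the demo readable.
PUBLIC_KEY = (17, 3233)     # (e, n): visible to anyone who completes a TLS handshake when the
                            # same certificate also serves the gateway's HTTPS interface
PRIVATE_KEY = (2753, 3233)  # (d, n): held only by the gateway

# Hypothetical per-device secret that never leaves the gateway; only the hardened variant uses it.
GATEWAY_MAC_SECRET = b"hypothetical-gateway-only-secret"


def rsa_encrypt(plaintext: bytes, public_key: tuple[int, int]) -> list[int]:
    """Encrypt one byte per block with the public key (toy scheme, no padding)."""
    e, n = public_key
    return [pow(b, e, n) for b in plaintext]


def rsa_decrypt(ciphertext: list[int], private_key: tuple[int, int]) -> bytes:
    """Decrypt with the private key. Raises ValueError/TypeError on malformed input."""
    d, n = private_key
    return bytes(pow(c, d, n) for c in ciphertext)


def encode_claims(user: str, expires: int) -> bytes:
    return json.dumps({"user": user, "expires": expires}, sort_keys=True).encode()


def parse_claims(body: bytes, now: int):
    """Return the user named in an unexpired claims blob, else None."""
    try:
        claims = json.loads(body)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("expires", 0) <= now:
        return None
    return claims.get("user")


# --- Vulnerable pattern: decrypt, then trust whatever came out ---

def issue_cookie_vulnerable(user: str, expires: int) -> dict:
    """Cookie as the gateway issues it: claims encrypted to the gateway's own public key."""
    return {"ct": rsa_encrypt(encode_claims(user, expires), PUBLIC_KEY)}


def gateway_accepts_vulnerable(cookie: dict, now: int):
    """Decrypts and, if the result parses and is unexpired, logs that user in.
    Nothing here proves the gateway itself produced the cookie."""
    try:
        body = rsa_decrypt(cookie["ct"], PRIVATE_KEY)
    except (KeyError, TypeError, ValueError):
        return None
    return parse_claims(body, now)


def forge_cookie(user: str, expires: int, public_key: tuple[int, int]) -> dict:
    """The attacker's step: identical to issuance, needing only the public key."""
    return {"ct": rsa_encrypt(encode_claims(user, expires), public_key)}


# --- Hardened pattern: authenticate the cookie before trusting it ---

def _tag(ciphertext: list[int]) -> str:
    """Encrypt-then-MAC over the ciphertext with a secret that is in no certificate."""
    return hmac.new(GATEWAY_MAC_SECRET, json.dumps(ciphertext).encode(), hashlib.sha256).hexdigest()


def issue_cookie_hardened(user: str, expires: int) -> dict:
    ct = rsa_encrypt(encode_claims(user, expires), PUBLIC_KEY)
    return {"ct": ct, "tag": _tag(ct)}


def gateway_accepts_hardened(cookie: dict, now: int):
    """Checks the MAC first, so attacker-supplied bytes are never decrypted or parsed."""
    try:
        ct, tag = cookie["ct"], cookie["tag"]
        if not hmac.compare_digest(_tag(ct), tag):
            return None
        return parse_claims(rsa_decrypt(ct, PRIVATE_KEY), now)
    except (KeyError, TypeError, ValueError):
        return None


def demo(now: int = 1_700_000_000) -> dict:
    """Run both gateways against a legitimate cookie and attacker-forged ones."""
    later = now + 3600
    guessed = forge_cookie("admin", later, PUBLIC_KEY)  # attacker also guesses at a tag
    guessed["tag"] = hmac.new(b"wrong-secret", json.dumps(guessed["ct"]).encode(), hashlib.sha256).hexdigest()
    return {
        "vulnerable_legit": gateway_accepts_vulnerable(issue_cookie_vulnerable("alice", later), now),
        "vulnerable_forged": gateway_accepts_vulnerable(forge_cookie("admin", later, PUBLIC_KEY), now),
        "hardened_legit": gateway_accepts_hardened(issue_cookie_hardened("alice", later), now),
        "hardened_forged": gateway_accepts_hardened(forge_cookie("admin", later, PUBLIC_KEY), now),
        "hardened_forged_guessed_tag": gateway_accepts_hardened(guessed, now),
    }


if __name__ == "__main__":
    for check, user in demo().items():
        print(f"{check:28s} -> {user!r}")
```

The vulnerable gateway logs in "admin" from a cookie it never issued, while the hardened one returns None for both forgeries and still accepts its own cookie. The toy key size is irrelevant to the point: a full-size key behaves the same way, because public-key encryption provides confidentiality, not origin authentication. In practice the fix is an authenticated scheme (an AEAD or a signature under a key the attacker cannot obtain), and a cookie-signing certificate that is not shared with any other service.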
That points to a wider lesson, Grover said. Risk often comes not from a flaw itself, but from how technology is configured and maintained over time, she said.
Patch pressure grows
The urgency surrounding the flaw increased further after the US Cybersecurity and Infrastructure Security Agency added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29 and directed federal civilian agencies to remediate the issue by June 1.
Rapid7 said organizations should review affected GlobalProtect deployments, verify whether vulnerable configurations are present, and apply available fixes as soon as possible.
The incident also highlights a broader challenge for organizations pursuing zero-trust architectures.
“Zero trust has not eliminated the perimeter; it has redistributed it,” Grover said. “Identity providers, VPN gateways, remote-access portals, SASE edges, and cloud access services have become the new control points attackers target.”
Organizations continue to invest heavily in network security and zero-trust initiatives, she said, but legacy VPN infrastructure often remains deeply embedded in enterprise environments, creating a transition period that attackers are exploiting faster than many organizations can modernize.
“This incident reinforces a hard truth: despite years of zero-trust discussions, perimeter security remains fragile when convenience overrides careful architecture,” Varkey said.
For CISOs, the lesson extends beyond patching. “The recurring pattern of edge-device exploitation is rarely the result of a missing security product,” Grover said. “More often, it reflects gaps in asset visibility, configuration governance, patch prioritization, and architectural modernization.”