Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)
Strategic summary
On May 13, 2026, a medium severity authentication bypass vulnerability (CVE-2026-0257) was disclosed in PAN-OS GlobalProtect, allowing unauthenticated attackers to establish VPN connections when Cloud Authentication Service is disabled and authentication override cookies are enabled. Rapid7 observed successful exploitation starting May 17, 2026, across multiple customers, though no lateral movement was detected from compromised devices. The attacks occurred in two waves, first from hosting provider Vultr and then from Dromatics Systems, with the second wave achieving internal network access via VPN. Organizations are urged to apply patches immediately, as the CVSS score was raised to 7.8 (High) and the vulnerability has been added to CISA KEV.
Key findings
- Authentication bypass CVE-2026-0257 enables unauthenticated VPN access when CAS is disabled and override cookies are enabled.
- Exploitation began on May 17, 2026, and was observed across multiple Rapid7 MDR customers.
- Attacks originated from hosting providers Vultr (first wave) and Dromatics Systems (second wave), with the second wave establishing full VPN tunnels and gaining internal network access.
- No evidence of lateral movement or further compromise was observed after initial VPN connection.
- CVSS score was increased from 4.7 to 7.8 (High), and the vulnerability was added to the CISA Known Exploited Vulnerabilities catalog.
Relevance for you
Rapid7 MDR observed active exploitation of this authentication bypass by multiple attackers against numerous customers; the vulnerability enables unauthenticated remote access to VPN gateways under specific configurations.
Mentioned CVEs
Risk score
- cvss base
- 0.00
- kev bonus
- 0.00
- epss bonus
- 0.00
- poc bonus
- 15.00
- raw before weight
- 15.00
- industry weight
- 1.10
- freshness factor
- 1.00
- days old
- 0.00
- vendor mismatch penalty
- 0.00
Path: operational