Skip to content
Auto-CTI
Back to all deep dives
RAPID7 CYBERSECURITY BLOG

Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)

HIGH CVE-2026-0257 PAN-OS GlobalProtect active-exploitation
Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)

Strategic summary

On May 13, 2026, a medium severity authentication bypass vulnerability (CVE-2026-0257) was disclosed in PAN-OS GlobalProtect, allowing unauthenticated attackers to establish VPN connections when Cloud Authentication Service is disabled and authentication override cookies are enabled. Rapid7 observed successful exploitation starting May 17, 2026, across multiple customers, though no lateral movement was detected from compromised devices. The attacks occurred in two waves, first from hosting provider Vultr and then from Dromatics Systems, with the second wave achieving internal network access via VPN. Organizations are urged to apply patches immediately, as the CVSS score was raised to 7.8 (High) and the vulnerability has been added to CISA KEV.

Key findings

  • Authentication bypass CVE-2026-0257 enables unauthenticated VPN access when CAS is disabled and override cookies are enabled.
  • Exploitation began on May 17, 2026, and was observed across multiple Rapid7 MDR customers.
  • Attacks originated from hosting providers Vultr (first wave) and Dromatics Systems (second wave), with the second wave establishing full VPN tunnels and gaining internal network access.
  • No evidence of lateral movement or further compromise was observed after initial VPN connection.
  • CVSS score was increased from 4.7 to 7.8 (High), and the vulnerability was added to the CISA Known Exploited Vulnerabilities catalog.

Relevance for you

Rapid7 MDR observed active exploitation of this authentication bypass by multiple attackers against numerous customers; the vulnerability enables unauthenticated remote access to VPN gateways under specific configurations.

Mentioned CVEs

Risk score

20
cvss base
0.00
kev bonus
0.00
epss bonus
0.00
poc bonus
15.00
raw before weight
15.00
industry weight
1.10
freshness factor
1.00
days old
0.00
vendor mismatch penalty
0.00

Path: operational

ESC