Palo Alto Networks says PAN-OS GlobalProtect vulnerability is under ongoing exploitation

Active attacks against enterprise VPNs
Palo Alto Networks is warning that attackers are actively exploiting an authentication bypass vulnerability in PAN-OS GlobalProtect that can let them establish unauthorized VPN connections through corporate devices.
The flaw, tracked as CVE-2026-0257, was patched earlier this month. Palo Alto initially rated it Medium severity, saying exploitation required devices to be configured with authentication override cookies enabled and a specific certificate setup. On Friday, the company revised its advisory, saying it had become aware of limited exploit attempts against unpatched PAN-OS devices without mitigations and raised the issue to High severity.
"GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection," the company said in its advisory.
The update follows a separate warning from Rapid7, which said it had observed successful exploitation across numerous customers beginning May 17. Rapid7 said it did not see evidence of successful lateral movement from the affected devices, but noted that the vulnerability had been added to the CISA Known Exploited Vulnerabilities catalog as of May 29, 2026.
According to Rapid7, the attacks used forged authentication override cookies to authenticate to GlobalProtect gateways and target the local administrator account. The company said it first saw exploitation on May 18 from infrastructure hosted by Vultr, followed by a second wave on May 21 originating from Dromatics Systems.
In some cases, attackers were able to connect to devices over VPN using forged cookies and gain access to internal networks. In other incidents, the appliance accepted the forged cookie but a full VPN session could not be established.
Rapid7 said affected devices had GlobalProtect authentication override cookies enabled and were configured in a way that allowed attackers to forge valid cookies. The issue stems from how PAN-OS validates the cookie: the VPN device decrypts it with the configured private key and trusts the decrypted contents without verifying a signature. Public-key encryption provides confidentiality, not origin authentication, so anyone holding the public key can produce a ciphertext that decrypts cleanly. If the same certificate is used for both the HTTPS service and authentication override cookies, an attacker can read the public key straight out of the TLS handshake and use it to encrypt a cookie the device accepts as legitimate.
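As an added illustration of the validation flaw described above (not Palo Alto's code and not the real PAN-OS cookie format), the following Python models a cookie that the server decrypts and then trusts, beside a variant that also verifies a MAC under a key the client never sees. The attacker side only ever holds the public key, which is exactly what a shared HTTPS certificate hands out. Textbook RSA with small toy parameters and no padding is used purely so the example runs on the standard library; the cookie fields, the `validate_cookie_*` and `forge_cookie` names, and the gateway-only `mac_key` are assumptions made for the example.

```python
"""Added illustration only: a toy model of 'decrypt-and-trust' cookie validation.
NOT the real PAN-OS cookie format or Palo Alto's code. Textbook RSA (no padding)
is used so the example runs on the Python standard library alone."""
import hashlib
import hmac
import json
import math
import secrets

TAG_LEN = 32  # bytes of HMAC-SHA256 appended in the hardened variant


def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin probable-prime test; adequate for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(c):
            return c


def keygen(bits: int = 768):
    """Return ((n, e), (n, d)): stands in for the appliance's certificate key pair."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_encrypt(pub, plaintext: bytes) -> int:
    n, e = pub
    m = int.from_bytes(plaintext, "big")
    if m >= n:
        raise ValueError("plaintext too long for toy modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, ciphertext: int) -> bytes:
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def forge_cookie(pub, claims: dict) -> int:
    """Attacker side: needs only the public key, which the TLS handshake
    exposes when the same certificate fronts the portal's HTTPS service."""
    return rsa_encrypt(pub, json.dumps(claims).encode())


def validate_cookie_vulnerable(priv, cookie: int):
    """Decrypt and trust the plaintext: the pattern the advisory describes."""
    try:
        return json.loads(rsa_decrypt(priv, cookie))
    except (ValueError, UnicodeDecodeError):
        return None


def issue_cookie_hardened(pub, mac_key: bytes, claims: dict) -> int:
    """Server side: bind the claims to a secret the client never sees."""
    payload = json.dumps(claims).encode()
    tag = hmac.new(mac_key, payload, hashlib.sha256).digest()
    return rsa_encrypt(pub, payload + tag)


def validate_cookie_hardened(priv, mac_key: bytes, cookie: int):
    """Decrypt, then verify the MAC before believing any field."""
    pt = rsa_decrypt(priv, cookie)
    if len(pt) <= TAG_LEN:
        return None
    payload, tag = pt[:-TAG_LEN], pt[-TAG_LEN:]
    expected = hmac.new(mac_key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        return json.loads(payload)
    except (ValueError, UnicodeDecodeError):
        return None


def run_demo() -> dict:
    pub, priv = keygen()
    mac_key = secrets.token_bytes(32)  # assumed gateway-only secret
    forged_claims = {"user": "admin", "gateway": "gp-gw1"}  # constructed claims
    forged = forge_cookie(pub, forged_claims)
    legit = issue_cookie_hardened(pub, mac_key, {"user": "alice"})
    return {
        "vulnerable_accepts_forgery": validate_cookie_vulnerable(priv, forged) == forged_claims,
        "hardened_rejects_forgery": validate_cookie_hardened(priv, mac_key, forged) is None,
        "hardened_accepts_legit": validate_cookie_hardened(priv, mac_key, legit) == {"user": "alice"},
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```

The point of the contrast is that the vulnerable validator never asks who produced the cookie; decrypting successfully is mistaken for proof that the gateway issued it. A MAC (or a signature under a key separate from the TLS certificate) is what supplies that proof, and it holds even when the encryption key is shared with the HTTPS service.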