Threat Actors Exploit GlobalProtect Vulnerability CVE-2026-0257

June 1, 2026

THE THREAT

On May 29th, 2026, Palo Alto Networks updated its advisory to confirm active exploitation of an authentication bypass vulnerability in PAN-OS GlobalProtect portal and gateway components. The vulnerability is tracked as CVE-2026-0257 (CVSS: 7.8); exploitation would allow the attacker to bypass security restrictions and establish an unauthorized VPN connection. Palo Alto Networks originally published the advisory on May 13th, 2026, and the May 29th update provided confirmation of limited exploit attempts.

eSentire has identified exploitation of CVE-2026-0257. As exploitation of the flaw is now confirmed, organizations are advised to apply the relevant security patches immediately.

What we're doing about it

What you should do about it

Additional information

CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS software, which allows the attacker to bypass security restrictions and establish an unauthorized VPN connection. The vulnerability impacts systems where GlobalProtect is enabled with authentication override cookies configured alongside specific certificate settings. In such scenarios, attackers can bypass authentication controls and successfully create VPN sessions without valid credentials. Panorama and Cloud Next-Generation Firewall (Cloud NGFW) are explicitly not affected by this issue.

Rapid7 identified two exploitation waves affecting multiple organizations, with both waves assessed as likely originating from a single threat actor based on a consistent device identifier. The first wave, observed May 17th, involved suspicious cookie authentication to local admin accounts across multiple customer environments. The second wave, observed May 21st, resulted in VPN Internet Protocol (IP) address assignment following cookie authentication, granting attackers access to internal networks.

Rapid7 Labs has also developed a publicly available Proof-of-Concept (PoC) script to help organizations determine whether their PAN-OS GlobalProtect appliances are vulnerable to CVE-2026-0257. This PoC enables security teams and administrators to safely validate exposure by simulating the authentication bypass condition under controlled circumstances.

In response to active exploitation, the vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, with federal agencies required to remediate by June 1st, 2026, highlighting the urgency of addressing this issue.

Organizations using affected PAN-OS or Prisma Access deployments should take immediate action by applying available security patches from Palo Alto Networks. As interim mitigations, administrators are advised to disable authentication override functionality if it is not required or to generate a new certificate dedicated to this feature.

Impacted Product List

| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h6 | >= 12.1.4-h6 |
| | < 12.1.7 | >= 12.1.7 |
| PAN-OS 11.2 | < 11.2.4-h17 | >= 11.2.4-h17 |
| | < 11.2.7-h14 | >= 11.2.7-h14 |
| | < 11.2.10-h7 | >= 11.2.10-h7 |
| | < 11.2.12 | >= 11.2.12 |
| PAN-OS 11.1 | < 11.1.4-h33 | >= 11.1.4-h33 |
| | < 11.1.6-h32 | >= 11.1.6-h32 |
| | < 11.1.7-h6 | >= 11.1.7-h6 |
| | < 11.1.10-h25 | >= 11.1.10-h25 |
| | < 11.1.13-h5 | >= 11.1.13-h5 |
| | < 11.1.15 | >= 11.1.15 |
| PAN-OS 10.2 | < 10.2.7-h34 | >= 10.2.7-h34 |
| | < 10.2.10-h36 | >= 10.2.10-h36 |
| | < 10.2.13-h21 | >= 10.2.13-h21 |
| | < 10.2.16-h7 | >= 10.2.16-h7 |
| | < 10.2.18-h6 | >= 10.2.18-h6 |
| Prisma Access 11.2.0 | < 11.2.7-h13* | >= 11.2.7-h13* |
| Prisma Access 10.2.0 | < 10.2.10-h36* | >= 10.2.10-h36* |

References:
[1] https://security.paloaltonetworks.com/CVE-2026-0257
[2] https://nvd.nist.gov/vuln/detail/cve-2026-0257
[3] https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
[4] https://www.cisa.gov/news-events/alerts/2026/05/29/cisa-adds-one-known-exploited-vulnerability-catalog
[5] https://www.cisa.gov/known-exploited-vulnerabilities-catalog
[6] https://github.com/sfewer-r7/CVE-2026-0257
