On May 18, 2026, Rapid7's managed detection and response team noticed something odd: a series of suspicious authentication attempts against GlobalProtect VPN appliances across multiple customer environments, all from the same Vultr-hosted IP block. The attackers were not guessing passwords. They were presenting forged session cookies and watching the appliances accept them without question. Palo Alto Networks had publicly disclosed the flaw five days earlier, on May 13, tracking it as CVE-2026-0257, an authentication bypass in the GlobalProtect portal and gateway; exploitation began four to five days after that disclosure. Two weeks later, the U.S. Cybersecurity and Infrastructure Security Agency added it to its Known Exploited Vulnerabilities catalog, which imposes binding remediation deadlines on federal civilian agencies and, through contract flow-downs, puts pressure on federal contractors and critical infrastructure operators. The severity rating had been raised from 4.7 to 7.8 (High) by the time the exploitation waves were confirmed.

The technical mechanism is straightforward and damning. GlobalProtect can issue an authentication override cookie so that a user who has already authenticated to the portal is not challenged again at the gateway. On vulnerable appliances, that cookie is accepted without adequate validation or integrity checking before a VPN tunnel is established. An attacker who can forge or replay a cookie the appliance will accept bypasses the entire authentication layer: no password, no multi-factor authentication, no credential of any kind. Rapid7 observed exactly this in the wild. Across multiple monitored customer environments, attackers authenticated with forged cookies and established VPN connections on May 18 and again on May 21, the second wave originating from a different infrastructure provider. Palo Alto Networks now advises organizations to look for sessions originating from Windows 10 Pro 64-bit endpoints with an empty domain field in the source user record, a signature of the exploitation activity. The bypass was not uniformly successful: in at least 8 out of 10 of Rapid7's managed detection and response customers, the appliance accepted the forged cookie but failed to establish a full VPN session; full VPN access was achieved only in a minority of cases. A cookie that is accepted but never becomes a tunnel still belongs in the incident timeline, because it proves the appliance was reachable and unpatched at that moment.
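To make concrete what "no integrity checking on the cookie" means, here is an added illustration of the vulnerability class, not PAN-OS code and not a description of how GlobalProtect actually formats its cookies. A weak acceptor believes whatever an unexpired cookie says about itself, so anyone who can write the cookie is whoever it names; the hardened acceptor binds the same fields to an HMAC under a key that never leaves the appliance and checks the tag before reading anything else. The `user=...;exp=...;mac=...` layout, the field names and the key are assumptions made for the example.

```python
"""Added illustration of the vulnerability class only (not PAN-OS code): a
session cookie trusted on the strength of its own fields versus one bound to a
server-side HMAC. Cookie layout, field names and the key are assumptions."""
import hashlib
import hmac
from typing import Optional


def _parse(cookie: str) -> dict:
    """Split 'k=v;k=v' into a dict; later duplicates win, malformed parts are ignored."""
    fields = {}
    for part in cookie.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def vulnerable_accept(cookie: str, now: float) -> Optional[str]:
    """The weak pattern: any well-formed, unexpired cookie is believed, so whoever
    can write 'user=admin;exp=<future>' is admin. Nothing ties the cookie to the
    appliance that supposedly issued it, so replay and forgery are equivalent."""
    fields = _parse(cookie)
    try:
        if int(fields["exp"]) < now:
            return None
        return fields["user"]
    except (KeyError, ValueError):
        return None


def issue_cookie(user: str, key: bytes, lifetime: int, now: float) -> str:
    """Issue a cookie whose user and expiry are covered by an HMAC-SHA256 tag
    computed under a key held only by the appliance."""
    payload = f"user={user};exp={int(now) + lifetime}"
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload};mac={tag}"


def hardened_accept(cookie: str, key: bytes, now: float) -> Optional[str]:
    """The hardened pattern: recompute the tag over everything before ';mac=',
    compare it in constant time, and only then look at expiry and user."""
    payload, sep, tag = cookie.rpartition(";mac=")
    if not sep:
        return None  # no tag at all: reject before parsing any field
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None  # forged, tampered, or issued under a different key
    fields = _parse(payload)
    try:
        if int(fields["exp"]) < now:
            return None
        return fields["user"]
    except (KeyError, ValueError):
        return None
```

The design point is the ordering: authenticate the bytes first, interpret them second. A validator that parses and trusts the user field before checking a tag (or that checks only expiry, as the weak version does) is exactly the shape of flaw that lets a forged cookie stand in for a password and MFA prompt.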

The scope is massive. GlobalProtect is the standard VPN solution deployed across thousands of enterprises and in federal agencies that run Palo Alto firewalls. Any organization with a GlobalProtect portal or gateway configured, authentication override cookies enabled on it, and a specific certificate configuration in place is vulnerable. The earliest confirmed exploitation traces back to May 17–18, 2026, four to five days after the public disclosure on May 13. That timing gap is significant: it suggests attackers worked from the public disclosure rather than from a pre-existing zero-day, and had a working exploit within days. The attacker community had an operational exploit live and was actively probing corporate networks for unpatched appliances within a week of the advisory. Rapid7 assessed both exploitation waves as the work of a single threat actor, citing a consistent spoofed MAC address across both campaigns; the use of different infrastructure providers reflects infrastructure rotation rather than distinct threat actors.
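The two indicators above, the Windows 10 Pro 64-bit endpoint with an empty domain in the source user record, and one MAC address recurring across unrelated source networks, are easy to turn into a hunt over GlobalProtect session logs. The following is an added example, not Rapid7's or Palo Alto Networks' tooling: it applies the signature to GlobalProtect-style session records and then clusters the hits by client MAC to expose infrastructure rotation. The field names (`source_user`, `client_os`, `source_ip`, `client_mac`, `auth_method`, `status`) and every record are constructed for the example; map them onto the columns of your own log export. Requiring `auth_method == "cookie"` is an assumption added to cut down on legitimate local-account users, who also lack a domain.

```python
"""Added hunting example (not Rapid7's or Palo Alto Networks' tooling): apply the
exploitation signature described above to GlobalProtect-style session records and
correlate hits by client MAC. Field names and every record below are constructed
for this example; map them onto your own GlobalProtect log export."""
import ipaddress
from collections import defaultdict

SIGNATURE_OS = "Windows 10 Pro 64-bit"

# Constructed records. 'auth_method' marks whether the session was admitted on a
# cookie rather than a fresh credential check; 'status' distinguishes the common
# outcome (cookie accepted, tunnel never came up) from a full tunnel.
RECORDS = [
    {"id": 1, "time": "2026-05-18T02:11:09Z", "source_user": "alice",
     "client_os": SIGNATURE_OS, "source_ip": "203.0.113.17",
     "client_mac": "00:11:22:33:44:55", "auth_method": "cookie",
     "status": "auth_ok_no_tunnel"},
    {"id": 2, "time": "2026-05-18T08:40:51Z", "source_user": "CORP\\bob",
     "client_os": SIGNATURE_OS, "source_ip": "198.51.100.4",
     "client_mac": "66:77:88:99:aa:bb", "auth_method": "password+mfa",
     "status": "tunnel_established"},
    {"id": 3, "time": "2026-05-18T02:13:44Z", "source_user": "admin",
     "client_os": SIGNATURE_OS, "source_ip": "203.0.113.22",
     "client_mac": "00:11:22:33:44:55", "auth_method": "cookie",
     "status": "tunnel_established"},
    {"id": 4, "time": "2026-05-19T11:02:30Z", "source_user": "svc-backup",
     "client_os": "Windows 11 Pro 64-bit", "source_ip": "192.0.2.9",
     "client_mac": "cc:dd:ee:ff:00:11", "auth_method": "cookie",
     "status": "tunnel_established"},
    {"id": 5, "time": "2026-05-21T23:57:02Z", "source_user": "admin",
     "client_os": SIGNATURE_OS, "source_ip": "192.0.2.77",
     "client_mac": "00:11:22:33:44:55", "auth_method": "cookie",
     "status": "auth_ok_no_tunnel"},
]


def has_empty_domain(source_user: str) -> bool:
    """True when the user record carries no domain: neither 'DOMAIN\\user'
    nor 'user@domain'."""
    return "\\" not in source_user and "@" not in source_user


def matches_signature(rec: dict) -> bool:
    """The published indicator (Windows 10 Pro 64-bit plus empty domain),
    narrowed by the assumed cookie-admission field. Accepted-but-no-tunnel
    records are deliberately kept: they still prove the appliance was exposed."""
    return (rec["auth_method"] == "cookie"
            and rec["client_os"] == SIGNATURE_OS
            and has_empty_domain(rec["source_user"]))


def flag(records: list) -> list:
    """Return the records that match the signature, in log order."""
    return [r for r in records if matches_signature(r)]


def cluster_by_mac(hits: list) -> dict:
    """Map each client MAC to the set of /24 source networks it appeared from.
    A single MAC seen from unrelated networks is the rotation pattern Rapid7
    used to tie both waves to one actor."""
    clusters = defaultdict(set)
    for r in hits:
        net = ipaddress.ip_network(f"{r['source_ip']}/24", strict=False)
        clusters[r["client_mac"]].add(str(net))
    return dict(clusters)


def rotating_macs(clusters: dict) -> list:
    """MACs that showed up from more than one source network."""
    return sorted(mac for mac, nets in clusters.items() if len(nets) > 1)


if __name__ == "__main__":
    hits = flag(RECORDS)
    for r in hits:
        print(r["id"], r["time"], r["source_ip"], r["client_mac"], r["status"])
    print("rotating:", rotating_macs(cluster_by_mac(hits)))
```

Treat the output as a lead, not a verdict: a local-account user on a Windows 10 Pro 64-bit laptop will match the first two conditions on its own. What separates an attacker from that user is the MAC clustering and the cookie-admission path, which is why the example correlates rather than just filters, and why records with no established tunnel are kept in the timeline.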

What makes this critical for end-users, not just security teams, is that it bypasses the one control that was supposed to protect remote-access networks. A corporate VPN is meant to be the perimeter. If an attacker can authenticate to it without valid credentials, they have direct access to internal networks, file servers, and whatever else sits behind that firewall. Palo Alto Networks has not reported widespread post-exploitation activity or lateral movement so far, but that is consistent with an early reconnaissance phase in which attackers are testing which organizations are vulnerable and which are patched, and with the fact that most forged-cookie logins so far stopped short of a working tunnel. Once an attacker does establish a VPN tunnel, they hold a persistent, authenticated foothold that is much harder to detect than an external probe. The lack of observed lateral movement at this stage does not mean the vulnerability is low-impact. It means the attack is just beginning.

The federal mandate matters because it forces a speed floor. A Known Exploited Vulnerabilities listing gives federal civilian agencies a hard remediation deadline, and contractors, defense industrial base companies, and critical infrastructure operators typically inherit that deadline through contractual or regulatory obligations. For the rest of the market, this is a race: organizations that patch in the next 48 to 72 hours largely close the window; organizations that take two weeks face significant risk, because attackers are already scanning for vulnerable appliances. The window for silent exploitation, where an attacker establishes a VPN tunnel and sits quietly on the network, is measured in days, not weeks. Two practical notes follow from the conditions described above. Because the flaw depends on authentication override cookies being accepted, disabling that acceptance on the portal and gateway is the obvious interim mitigation where the patch cannot be applied immediately, at the cost of users re-authenticating at the gateway. And because exploitation began on May 17–18, patching alone does not settle the question; GlobalProtect session logs from that date onward should be reviewed against the published indicators before an appliance is declared clean. Every unpatched GlobalProtect instance is an open door.

Watch three markers over the next two weeks. First: whether post-exploitation activity spikes after the patching rush slows (mid-to-late June). Attackers may have let valid VPN sessions sit dormant specifically for this reason. Second: whether additional threat intelligence emerges linking the attack infrastructure to known APT groups or criminal organizations; that will tell us whether this campaign was opportunistic scanning or targeted hunting. Third: whether any of the successful forged-cookie authentications that Rapid7 observed turn out to have been followed by lateral movement that is detected only later, weeks into the intrusion. The lack of observed post-exploitation activity is the least reliable indicator at this stage.