CVE-2026-0257: Palo Alto Networks Authentication Bypass

June 2, 2026 00:00 · 12 min read
CVE-2026-0257 Exploitation: A Critical Threat to Palo Alto Networks Customers

Researchers and threat hunters are scrambling to respond to an actively exploited authentication-bypass vulnerability affecting Palo Alto Networks customers’ firewalls. The company initially tagged CVE-2026-0257 with a medium-severity rating when it disclosed the defect on May 13, but quickly reassessed it as critical after Rapid7 observed and confirmed active exploitation in the wild.

The Cybersecurity and Infrastructure Security Agency followed suit and added the vulnerability to its Known Exploited Vulnerabilities catalog on Friday. The escalated threat posed by the defect, which allows remote attackers to bypass security restrictions and establish a VPN connection to an affected firewall, shows how quickly a seemingly mild vulnerability can turn into an urgent warning.

Impact and Exploitation

Palo Alto Networks is actively monitoring limited exploitation attempts targeting CVE-2026-0257 on unpatched PAN-OS devices where mitigations have not been applied, according to a company spokesperson. The company on Friday urged all customers to immediately apply the patch or follow its recommended steps for mitigation.

Douglas McKee, director of vulnerability intelligence at Rapid7, warned:

We’ve continued to see new victims roll in, including a couple of customers hit within just an hour of each other during a second wave of activity on May 21.

Yet the vendor and Rapid7 declined to say how many organizations are impacted thus far.

Trend and Analysis

Jake Knott, security researcher at watchTowr, told CyberScoop that the vulnerability and resulting exploits follow a recurring trend wherein attackers target exposed network edge devices and rapidly identify, develop and weaponize exploits for initial access. This is yet another authentication bypass on a device whose sole job is to guard the front door to an organization’s network, he said.

Caitlin Condon, vice president of security research at VulnCheck, explained that the vulnerability has a few prerequisites that limit exposure, specifically posing risk to Palo Alto Networks customers running a GlobalProtect portal or gateway configured to enable authentication override cookies. The cookie encryption and decryption certificate must also be reused with another feature, which potentially exposes the public key for that certificate, she said.
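The prerequisites Condon describes are configuration facts that can be checked offline. The script below is an added example, not code from Palo Alto Networks, VulnCheck or CyberScoop: it parses an exported PAN-OS XML configuration and flags every GlobalProtect portal or gateway that both enables authentication override cookies and points its cookie encrypt/decrypt certificate at a certificate referenced elsewhere in the configuration. The element names (authentication-override, generate-cookie, accept-cookie, cookie-encrypt-decrypt-cert), their placement under global-protect, and the sample configuration are assumptions of this example; confirm them against a real export before acting on the output.

```python
"""Audit an exported PAN-OS XML config for the exposure prerequisites
described above: a GlobalProtect portal or gateway with authentication
override cookies enabled whose cookie encrypt/decrypt certificate is also
referenced by another feature.

Added example, not vendor code. Element names (authentication-override,
generate-cookie, accept-cookie, cookie-encrypt-decrypt-cert) are assumed
from the PAN-OS schema; confirm against a real export before relying on it.
"""
import xml.etree.ElementTree as ET

# Constructed sample export, not a real device's configuration: one portal
# with override cookies on and its cookie certificate shared with an SSL/TLS
# service profile, one gateway with cookie generation switched off.
SAMPLE_CONFIG = """<config>
  <shared><ssl-tls-service-profile>
    <entry name="gp-portal-tls"><certificate>gp-cookie-cert</certificate></entry>
  </ssl-tls-service-profile></shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><global-protect>
    <global-protect-portal><entry name="corp-portal">
      <client-config><configs><entry name="default">
        <authentication-override>
          <generate-cookie>yes</generate-cookie>
          <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
          <cookie-encrypt-decrypt-cert>gp-cookie-cert</cookie-encrypt-decrypt-cert>
        </authentication-override>
      </entry></configs></client-config>
    </entry></global-protect-portal>
    <global-protect-gateway><entry name="corp-gateway">
      <remote-user-tunnel-configs><entry name="default">
        <authentication-override><generate-cookie>no</generate-cookie></authentication-override>
      </entry></remote-user-tunnel-configs>
    </entry></global-protect-gateway>
  </global-protect></entry></vsys></entry></devices>
</config>"""

GP_KINDS = ("global-protect-portal", "global-protect-gateway")


def _path(node, parent):
    """Human-readable path of an element, naming <entry> nodes."""
    parts = []
    while node is not None:
        name = node.get("name") if node.tag == "entry" else None
        parts.append(f'entry[@name="{name}"]' if name else node.tag)
        node = parent.get(node)
    return "/".join(reversed(parts))


def _owner(node, parent):
    """Return (portal|gateway|unknown, name of the enclosing portal/gateway entry)."""
    owner = None
    while node in parent:
        node = parent[node]
        if node.tag == "entry" and node.get("name"):
            owner = node.get("name")          # outermost entry before the container wins
        if node.tag in GP_KINDS:
            return node.tag[len("global-protect-"):], owner
    return "unknown", owner


def audit(xml_text):
    """Return one finding per authentication-override block in the config."""
    root = ET.fromstring(xml_text.strip())
    parent = {child: p for p in root.iter() for child in p}   # ElementTree has no parent links
    findings = []
    for ao in root.iter("authentication-override"):
        generate = (ao.findtext("generate-cookie") or "no").strip() == "yes"
        accept = ao.find("accept-cookie") is not None
        cert = (ao.findtext("cookie-encrypt-decrypt-cert") or "").strip()
        # Any other element whose value is the cert name counts as reuse
        # (e.g. an SSL/TLS service profile pointing at the same certificate).
        reuse = [_path(el, parent) for el in root.iter()
                 if cert and el.tag != "cookie-encrypt-decrypt-cert"
                 and (el.text or "").strip() == cert]
        kind, name = _owner(ao, parent)
        findings.append({
            "kind": kind, "name": name,
            "cookies_enabled": generate or accept,
            "cert": cert or None,
            "cert_reused_at": reuse,
            "exposed": (generate or accept) and bool(reuse),
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        flag = "EXPOSED " if f["exposed"] else "ok      "
        print(f"{flag} {f['kind']}={f['name']} cookies={f['cookies_enabled']} "
              f"cert={f['cert']} reused_at={f['cert_reused_at']}")
```

The reuse check is deliberately broad: any element anywhere in the configuration whose value equals the cookie certificate name is reported, so an SSL/TLS service profile or any other profile sharing the certificate will surface, and a false positive is cheaper here than a missed match. The script says nothing about PAN-OS patch level; a hit means "review this device", not "this device is compromised".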

Attacker Behavior and Objectives

Rapid7 said the same attacker or group is likely responsible for both waves of exploitation last month, but in many cases attackers are not establishing a full VPN connection or moving to other parts of the impacted network. The attackers are highly opportunistic and clearly monitor the security research community, McKee said.

Researchers have not attributed the malicious activity to any specific threat groups.

Their exact origins and long-term objectives remain unclear, as they currently seem focused purely on opportunistic initial access rather than targeted, long-term espionage, McKee said.

Conclusion and Recommendations

Palo Alto Networks said it discovered the vulnerability internally through its use of frontier AI tools. Yet, within days of its public disclosure, initial assessments were proven inadequate. Organizations that wait for confirmation of active exploitation before patching will consistently find themselves reacting too late, Knott said.


Source: CyberScoop