
Hackers are actively exploiting a security flaw in Palo Alto Networks’ GlobalProtect VPN software, the company confirmed this week. The vulnerability, tracked as CVE-2026-0257, allows attackers to forge VPN credentials and slip into a company’s network as if they were a legitimate user — no password required. Palo Alto updated its advisory on Friday to warn that real-world attacks against unpatched devices had begun, and the US Cybersecurity and Infrastructure Security Agency (CISA) immediately added it to its list of known exploited vulnerabilities, ordering federal agencies to apply fixes by June 1, 2026.
The attacks take advantage of how GlobalProtect handles “authentication override cookies” — a feature that lets users stay logged in to VPNs without re-entering their password each time. When the feature is configured in a specific way, attackers can forge these cookies to impersonate legitimate users and gain network access. Researchers first observed exploitation attempts starting May 17, with follow-up waves detected on May 18 and May 21. If your workplace uses a Palo Alto firewall as its VPN gateway, your IT team needs to act immediately.
How to check if you’re affected
Affected systems include PAN-OS firewalls running GlobalProtect portal or gateway features with authentication override cookies enabled. Your IT or network team can check the firewall’s security advisory panel for CVE-2026-0257, or review Palo Alto’s official advisory at security.paloaltonetworks.com. As an immediate workaround, disabling the authentication override feature or generating a new dedicated certificate for it blocks the attack path. Palo Alto has released patches — if you manage a GlobalProtect deployment, apply them today.
