Your VPN just let someone in without a password.

Not because they guessed it. Not because someone clicked a phishing link. Because the authentication check never happened at all.

CVE-2026-0257 is an authentication bypass in Palo Alto Networks PAN-OS affecting the GlobalProtect portal and gateway. The flaw is subtle: when the certificate used to encrypt authentication override cookies is also bound to another interface serving HTTPS, the gateway decrypts the cookie without any signature verification. Any TLS client can read the public key out of the exposed HTTPS certificate, so an attacker can use it to forge a cookie the gateway accepts as valid and establish a full VPN session with no credentials at all.
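The design failure in one runnable sketch: a cookie that is encrypted but not authenticated is accepted on the strength of decrypting cleanly, so whoever holds the key material needed to produce ciphertext (here, derived from the public certificate) can mint one. This is an added Python illustration, not Palo Alto's code; the cookie layout, the hash-counter cipher standing in for the real one, and the `PUBLIC_CERT_MATERIAL` and `GATEWAY_SECRET` names are all constructed for the example. The hardened variant shows the check that was missing: a MAC under a secret that never leaves the gateway, verified before the cookie is trusted.

```python
"""
Toy model of the flaw class: an authentication override cookie that is
encrypted under a key anyone holding the public certificate can reproduce,
with no signature or MAC proving the gateway issued it.

Added illustration, not Palo Alto code. The cookie layout, the hash-counter
"cipher", and the derivation of the key from public material are stand-ins
chosen so the example runs with the standard library only.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed stand-ins (assumptions, not real names or values).
PUBLIC_CERT_MATERIAL = b"constructed certificate bytes (any TLS client can read these)"
GATEWAY_SECRET = os.urandom(32)  # private to the gateway; never sent to clients
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Hash-counter keystream standing in for a real cipher (illustration only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _public_key() -> bytes:
    # The flaw: the only key needed to mint a cookie is derived from
    # material the attacker can fetch from the exposed HTTPS certificate.
    return hashlib.sha256(PUBLIC_CERT_MATERIAL).digest()


# ---- Vulnerable design: encrypt only, trust whatever decrypts cleanly ----

def vuln_encrypt_cookie(fields: dict, nonce: bytes = b"\x00" * 8) -> bytes:
    plain = json.dumps(fields, sort_keys=True).encode()
    return nonce + _xor(plain, _keystream(_public_key(), nonce, len(plain)))


def vuln_accept_cookie(cookie: bytes) -> Optional[dict]:
    """Decrypts and accepts any well-formed, unexpired cookie.
    Nothing here checks that the gateway produced it."""
    nonce, body = cookie[:8], cookie[8:]
    try:
        fields = json.loads(_xor(body, _keystream(_public_key(), nonce, len(body))))
    except ValueError:  # covers both JSON and UTF-8 decode failures
        return None
    if isinstance(fields, dict) and {"user", "exp"}.issubset(fields) and fields["exp"] > time.time():
        return fields
    return None


def attacker_forge(user: str) -> bytes:
    """Attacker holding only the public certificate mints a cookie for any user."""
    return vuln_encrypt_cookie({"user": user, "exp": time.time() + 3600})


# ---- Hardened design: same encryption, plus a MAC under a gateway-only secret ----

def safe_issue_cookie(user: str, ttl: int = 3600) -> bytes:
    body = vuln_encrypt_cookie({"user": user, "exp": time.time() + ttl}, os.urandom(8))
    tag = hmac.new(GATEWAY_SECRET, body, hashlib.sha256).digest()
    return body + tag


def safe_accept_cookie(cookie: bytes) -> Optional[dict]:
    """Verify the MAC first; only a cookie the gateway minted gets decrypted."""
    if len(cookie) <= TAG_LEN:
        return None
    body, tag = cookie[:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(GATEWAY_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # forged or tampered: reject before trusting any field
    return vuln_accept_cookie(body)


def demo() -> dict:
    forged = attacker_forge("admin")
    legit = safe_issue_cookie("alice")
    # Flip one bit in the encrypted body of a genuine cookie, keep its tag.
    idx = len(legit) - TAG_LEN - 1
    tampered = legit[:idx] + bytes([legit[idx] ^ 0x01]) + legit[idx + 1:]
    return {
        "vuln_accepts_forged": vuln_accept_cookie(forged) is not None,
        "safe_accepts_forged": safe_accept_cookie(forged) is not None,
        "safe_accepts_legit": safe_accept_cookie(legit) is not None,
        "safe_accepts_tampered": safe_accept_cookie(tampered) is not None,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The first line of output shows the vulnerable path accepting a cookie nobody at the gateway issued; the rest show the MAC rejecting the same forgery and a bit-flipped genuine cookie while still accepting an untouched one. The lesson is the old one that encryption is not authentication: confidentiality of the cookie says nothing about who created it, and a decryption routine that never asks that question is an open door.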

Active exploitation started May 17. A second wave hit May 21, this time from a dedicated hosting provider. CISA added it to the Known Exploited Vulnerabilities catalog with a federal deadline of June 1.

The uncomfortable part: this isn’t an obscure edge case. GlobalProtect is deployed at thousands of enterprises as the primary remote access control point. An unauthenticated VPN connection means an attacker is inside your network, looking like a legitimate user from the moment they connect.

This is the sixth major edge device exploited in 2026. FortiGate, Cisco SD-WAN, Ivanti EPMM, SonicWall, Cisco again — now Palo Alto. The pattern is no longer a vendor problem. It is a product category problem.

Next 48 hours:
– Patch to PAN-OS 11.2.12, 11.1.15, 10.2.18-h6, 12.1.4-h6, or 12.1.7.
– Review VPN connection logs for session establishment without a corresponding MFA event for the same user; a cookie-based gateway login that no recent MFA success explains is the signal to chase.
– Check whether the certificate used for GlobalProtect authentication override cookies is also bound to an HTTPS interface. If it is, treat the box as priority one until patched: that sharing is the precondition for the bypass.
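As an added example of the log-review step (not from the post, and not using PAN-OS's real log schema): a small correlator over constructed log lines in an assumed `key=value` layout. It flags gateway logins with no MFA success for that user in the preceding window, and logins whose MFA came from a different source address. Field names such as `event=gateway-login` and `auth=cookie` are assumptions; map them onto whatever your SIEM actually stores.

```python
"""
Correlate VPN gateway logins against MFA events and flag logins that lack a
preceding MFA success for the same user, or whose source address differs
from the one that passed MFA.

Added example. The log lines are constructed and the "<ts> <source> k=v ..."
layout is an assumed generic format, not the PAN-OS log schema.
"""
from datetime import datetime, timedelta, timezone
from typing import List

# Constructed sample data (RFC 5737 documentation addresses).
MFA_LOG = """\
2026-05-17T08:00:05Z mfa result=success user=alice src=203.0.113.10
2026-05-17T08:30:40Z mfa result=success user=bob src=198.51.100.7
2026-05-17T09:10:00Z mfa result=failure user=carol src=192.0.2.33
2026-05-17T07:55:00Z mfa result=success user=dave src=203.0.113.44
"""

VPN_LOG = """\
2026-05-17T08:00:20Z gp event=gateway-login user=alice src=203.0.113.10 auth=cookie
2026-05-17T08:31:02Z gp event=gateway-login user=bob src=198.51.100.7 auth=cookie
2026-05-17T09:10:30Z gp event=gateway-login user=carol src=192.0.2.33 auth=cookie
2026-05-17T11:45:11Z gp event=gateway-login user=admin src=192.0.2.77 auth=cookie
2026-05-17T12:02:09Z gp event=gateway-login user=dave src=192.0.2.90 auth=cookie
"""


def parse_line(line: str) -> dict:
    """'<ISO-8601 ts> <source> k=v k=v ...' -> dict with a parsed 'ts'."""
    ts, source, *pairs = line.split()
    rec = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "source": source,
    }
    for pair in pairs:
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def parse_log(text: str) -> List[dict]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_unattested_logins(mfa_text: str, vpn_text: str,
                           window: timedelta = timedelta(hours=24)) -> List[dict]:
    """Gateway logins with no MFA success for that user inside `window`
    before the login, or whose MFA success came from another address."""
    successes = [r for r in parse_log(mfa_text) if r.get("result") == "success"]
    findings = []
    for login in parse_log(vpn_text):
        if login.get("event") != "gateway-login":
            continue
        candidates = [
            m for m in successes
            if m["user"] == login["user"]
            and login["ts"] - window <= m["ts"] <= login["ts"]
        ]
        finding = {"user": login["user"], "ts": login["ts"], "src": login["src"]}
        if not candidates:
            findings.append({**finding, "reason": "no MFA success in window"})
        elif all(m["src"] != login["src"] for m in candidates):
            findings.append({**finding, "reason": "MFA passed from a different source address"})
    return findings


if __name__ == "__main__":
    for f in find_unattested_logins(MFA_LOG, VPN_LOG):
        print(f"{f['ts'].isoformat()} user={f['user']} src={f['src']}: {f['reason']}")
```

Set `window` to the authentication override cookie lifetime you actually have configured: a shorter window produces false positives from legitimate cookie reuse, a longer one lets a forged cookie hide behind a stale MFA event. The source-address check is a weaker signal (roaming users trip it) but is cheap and catches the case where a real user's MFA is being borrowed as cover.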
