Morning Overview

Hackers are breaking into corporate networks through a Palo Alto VPN flaw, forging login cookies to walk straight past the password screen

Attackers are exploiting a newly cataloged flaw in Palo Alto Networks GlobalProtect VPN software to forge authentication cookies and connect to corporate networks without ever entering a password. The vulnerability, tracked as CVE-2026-0257, describes an authentication bypass in the GlobalProtect portal and gateway that grants unauthorized VPN access. The National Vulnerability Database published the flaw and updated its analysis record on May 29, 2026, a timeline that suggests official tracking lagged behind real-world exploitation.

How a forged cookie replaces a stolen password

Traditional VPN attacks depend on phishing credentials or brute-forcing passwords. CVE-2026-0257 changes that equation. The NVD record describes the issue as an authentication bypass in the GlobalProtect portal and gateway that enables unauthorized VPN connections. Instead of needing a username and password pair, an attacker who can craft or forge the right session cookie walks straight through the login screen as though already authenticated. That means multifactor authentication prompts, password complexity rules, and credential rotation schedules offer no protection once the cookie forgery succeeds.

For any organization that routes remote employees, contractors, or third-party vendors through GlobalProtect, the exposure is direct. A successful exploit places an attacker inside the perimeter with the same network privileges as a legitimate VPN user. From there, lateral movement, data exfiltration, and ransomware staging all become possible without triggering the failed-login alerts that security teams typically monitor.

Because the flaw bypasses the entire credential layer, it undermines many organizations’ core assumptions about VPN risk. Security models that treat VPN authentication as a strong trust boundary suddenly inherit the weaknesses of the cookie generation and validation logic. If an attacker can produce a token that the portal accepts as valid, they gain the full benefit of that misplaced trust.

Late-May NVD timeline points to earlier exploitation

The NVD record for CVE-2026-0257 carries a change timestamp dated May 29, 2026, indicating that analysts completed their review and updated the entry on that date. The record also references both a vendor advisory and a CISA Known Exploited Vulnerabilities (KEV) catalog query link, according to the NVD detail page. The presence of a KEV reference is significant: CISA adds vulnerabilities to that catalog only when it has credible evidence of active exploitation against real targets.

Taken together, the sequence tells a clear story. Cookie-forging campaigns were already hitting production GlobalProtect deployments before the NVD entry was fully analyzed and before the KEV reference appeared in the record. Organizations that rely solely on NVD or KEV alerts for patch prioritization were, by definition, exposed during the gap between initial exploitation and official cataloging. The late-May change-record spike aligns with a pattern seen in previous high-profile VPN flaws: attackers discover and weaponize the bug, defenders scramble to confirm scope, and government databases catch up days or weeks later.

No public count of confirmed victims has been released by CISA or Palo Alto Networks as of the NVD update. The absence of that data does not diminish the risk. It reflects the typical lag between active exploitation and formal incident disclosure, a window during which affected organizations may not yet know they have been breached. For many GlobalProtect customers, the first sign of compromise may come from secondary indicators such as unusual internal traffic, unexpected data transfers, or alerts from downstream security tools rather than from the VPN itself.

Missing vendor patch timeline and open questions

Several pieces of the puzzle are still absent from the public record. Palo Alto Networks has not released the full text of its vendor advisory through the channels reflected in the NVD references, and no specific patch version or firmware update number has been confirmed in the available documentation. Without a clear patch release date, security teams cannot verify whether a fix is available, in testing, or still pending, complicating patch management and change-control planning.

Equally unclear is the technical mechanism behind the cookie forgery itself. The NVD description confirms the authentication bypass and its effect, but no public write-up from an independent security researcher has detailed the cryptographic or implementation weakness that makes forgery possible. That gap matters because defenders need to know whether short-term mitigations, such as rotating session secrets, tightening token lifetimes, or restricting portal access by IP range, can meaningfully reduce exposure while waiting for an official patch.

CISA’s KEV catalog entry, referenced in the NVD record, typically includes a remediation deadline for federal civilian agencies. Whether that deadline has been set, and what it requires, has not been confirmed in the available source material. Private-sector organizations are not bound by KEV deadlines, but many use them as a benchmark for their own patch cycles, especially when prioritizing which VPN or perimeter-facing vulnerabilities to address first.

Until Palo Alto Networks publishes detailed remediation guidance, organizations are left to balance operational continuity against uncertain risk. Some may opt for aggressive measures such as temporarily disabling external GlobalProtect access, while others will seek more targeted controls that preserve remote work capabilities. In both cases, the lack of precise technical detail forces defenders to make decisions under conditions of incomplete information.

What network defenders should do first

Any organization running GlobalProtect as its VPN solution should treat CVE-2026-0257 as an active threat, not a theoretical risk. The combination of confirmed NVD publication, a KEV catalog reference, and an authentication bypass that removes the need for credentials places this flaw in the highest-urgency category.

The first practical step is to check the Palo Alto Networks security advisory portal for firmware updates or configuration guidance specific to this CVE. If a patch exists, it should be scheduled for expedited testing and deployment, with particular attention to externally exposed portals and gateways. Where possible, organizations should also validate that all GlobalProtect components are running supported versions that are eligible to receive fixes.

If no patch is available yet, restricting GlobalProtect portal access to known IP ranges, enabling enhanced session logging, and monitoring for anomalous VPN connections from unexpected geographies can reduce the attack surface. Security teams should also review VPN session logs for connections that bypassed normal authentication workflows, a potential indicator that cookie forgery has already been used against their environment. Unusual patterns, such as sessions that appear without corresponding login events, or rapid reconnections from disparate locations, warrant deeper investigation.
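As an added illustration of the log review described above (example code, not from the article, Palo Alto Networks, or CISA), the script below correlates VPN session events with authentication events and flags two of the patterns named: sessions with no matching successful login from the same user and source address, and same-user reconnections from different countries within a short window. The event field names and sample values are constructed assumptions, not the GlobalProtect log schema; adapt them to what your VPN and identity provider actually emit.

```python
"""Correlate VPN session events with login events to spot suspicious sessions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one dict per log line. Field names are assumptions,
# NOT the PAN-OS / GlobalProtect log format.
AUTH_EVENTS = [
    {"ts": "2026-05-28T08:00:00", "user": "alice", "src_ip": "203.0.113.10", "result": "success"},
    {"ts": "2026-05-28T08:05:00", "user": "bob", "src_ip": "198.51.100.7", "result": "success"},
]
SESSION_EVENTS = [
    {"ts": "2026-05-28T08:00:05", "user": "alice", "src_ip": "203.0.113.10", "geo": "US"},
    {"ts": "2026-05-28T08:05:03", "user": "bob", "src_ip": "198.51.100.7", "geo": "US"},
    # carol's session has no login event at all: the pattern a forged cookie would leave
    {"ts": "2026-05-28T09:10:00", "user": "carol", "src_ip": "192.0.2.55", "geo": "RO"},
    # bob reappears two minutes later from a different address and country
    {"ts": "2026-05-28T08:07:00", "user": "bob", "src_ip": "192.0.2.99", "geo": "BR"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def sessions_without_login(auth_events, session_events, window=timedelta(minutes=5)):
    """Return sessions lacking a successful login from the same user AND source
    address in the `window` immediately before the session started."""
    logins = defaultdict(list)  # (user, src_ip) -> login timestamps
    for e in auth_events:
        if e["result"] == "success":
            logins[(e["user"], e["src_ip"])].append(_ts(e))
    orphans = []
    for s in session_events:
        start = _ts(s)
        candidates = logins.get((s["user"], s["src_ip"]), [])
        if not any(timedelta(0) <= start - t <= window for t in candidates):
            orphans.append(s)
    return orphans


def rapid_geo_reconnects(session_events, window=timedelta(minutes=10)):
    """Return (user, geo_a, geo_b) for consecutive sessions of one user that
    start in different countries less than `window` apart."""
    by_user = defaultdict(list)
    for s in session_events:
        by_user[s["user"]].append(s)
    hits = []
    for user, sessions in by_user.items():
        sessions.sort(key=_ts)
        for a, b in zip(sessions, sessions[1:]):
            if a["geo"] != b["geo"] and _ts(b) - _ts(a) <= window:
                hits.append((user, a["geo"], b["geo"]))
    return hits
```

Both findings are leads for investigation rather than proof of compromise; a legitimate cached-credential reconnect or a VPN-over-VPN user can trip the geography check, so review them alongside the identity provider's own logs.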

Beyond immediate containment, organizations should revisit their broader remote-access architecture. Network segmentation, strict access controls on high-value systems, and the use of additional identity-aware proxies can help limit the blast radius if a forged cookie does grant VPN access. Incident response teams should also prepare playbooks tailored to GlobalProtect compromises, including steps for revoking active sessions, rotating any relevant secrets, and coordinating with Palo Alto Networks support if suspicious activity is detected.

Until more complete technical and remediation details emerge, the safest assumption is that motivated attackers will continue to probe GlobalProtect deployments for signs of this vulnerability. Defenders who move quickly to harden their portals, enhance monitoring, and plan for rapid patch deployment will be in a stronger position than those who wait for final advisories to arrive.


This article was researched with the help of AI, with human editors creating the final content.