Attackers Forge VPN Sessions Through Palo Alto GlobalProtect Flaw CVE-2026-0257

An authentication bypass in PAN-OS GlobalProtect lets unauthenticated attackers forge override cookies and establish unauthorized VPN sessions. Exploitation began days after the patch, landing the bug on CISA's KEV list and underscoring the edge-device crisis.

Published June 18, 2026

A VPN Bug That Forges Its Own Credentials

Palo Alto Networks is contending with active exploitation of CVE-2026-0257, an authentication bypass in the GlobalProtect portal and gateway components of PAN-OS. The flaw lets a remote, unauthenticated attacker forge authentication override cookies and establish an unauthorized VPN session into a target network. Severity ratings have varied across trackers from 7.8 to 9.1, but the practical impact is the same regardless of the number: an attacker who reaches the GlobalProtect interface can walk in as if they had valid credentials, then pivot toward the internal resources the VPN was meant to protect.

The root cause is a familiar one for edge devices. According to the technical analysis, affected firewalls rely on cookies but fail to perform detailed validation and integrity checking, and the issue surfaces when authentication override cookies are enabled alongside a specific certificate configuration. Palo Alto addressed the vulnerability on May 13, but the conditions that make it exploitable are common in real deployments. Edge appliances that terminate VPN traffic sit at the most sensitive seam of the network, and a cookie-validation gap there is exactly the kind of flaw that turns a perimeter device into an open door.

From Disclosure to Mass Exploitation in Days

The timeline is what makes this case urgent. Rapid7 confirmed active exploitation across multiple customer environments roughly two weeks after the May 13 fix, documenting two distinct waves. The first began around May 18 from infrastructure hosted by Vultr, and a second appeared on May 21 originating from a provider identified as Dromatics Systems. In both, attackers used forged authentication override cookies aimed at the local administrator account. CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, setting a federal remediation deadline of June 1 and signaling that the threat was no longer theoretical.

On June 9, Palo Alto's Unit 42 published its own threat brief documenting exploitation by an unidentified threat actor probing GlobalProtect interfaces at scale. Notably, Unit 42 reported that only a small portion of probed devices actually established VPN sessions, with no post-access lateral movement observed at the time of publication. That is cold comfort. The gap between the patch release and working proof-of-concept code was measured in days, and the speed at which commodity attackers picked it up confirms a pattern we keep seeing: VPN and firewall bugs are now weaponized faster than most enterprises can schedule a maintenance window.

The Edge Device Problem, Again

CVE-2026-0257 lands in a year already crowded with edge-appliance disasters. Check Point's IKEv1 VPN flaw, the FortiBleed credential leak, and the FortiSandbox exploitation wave have all hit in recent weeks, and the through-line is the same: the very devices organizations buy to keep attackers out have become the most reliable way in. These boxes are internet-facing by design, run proprietary software that defenders cannot easily inspect, and are frequently left unpatched because taking down the VPN means taking down remote access for the whole company.

We have reached the point where security teams should treat every internet-facing VPN concentrator as a high-probability breach vector rather than a trusted control. The forged-cookie technique in this case is particularly insidious because it produces what looks like legitimate authenticated activity. An attacker riding a forged override cookie does not trip failed-login alarms, and the resulting VPN session can blend into normal remote-work traffic. Detection has to move beyond authentication failures toward anomalies in session origin, device identifiers, and post-connection behavior.

Indicators and Detection

Unit 42 published a concrete set of indicators that defenders should operationalize immediately. The threat brief lists malicious source addresses including 23.128.228.6, 104.207.144.154, the range 146.19.216.119 through 146.19.216.125, 179.43.172.213, 185.195.232.139, 198.12.106.60, and 202.144.192.47. It also flagged suspicious host identifiers used in the forged sessions, including obviously synthetic MAC addresses such as aa:bb:cc:dd:ee:ff and 00:11:22:33:44:55, and placeholder hostnames like WINDOWS-LAPTOP-001, DESKTOP-GP01, and GP-CLIENT.

Those host identifiers are a gift to defenders because they are sloppy. Real corporate endpoints do not announce themselves with textbook-example MAC addresses or generic hostnames, so any GlobalProtect session presenting these values should be treated as malicious on sight. Teams should hunt their VPN logs back to mid-May, alert on the listed source IPs, and specifically scrutinize override-cookie authentications targeting local administrator accounts. The presence of these markers is not just a sign of attempted exploitation; it is a strong indicator that someone reached the interface and tried to forge their way in.
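The hunt described above, as an added example that is not part of the original article or of any Palo Alto or Unit 42 tooling: it runs the published indicators over GlobalProtect authentication records and flags the combination the article describes (listed source IPs, synthetic MACs, placeholder hostnames, and override-cookie logins to the local administrator account). The CSV column layout and the sample records are constructed for the example; real GlobalProtect logs would need to be exported or mapped into these fields first, and the local administrator account is assumed to be named `admin`.

```python
import csv
import io
import ipaddress

# Indicators as quoted from the Unit 42 brief in the article above.
IOC_SOURCE_IPS = {
    "23.128.228.6", "104.207.144.154", "179.43.172.213",
    "185.195.232.139", "198.12.106.60", "202.144.192.47",
}
# The brief lists 146.19.216.119 through .125 as a contiguous range.
IOC_RANGE = (ipaddress.ip_address("146.19.216.119"), ipaddress.ip_address("146.19.216.125"))
SYNTHETIC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
PLACEHOLDER_HOSTS = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT"}
LOCAL_ADMIN = "admin"  # assumed name of the local administrator account

def is_ioc_ip(ip: str) -> bool:
    """True if the source address is a listed indicator or falls in the listed range."""
    if ip in IOC_SOURCE_IPS:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return IOC_RANGE[0] <= addr <= IOC_RANGE[1]

def triage(rec: dict) -> list[str]:
    """Return every reason a single auth record is suspicious (empty list = nothing to see)."""
    reasons = []
    if is_ioc_ip(rec["src_ip"]):
        reasons.append("source IP in Unit 42 indicator list")
    if rec["mac"].lower() in SYNTHETIC_MACS:
        reasons.append("synthetic MAC address")
    if rec["hostname"].upper() in PLACEHOLDER_HOSTS:
        reasons.append("placeholder hostname")
    # A successful override-cookie login to the local admin is the exploitation pattern itself.
    if (rec["auth_method"] == "auth-override-cookie" and rec["user"].lower() == LOCAL_ADMIN
            and rec["event"] == "login-success"):
        reasons.append("override-cookie login to local administrator")
    return reasons

def scan(log_text: str) -> list[tuple[str, list[str]]]:
    """Run triage over a CSV export (constructed column layout) and return the flagged records."""
    hits = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        reasons = triage(rec)
        if reasons:
            hits.append((f"{rec['time']} {rec['src_ip']} {rec['user']}", reasons))
    return hits

# Constructed sample records: two forged-cookie sessions mixed with two legitimate logins.
SAMPLE_LOG = """time,src_ip,user,auth_method,hostname,mac,event
2026-05-19T03:14:07Z,146.19.216.121,admin,auth-override-cookie,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,login-success
2026-05-19T03:15:40Z,203.0.113.42,jsmith,saml,CORP-LT-4471,3c:22:fb:1a:9e:40,login-success
2026-05-21T11:02:55Z,198.51.100.9,admin,auth-override-cookie,GP-CLIENT,00:11:22:33:44:55,login-success
2026-05-21T11:03:01Z,198.51.100.77,mgarcia,auth-override-cookie,CORP-LT-0912,f0:18:98:2b:c3:d1,login-success
"""

if __name__ == "__main__":
    for session, reasons in scan(SAMPLE_LOG):
        print(session, "->", "; ".join(reasons))
```

The fourth record shows why the admin-account check matters: an override cookie used by an ordinary user from a normal endpoint is legitimate session resumption, not the forgery pattern, and is left unflagged.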

What To Do Now

The remediation path is direct. Organizations running GlobalProtect should confirm they have applied the May 13 fix and, critically, review whether authentication override cookies are enabled in combination with the vulnerable certificate configuration. Where that configuration is not strictly required, it should be disabled to remove the precondition for exploitation entirely. Federal agencies were already bound by the June 1 CISA deadline, but the private sector has no such forcing function and the exploitation data suggests many enterprises remain exposed.

Beyond the immediate patch, this incident reinforces a hard truth about VPN architecture. A single appliance flaw should not grant network-wide access, yet that is precisely what GlobalProtect compromise enables in flat networks. The defensible posture is to assume the VPN tier can fall and to segment accordingly, placing strong internal authentication and monitoring behind the perimeter so that a forged session lands an attacker in a contained zone rather than the open network. Edge devices will keep failing. The question is whether your architecture treats that failure as catastrophic or merely inconvenient.
