
Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild

ID: 9ba8e2ad-3556-56b2-b9c3-e6bd62d5c318

STIX ID: report--9ba8e2ad-3556-56b2-b9c3-e6bd62d5c318

Feed Name: cybersecurityNews.com

Threat Score: 85/100

Date Published: 2026-05-30

Date Updated: 2026-05-30

Author: Guru Baran

...
...

**CVE-2026-0257 (Palo Alto Networks GlobalProtect) — Active exploitation:** A flaw in the GlobalProtect "authentication override" cookie handling allows unauthenticated attackers who can obtain the public key from a reused HTTPS certificate to forge authentication cookies and establish unauthorized VPN connections. Rapid7 observed exploitation waves on May 17 and May 21, 2026 (source IPs including 104.207.144.154 and 146.19.216.119/120/125), with a consistent spoofed MAC (aa:bb:cc:dd:ee:ff) and machine names GP-CLIENT and DESKTOP-GP01; some victims received full VPN IP assignments. CISA added the issue to the KEV catalog, a public PoC exists, and vendor patches/mitigations are provided — immediate patching or disabling the feature is recommended.
