PAN-OS GlobalProtect Authentication Bypass Flaw Under Active Exploitation
ID: 7c79ba6c-684f-554e-86ee-268fb7281073
STIX ID: report--7c79ba6c-684f-554e-86ee-268fb7281073
Feed Name: Cyber Press
A critical authentication bypass (CVE-2026-0257) in Palo Alto Networks PAN-OS and Prisma Access GlobalProtect is being actively exploited. Because gpsvc does not verify a signature on the authentication override cookie, an attacker can forge such a cookie and establish an unauthorized VPN session without valid credentials. Rapid7 observed exploitation waves on May 17 and May 21, 2026, featuring spoofed MAC addresses and source IPs belonging to hosting providers; some of these sessions received full VPN IP assignments and reached internal networks. CISA has added the CVE to its Known Exploited Vulnerabilities (KEV) catalog, and a public proof of concept is available. The report provides IOCs (IP addresses, a spoofed MAC address, machine names) and urgent mitigations: apply the vendor patches, disable the authentication override feature if it is not in use, and segregate the certificate used for cookie encryption.
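Added example, not taken from the Cyber Press report or from Rapid7: a small hunting script that applies the indicator categories the report names (authentication-override logins from MAC addresses not in the asset inventory, unexpected machine names, hosting-provider source IPs, and sessions that went on to receive a VPN IP) to constructed GlobalProtect-style session records. The key=value log layout, the inventory, the sample records and the 198.51.100.0/24 "hosting provider" range are all constructed for illustration; the report's actual IOC values are not reproduced on this page, and the parser would need adapting to a real PAN-OS log export.

```python
"""Hunt for suspicious GlobalProtect auth-override sessions in constructed log records."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample records in a simplified key=value layout. This is NOT the
# native PAN-OS GlobalProtect log schema; adapt parse_record() to your export.
SAMPLE_LOGS = """\
2026-05-17T02:14:09Z user=jdoe src=203.0.113.45 mac=00:11:22:33:44:55 host=JDOE-LAPTOP auth=override-cookie assigned=10.200.1.15
2026-05-17T02:15:31Z user=asmith src=198.51.100.77 mac=de:ad:be:ef:00:01 host=DESKTOP-XYZ auth=override-cookie assigned=10.200.1.16
2026-05-17T09:00:02Z user=asmith src=192.0.2.10 mac=aa:bb:cc:dd:ee:ff host=ASMITH-LAPTOP auth=saml assigned=10.200.1.40
2026-05-21T23:41:17Z user=jdoe src=198.51.100.9 mac=00:11:22:33:44:55 host=JDOE-LAPTOP auth=override-cookie assigned=-
"""

# Constructed asset inventory: the MACs and machine names each user normally connects from.
INVENTORY = {
    "jdoe": {"macs": {"00:11:22:33:44:55"}, "hosts": {"JDOE-LAPTOP"}},
    "asmith": {"macs": {"aa:bb:cc:dd:ee:ff"}, "hosts": {"ASMITH-LAPTOP"}},
}

# Constructed "hosting provider" prefix. In practice, populate this from ASN/WHOIS
# data plus the IP addresses listed in the report's IOC section.
HOSTING_NETS = [ipaddress.ip_network("198.51.100.0/24")]


@dataclass
class Finding:
    timestamp: str
    user: str
    reasons: list = field(default_factory=list)


def parse_record(line):
    """Split 'timestamp k=v k=v ...' into a dict; the timestamp is stored under 'ts'."""
    ts, *pairs = line.split()
    rec = {"ts": ts}
    for item in pairs:
        key, _, value = item.partition("=")
        rec[key] = value
    return rec


def in_hosting_range(ip_str):
    ip = ipaddress.ip_address(ip_str)
    return any(ip in net for net in HOSTING_NETS)


def assess(rec, inventory=INVENTORY):
    """Return the list of reasons a session looks like auth-override cookie abuse (empty if clean)."""
    reasons = []
    expected = inventory.get(rec.get("user"), {"macs": set(), "hosts": set()})
    if rec.get("auth") == "override-cookie":
        # A forged cookie carries whatever MAC/hostname the attacker chooses, so an
        # override login from an unknown device is the primary signal.
        if rec.get("mac", "").lower() not in expected["macs"]:
            reasons.append("auth-override login from MAC not in inventory (possible spoof)")
        if rec.get("host") not in expected["hosts"]:
            reasons.append("auth-override login from unexpected machine name")
    if in_hosting_range(rec["src"]):
        reasons.append("source IP in hosting-provider range")
    # Only escalate the VPN IP assignment when something else is already suspicious:
    # a successful assignment means the session could reach the internal network.
    if reasons and rec.get("assigned", "-") != "-":
        reasons.append(f"session was assigned VPN IP {rec['assigned']}: assume internal access")
    return reasons


def hunt(log_text, inventory=INVENTORY):
    """Run assess() over every non-empty line and collect the sessions with findings."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = assess(rec, inventory)
        if reasons:
            findings.append(Finding(rec["ts"], rec["user"], reasons))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOGS):
        print(finding.timestamp, finding.user)
        for reason in finding.reasons:
            print("  -", reason)
```

On the constructed data the second record (unknown MAC and hostname, hosting-provider source, VPN IP assigned) is the high-priority hit; the fourth is a lower-confidence lead on source IP alone. Sessions flagged with an assigned VPN IP should be treated as possible internal access and pivoted into firewall and host telemetry, not just blocked at the portal.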
