CVE-2026-0257: Rapid7 Caught Attackers Abusing Forged VPN Cookies Against Multiple Customers
ID: efb25bed-58e1-5d10-8fe3-585f11ad5523
STIX ID: report--efb25bed-58e1-5d10-8fe3-585f11ad5523
Feed Name: Security Affairs
Rapid7 confirmed active exploitation of CVE-2026-0257 in Palo Alto GlobalProtect. Attackers can forge authentication cookies when a cookie encryption certificate is reused with HTTPS, which lets them bypass VPN authentication and in some cases obtain internal network access. Rapid7 observed two exploitation waves starting May 17 and published a PoC and IoCs. It recommends patching, disabling the authentication-override feature, or using a dedicated cookie certificate.
