Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks

ID: afd02728-bc14-57d1-b0b2-d74a25b06573

STIX ID: report--afd02728-bc14-57d1-b0b2-d74a25b06573

Feed Name: Bleeping Computer

Threat Score: 70/100

Date Published: 2026-05-30

Date Updated: 2026-05-30

Author: Lawrence Abrams

Palo Alto Networks and Rapid7 report active exploitation of PAN-OS GlobalProtect CVE-2026-0257, an authentication override cookie validation flaw that can let attackers forge cookies to authenticate to VPN gateways. Rapid7 observed exploitation from May 17–21 and created a PoC, and CISA added the vulnerability to its KEV catalog. Recommended mitigations include installing vendor patches, disabling authentication override cookies, or using separate certificates.