31 May 2026 Vulnerability

Palo Alto GlobalProtect CVE-2026-0257: Actively Exploited VPN Auth Bypass — What Australian Organisations Must Do Now

A critical authentication bypass flaw in Palo Alto Networks' GlobalProtect VPN has been actively exploited since mid-May 2026, and CISA added it to its Known Exploited Vulnerabilities catalogue on 29 May 2026. Tracked as CVE-2026-0257, the flaw allows a remote unauthenticated attacker to forge session cookies and gain VPN access to an organisation's internal network — without ever supplying valid credentials. Australian businesses and government agencies that rely on PAN-OS GlobalProtect for remote access must act now.

Disclosure: This post contains affiliate links. We only recommend tools we've researched and trust. If you purchase through our links, we may earn a commission at no extra cost to you.

CVE-2026-0257 Added to CISA's Known Exploited Vulnerabilities Catalogue

On 13 May 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, a vulnerability in PAN-OS that affects devices running GlobalProtect — the company's enterprise VPN and network access product used by organisations worldwide, including thousands of Australian businesses, government agencies, and managed service providers.

At the time of initial disclosure, Palo Alto rated the flaw as Medium severity, noting that exploitation required a specific non-default configuration to be present. That assessment changed quickly. Security research firm Rapid7 reported the earliest observed exploitation on 17 May 2026, originating from infrastructure hosted at Vultr, a cloud provider commonly used to stage attack infrastructure. A second wave of exploitation arrived on 21 May 2026, observed by Rapid7's managed detection and response (MDR) team, this time with attackers operating from a hosting provider called Dromatics Systems. In that second wave, Rapid7 confirmed that attackers were successfully assigned VPN IP addresses following forged cookie authentication — meaning they had genuine, functional access to target organisations' internal networks.

CISA acted on 29 May 2026, adding CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalogue. United States federal agencies are required to patch by 19 June 2026. Australia's ACSC closely tracks CISA's KEV entries; Australian government entities subject to the Information Security Manual (ISM) and ASD Essential Eight controls should treat this as a high-priority patch item whether or not a separate formal ACSC advisory is published.

Palo Alto Networks updated the severity rating to High following confirmed exploitation and has released patched versions of PAN-OS. The vendor advisory at security.paloaltonetworks.com/CVE-2026-0257 contains the authoritative version matrix and mitigation guidance.

Why Australian Organisations Are Directly Exposed

GlobalProtect is not a niche product. Palo Alto Networks firewalls and VPN infrastructure are standard deployments across Australian government, healthcare, financial services, and large enterprise environments. Australian managed service providers routinely deploy GlobalProtect for client organisations — which means a single MSP running an unpatched Palo Alto firewall can serve as an access vector into multiple client networks simultaneously.

This exposure pattern is not hypothetical. Australia saw exactly this dynamic in April 2026 when CVE-2026-41940, a critical cPanel authentication bypass with a CVSS score of 9.8, was weaponised against MSP infrastructure and used to reach downstream customers. According to reporting from Ctrl-Alt-Intel and Censys, at least 44,000 IP addresses were observed engaging in scanning and brute-force activity within 24 hours of that vulnerability's public disclosure. The threat actor playbook is consistent: identify a product widely deployed by MSPs, exploit it, then fan out across the customer base. CVE-2026-0257 fits that template precisely.

For CVE-2026-0257, the stakes are particularly high because VPN access is effectively the same as being inside the network. Once an attacker has a valid VPN IP assignment, they appear to the internal network as a legitimate remote worker. They can traverse internal subnets, reach shared file systems, access internal-only applications, and conduct lateral movement that bypasses perimeter defences entirely. The forged session cookie means they never need to own a valid user account — credential verification is circumvented at the VPN gateway before any application-layer authentication is reached.

Australia's Privacy Act 1988 and the Notifiable Data Breaches (NDB) scheme require organisations to notify the Office of the Australian Information Commissioner (OAIC) when a breach is likely to result in serious harm to affected individuals. A VPN intrusion that reaches internal systems — payroll databases, customer records, healthcare data — almost certainly triggers that threshold. The regulatory cost of failing to patch this vulnerability substantially exceeds the operational effort of applying available fixes.

How CVE-2026-0257 Works: The Authentication Override Flaw Explained

The Authentication Override Feature

GlobalProtect includes an optional feature called "authentication override," which allows portals and gateways to issue session cookies to successfully authenticated users. When the feature is enabled, returning users can present a previously-issued session cookie rather than re-entering their credentials — a common usability improvement in VPN deployments that require frequent reconnections, such as split-tunnel configurations or environments with short session timeouts. The feature is disabled by default and requires deliberate administrator configuration to activate.

The Certificate Configuration Flaw

The vulnerability is exploitable only when two conditions hold at the same time:

  1. Authentication override is enabled on a GlobalProtect portal or gateway.
  2. The certificate used to encrypt and decrypt the authentication override cookies is the same certificate used for the HTTPS service of that portal or gateway.

When the authentication override certificate is shared with the HTTPS service, an attacker can forge a valid-appearing authentication override cookie. Because the certificate is not unique to the authentication override function, the GlobalProtect gateway cannot distinguish a legitimately-issued cookie from a crafted one. The attacker presents the forged cookie, the gateway accepts it, and issues the attacker a VPN session — including an internal IP address drawn from the gateway's address pool.

Rapid7's analysis of the observed exploitation activity confirmed that this forged-cookie approach successfully yielded VPN IP assignments in the 21 May wave, granting attackers a foothold inside target internal networks. The attack origin infrastructure — Vultr in the first wave and Dromatics Systems in the second — was distinct enough to suggest multiple independent threat actors exploiting the same flaw, consistent with what typically occurs after a proof-of-concept becomes publicly available.

Affected PAN-OS Versions and Fixed Builds

Palo Alto Networks has released patched builds across the supported PAN-OS release train. Verified fixed versions, per the Palo Alto Networks security advisory, include:

Organisations using Prisma Access — Palo Alto's cloud-delivered secure access service edge (SASE) offering — are also affected and should verify their patch status through the Prisma Access dashboard. The full version matrix including legacy branch guidance is available in the official advisory.

Immediate Actions for Australian Organisations

For Palo Alto GlobalProtect Deployments

The first task is determining whether your environment is vulnerable. Log into your Palo Alto management console and check whether authentication override is enabled on any GlobalProtect portal or gateway. Navigation path: Network > GlobalProtect > Portals (or Gateways) > Agent > Authentication. If authentication override is enabled, confirm whether the override certificate is the same certificate used for the HTTPS service of that portal or gateway.

If authentication override is enabled and the certificate is shared, you have two remediation paths:

  1. Patch to a fixed version. This is the recommended approach. Upgrade to one of the fixed PAN-OS builds listed in the previous section. Patching addresses the root cause and does not require disabling any existing functionality.
  2. Interim certificate mitigation. If an immediate upgrade is operationally impractical, generate a new certificate exclusively for the authentication override feature — separate from the certificate used by the HTTPS portal or gateway service. This breaks the exploit chain without requiring a software upgrade. Alternatively, disable the authentication override feature entirely if session cookie convenience is not operationally critical.

Palo Alto Networks recommends using dedicated certificates for authentication override as a security best practice even in configurations that are not currently vulnerable to CVE-2026-0257.
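The two preconditions described in the "Certificate Configuration Flaw" section and the manual console check above reduce to one test per portal or gateway: is authentication override on, and is its cookie certificate the same object as the HTTPS service certificate? The script below is an added example (not Palo Alto Networks code) that applies that test across an inventory and attaches the remediation from the two paths above. The `GpEndpoint` record is a constructed, simplified view of the relevant settings; it does not reproduce the PAN-OS configuration schema, so an operator would populate it from their own config export or API query.

```python
"""Audit GlobalProtect portals/gateways for the CVE-2026-0257 precondition pair:
authentication override enabled AND the override cookie certificate equal to the
certificate serving HTTPS on that portal/gateway.

Added example, not Palo Alto Networks code. GpEndpoint is a CONSTRUCTED,
simplified representation of the settings that matter; certificate names and
endpoint names in SAMPLE_INVENTORY are made up for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Status labels and the remediation text attached to each.
VULNERABLE = "VULNERABLE"
OK_DEDICATED = "OK-DEDICATED-CERT"
OK_DISABLED = "OK-OVERRIDE-DISABLED"

ACTIONS = {
    VULNERABLE: ("Upgrade to a fixed PAN-OS build. Interim: issue a certificate used only "
                 "for authentication override, or disable authentication override."),
    OK_DEDICATED: "No change required; keep the override certificate separate from the HTTPS certificate.",
    OK_DISABLED: "No change required; authentication override is not enabled.",
}


@dataclass(frozen=True)
class GpEndpoint:
    name: str                    # portal/gateway object name (constructed)
    kind: str                    # "portal" or "gateway"
    auth_override: bool          # is authentication override (cookie issuance/acceptance) enabled?
    cookie_cert: Optional[str]   # certificate that encrypts/decrypts override cookies, if any
    https_cert: str              # certificate bound to the endpoint's HTTPS service


def assess(ep: GpEndpoint) -> dict:
    """Classify one endpoint: vulnerable only if override is on AND certs are shared."""
    if ep.auth_override and ep.cookie_cert is not None and ep.cookie_cert == ep.https_cert:
        status = VULNERABLE
    elif ep.auth_override:
        status = OK_DEDICATED
    else:
        status = OK_DISABLED
    return {"name": ep.name, "kind": ep.kind, "status": status, "action": ACTIONS[status]}


def audit(endpoints) -> list:
    """Assess every endpoint in an inventory."""
    return [assess(e) for e in endpoints]


def vulnerable_names(endpoints) -> list:
    """Names of endpoints that satisfy both preconditions, for escalation."""
    return [f["name"] for f in audit(endpoints) if f["status"] == VULNERABLE]


# Constructed sample inventory covering the three possible outcomes.
SAMPLE_INVENTORY = [
    GpEndpoint("gp-portal-syd", "portal", True, "gp-wildcard-cert", "gp-wildcard-cert"),  # shared cert
    GpEndpoint("gp-gw-syd", "gateway", True, "gp-cookie-cert", "gp-wildcard-cert"),        # dedicated cert
    GpEndpoint("gp-gw-mel", "gateway", False, None, "gp-wildcard-cert"),                   # feature off
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['kind']:8} {f['name']:16} {f['status']:22} {f['action']}")
```

An MSP can run the same `audit()` over a per-customer inventory and treat the `vulnerable_names()` output as the escalation list; a gateway that has override enabled with a dedicated certificate is not exposed by this flaw but should still be patched on the normal cadence.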

For Australian MSPs and IT Providers

Managed service providers should conduct an immediate audit across every Palo Alto GlobalProtect deployment in their customer portfolio. Given that MSPs routinely manage dozens to hundreds of Palo Alto devices, a single missed patch across one customer's environment represents a potential pivot point into that entire MSP-managed estate. Proactively contact customers whose environments include GlobalProtect, document patch status, and escalate to customers who rely on authentication override as a user-experience feature — they will need to plan either an upgrade or a certificate remediation.

The Rapid7 incident analysis provides network-level indicators of compromise from both exploitation waves that MSP SOC and monitoring teams can use to identify retrospective exposure.

For Australian Small and Medium Businesses

Not every Australian SMB operates Palo Alto enterprise hardware. Many rely on simpler VPN arrangements — either provided through their internet service provider or via a commercial VPN service for remote work connectivity. If your business uses a consumer or business-grade VPN service, the key question is whether that provider defaults to secure configurations and maintains a strong patching cadence without requiring manual certificate management on your part.

Commercial VPN services such as NordVPN operate on a fundamentally different threat model than enterprise VPN appliances. There is no authentication override cookie feature to misconfigure, no certificate sharing scenario to manage, and no on-premises appliance that requires manual firmware upgrades. The underlying protocol stack — based on WireGuard (NordLynx) — is maintained and patched centrally by the provider. For Australian SMBs without dedicated network security staff, this removes an entire category of configuration vulnerabilities that only arise when administering enterprise-grade network infrastructure.

This is not an argument for replacing genuine enterprise infrastructure with consumer VPN tools in environments that operationally require GlobalProtect's feature set. It is a relevant observation that configuration complexity introduces risk — and that complexity should be matched to the security capability available to manage it.

Building a Resilient Remote Access Posture

CVE-2026-0257 is a reminder that remote access infrastructure — the very tools designed to extend secure connectivity to remote workers — can become a primary attack surface when misconfigured or left unpatched. This pattern does not belong to any single vendor. Authentication bypass vulnerabilities have emerged this year in Cisco SD-WAN, Fortinet FortiClient, cPanel WHM, and now Palo Alto GlobalProtect. The common thread is not vendor negligence; it is the inherent difficulty of maintaining complex, multi-feature network security products in environments with limited security staffing.

Layer MFA Beyond the VPN Gateway

CVE-2026-0257 demonstrates why VPN-layer authentication is not a sufficient single control. An attacker who forges an authentication override cookie bypasses the credential verification step at the VPN gateway entirely. However, if an organisation has deployed multi-factor authentication (MFA) at the application or identity-provider level — rather than exclusively at the VPN gateway — that layer of protection remains intact even when the VPN authentication is compromised. A forged cookie grants VPN network access; it does not automatically grant access to an MFA-protected application or cloud service.

Australian organisations should treat VPN authentication as a perimeter control, not a complete access control solution. The ACSC's Essential Eight recommends MFA for all remote access solutions and for all internet-facing services — applying MFA at multiple layers creates defence in depth that single-point compromises cannot bypass.

Segment the Internal Network

When an attacker gains VPN access, the blast radius depends heavily on internal network segmentation. A flat network — where any VPN user can reach every server, database, and endpoint — transforms a VPN compromise into a full breach. If internal systems are segmented into security zones, an attacker assigned a VPN IP address is constrained to the access rights of the VPN user pool, not free movement across the entire estate.

Many Australian SMBs operate with flat internal networks as a consequence of constrained IT resources. Reviewing internal segmentation is one of the highest-return investments a small business can make in incident containment planning.

Monitor for Anomalous VPN Sessions

The two exploitation waves identified by Rapid7 carried distinct infrastructure fingerprints: Vultr-hosted IPs in the first wave and Dromatics Systems IPs in the second. These are the kinds of signals that a network monitoring or SIEM solution can detect — unusual VPN connection origins, off-hours IP assignments, and internal traffic patterns that don't match established user baselines. If your organisation's monitoring does not cover VPN session metadata, this incident is a sound justification for addressing that gap.
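The signals named above (connection origin, off-hours assignments, a login that does not match the user's baseline) can be scored per gateway login and keyed on the assigned VPN IP, which is the value to pivot on in internal logs afterwards. The script below is an added example, not Rapid7's or Palo Alto Networks' code. The log lines are a constructed, simplified CSV rather than the native PAN-OS GlobalProtect log format, the user baselines are made up, and the "hosting" prefixes are RFC 5737 documentation ranges standing in for whatever an operator's own IP-reputation feed tags as cloud/hosting space; none of these are the real indicators from either exploitation wave.

```python
"""Triage GlobalProtect gateway logins for the anomaly signals discussed above.

Added example (not vendor or Rapid7 code). SAMPLE_LOG, USER_BASELINE and
HOSTING_PREFIXES are CONSTRUCTED for illustration; the CSV layout is a
simplification, not the native PAN-OS GlobalProtect log format.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed: prefixes an operator's reputation feed tags as hosting/cloud space.
# RFC 5737 documentation ranges are used so the sample points at no real provider.
HOSTING_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed baselines: the /24s each user normally connects from.
USER_BASELINE = {
    "alice": {"192.0.2.0/24"},
    "bob": {"192.0.2.0/24"},
}

AEST = timezone(timedelta(hours=10))   # local business time for the sample org
BUSINESS_HOURS = (7, 19)               # [start, end) hour considered normal

# Constructed sample gateway log: UTC timestamp, event, user, source IP,
# assigned VPN IP, and how the login was authenticated.
SAMPLE_LOG = """time_utc,event,user,public_ip,private_ip,auth_method
2026-05-21T02:15:07Z,gateway-login,alice,192.0.2.45,10.200.0.11,LDAP
2026-05-21T17:42:51Z,gateway-login,bob,203.0.113.77,10.200.0.23,cookie
2026-05-21T05:03:19Z,gateway-login,alice,198.51.100.9,10.200.0.31,cookie
2026-05-21T03:30:00Z,gateway-login,carol,192.0.2.88,10.200.0.40,LDAP
"""


def assess_session(row, baseline=USER_BASELINE, hosting=HOSTING_PREFIXES):
    """Return the list of anomaly reasons for one gateway-login row (empty = unremarkable)."""
    reasons = []
    src = ipaddress.ip_address(row["public_ip"])

    if any(src in net for net in hosting):
        reasons.append("source in hosting-provider address space")

    known = baseline.get(row["user"])
    if known is None:
        reasons.append("no source baseline for user")
    elif not any(src in ipaddress.ip_network(n) for n in known):
        reasons.append("source outside user's usual networks")

    local = datetime.fromisoformat(row["time_utc"].replace("Z", "+00:00")).astimezone(AEST)
    if not (BUSINESS_HOURS[0] <= local.hour < BUSINESS_HOURS[1]):
        reasons.append(f"off-hours login ({local:%H:%M} AEST)")

    # A cookie-based login is normal on its own; it only raises priority when
    # it coincides with another anomaly, since CVE-2026-0257 abuses that path.
    if row["auth_method"].lower() == "cookie" and reasons:
        reasons.append("cookie (authentication override) login combined with other anomalies")

    return reasons


def triage(log_text):
    """Map each anomalous session's assigned VPN IP to its user, source and reasons."""
    findings = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event"] != "gateway-login":
            continue
        reasons = assess_session(row)
        if reasons:
            findings[row["private_ip"]] = {
                "user": row["user"],
                "public_ip": row["public_ip"],
                "reasons": reasons,
            }
    return findings


if __name__ == "__main__":
    for vpn_ip, f in sorted(triage(SAMPLE_LOG).items(), key=lambda kv: -len(kv[1]["reasons"])):
        print(f"{vpn_ip:12} {f['user']:6} {f['public_ip']:15} -> " + "; ".join(f["reasons"]))
```

The output is keyed on the assigned private IP deliberately: that address is what internal firewall, file-server and authentication logs will show, so a flagged session can be followed into the network. A single reason (for example, a user with no baseline yet) is a review item; several reasons on one cookie-authenticated session from hosting space is the shape of the activity this article describes and warrants immediate session termination and investigation.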

ACSC Essential Eight Alignment

Australia's ACSC Essential Eight patching guidance specifies that internet-facing services should be patched within 48 hours of a critical patch becoming available. CVE-2026-0257 patches have been available since mid-May 2026; under Essential Eight Maturity Level 2 and above, Australian organisations should have applied them within that window. If your organisation is not yet at that patching cadence for internet-facing services, this incident provides a clear accountability argument for accelerating it.

For businesses using NordVPN or equivalent provider-managed services for employee VPN connectivity, the provider handles patching of the underlying server and protocol infrastructure centrally — removing one dimension of the patch-management burden. That does not eliminate the organisation's patching obligations in other areas, but it does address the VPN layer specifically and removes the manual version-upgrade workflow that enterprises with on-premises Palo Alto appliances must manage.

The broader lesson from CVE-2026-0257 is that security products require exactly the same disciplined maintenance applied to operating systems and applications — and in some respects more, because a compromise of a security product provides a trusted position inside the network from which subsequent attacks originate. Treat your VPN infrastructure as a priority patch target, not as an assumed-secure control.

Is your remote access infrastructure patched and configured correctly?

Check out our recommended security tools for a complete protection stack.

The views expressed in this article are editorial opinion and general information only. They do not constitute professional security, legal, or financial advice. Always verify details with primary sources and consult a qualified professional before making security decisions based on this content.