
Researchers and threat hunters are scrambling to respond to an actively exploited authentication-bypass vulnerability affecting Palo Alto Networks customers’ firewalls.
The company initially tagged CVE-2026-0257 with a medium-severity rating when it disclosed the defect May 13, but quickly reassessed it as critical after Rapid7 observed and confirmed active exploitation in the wild. The Cybersecurity and Infrastructure Security Agency followed suit, and added the vulnerability to its known exploited vulnerabilities catalog Friday.
The escalated threat posed by the defect, which allows remote attackers to bypass security restrictions and establish a VPN connection to an affected firewall, showcases how quickly a seemingly mild vulnerability can turn into an urgent warning.
“Palo Alto Networks is actively monitoring limited exploitation attempts targeting CVE-2026-0257 on unpatched PAN-OS devices where mitigations have not been applied,” a company spokesperson said in a statement. The company on Friday urged all customers to immediately apply the patch or follow its recommended steps for mitigation.
The vendor and Rapid7, which first observed exploitation May 17 in a customer environment, declined to say how many organizations are impacted thus far. Yet, Douglas McKee, director of vulnerability intelligence at Rapid7, warned: “We’ve continued to see new victims roll in, including a couple of customers hit within just an hour of each other during a second wave of activity” on May 21.
Jake Knott, security researcher at watchTowr, told CyberScoop the vulnerability and the resulting exploits follow a recurring trend in which attackers target exposed network edge devices and rapidly identify, develop and weaponize exploits for initial access.
“This is yet another authentication bypass on a device whose sole job is to guard the front door to an organization’s network,” he said. “What stands out is how simple it is — an attacker can forge a valid authentication cookie using nothing more than the appliance’s publicly available TLS certificate. The entire exploit is a single HTTP request.”
The vulnerability has a few prerequisites that limit exposure: it poses a risk to Palo Alto Networks customers running a GlobalProtect portal or gateway that is configured to enable authentication override cookies.
“The cookie encryption and decryption certificate must be reused with another feature, which potentially exposes the public key for that certificate,” said Caitlin Condon, vice president of security research at VulnCheck.
“It’s difficult to say how many deployments meet those criteria for exploitability, but Palo Alto Networks firewalls have a very large footprint, which means even uncommon configurations can present significant attack surface area,” she added.
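The researchers' description amounts to a classic design error: a cookie that is "protected" by encrypting it under a certificate's public key proves nothing about who created it once that public key is exposed, for example by reusing the certificate for TLS. The following is an added illustration of that anti-pattern beside a hardened version; it is not PAN-OS code and does not reproduce the real cookie format. It assumes the weak design encrypts the claims with the public key and accepts whatever the private key decrypts to well-formed claims, and it uses textbook RSA with small, constructed primes so that it runs on the Python standard library alone.

```python
"""
Added illustration (not PAN-OS code): why a cookie "protected" by encrypting
it with a certificate's public key cannot authenticate anyone once that public
key is exposed, e.g. by reusing the certificate for TLS.

Assumptions: the weak design encrypts the cookie with the public key and
accepts anything the private key decrypts to well-formed claims. Textbook RSA
with small fixed primes keeps it standard-library only; the key size,
chunking and JSON claims are all constructed for the demo.
"""
import hashlib
import hmac
import json
import secrets
from typing import List, Optional

# Toy RSA key pair (constructed; far too small for real use).
P, Q = 1000003, 1000033
N = P * Q                           # modulus, roughly 2**40
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)
PUBLIC_KEY = (N, E)                 # what a TLS handshake hands to any client

CHUNK = 4                           # 4-byte chunks: every chunk value is < N


def _encode_claims(claims: dict) -> bytes:
    return json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()


def _chunks(data: bytes) -> List[int]:
    return [int.from_bytes(data[i:i + CHUNK].ljust(CHUNK, b"\0"), "big")
            for i in range(0, len(data), CHUNK)]


def weak_issue_cookie(claims: dict) -> List[int]:
    """Weak design, server side: RSA-encrypt the claims under the public key."""
    return [pow(m, E, N) for m in _chunks(_encode_claims(claims))]


def weak_validate_cookie(cookie: List[int]) -> Optional[dict]:
    """Weak design, server side: decrypt with the private key and trust the result."""
    try:
        raw = b"".join(pow(c, D, N).to_bytes(CHUNK, "big") for c in cookie)
        return json.loads(raw.rstrip(b"\0"))
    except (OverflowError, ValueError):
        return None


def forge_weak_cookie(public_key, claims: dict) -> List[int]:
    """Attacker: holds only (N, E) from the appliance's certificate, yet can
    mint a cookie with arbitrary claims because encryption is not authentication."""
    n, e = public_key
    return [pow(m, e, n) for m in _chunks(_encode_claims(claims))]


# Hardened design: integrity comes from a secret that never leaves the server.
SERVER_SECRET = secrets.token_bytes(32)


def safe_issue_cookie(claims: dict) -> str:
    """Hardened design: claims plus an HMAC tag under the server-only secret."""
    payload = _encode_claims(claims)
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    return payload.hex() + "." + tag


def safe_validate_cookie(cookie: str) -> Optional[dict]:
    """Hardened design: recompute the tag and compare in constant time."""
    try:
        payload_hex, tag = cookie.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None
    return json.loads(payload)


def forge_safe_cookie(public_key, claims: dict) -> str:
    """Attacker against the hardened design: the public key is useless and the
    tag cannot be computed without SERVER_SECRET, so the best effort is a guess."""
    return _encode_claims(claims).hex() + "." + "0" * 64


if __name__ == "__main__":
    print("weak, legit :", weak_validate_cookie(weak_issue_cookie({"user": "alice"})))
    print("weak, forged:", weak_validate_cookie(forge_weak_cookie(PUBLIC_KEY, {"user": "admin"})))
    print("safe, legit :", safe_validate_cookie(safe_issue_cookie({"user": "alice"})))
    print("safe, forged:", safe_validate_cookie(forge_safe_cookie(PUBLIC_KEY, {"user": "admin"})))
```

The point is which key has to stay secret. Signing the claims with the private key and verifying with the public key would also be sound, because the private key never leaves the appliance; encrypting with the public key inverts that and makes the certificate itself the forgery tool. A production cookie would additionally carry an expiry and be bound to the session, but that is outside what the article describes.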
Rapid7 said the same attacker or group is likely responsible for both waves of exploitation last month, but in many cases attackers are not establishing a full VPN connection or moving to other parts of the impacted network.
The attackers are “highly opportunistic and clearly monitor the security research community,” McKee said. “Attackers are purposefully weaponizing medium-severity vulnerabilities, which are typically lower priority or blind spots for organizations.”
Multiple threat clusters are swarming to the opportunity and quickly adapting to published research. Researchers have not attributed the malicious activity to any specific threat groups.
“Their exact origins and long-term objectives remain unclear, as they currently seem focused purely on opportunistic initial access rather than targeted, long-term espionage,” McKee said.
Palo Alto Networks said it discovered the vulnerability internally through its use of frontier AI tools. Yet, within days of its public disclosure, initial assessments were proven inadequate.
“This is a pattern we continue to see — the urgency only arrives after exploitation is underway,” Knott said. “Organizations that wait for confirmation of active exploitation before patching will consistently find themselves reacting too late.”

Facts Only

Palo Alto Networks disclosed CVE-2026-0257 on May 13, initially rating it medium severity.
Rapid7 confirmed active exploitation of the vulnerability on May 17.
CISA added CVE-2026-0257 to its known exploited vulnerabilities catalog on a Friday, after Rapid7 confirmed exploitation; the exact date is not given.
The vulnerability allows remote attackers to bypass authentication and establish VPN connections.
Affected systems include Palo Alto Networks firewalls with GlobalProtect portal or gateway configured for authentication override cookies.
Exploitation requires that the certificate used to encrypt and decrypt the override cookie also be reused by another feature, which exposes its public key to attackers.
A second wave of attacks occurred on May 21, with multiple victims reported.
Palo Alto Networks urged customers to apply patches or mitigations immediately.
The company discovered the vulnerability internally using AI tools.
Attackers are described as highly opportunistic, targeting medium-severity vulnerabilities.
No specific threat groups have been attributed to the exploitation.

Executive Summary

A critical authentication-bypass vulnerability (CVE-2026-0257) in Palo Alto Networks' PAN-OS firewalls, initially rated medium severity, was reassessed as critical after Rapid7 confirmed active exploitation. The flaw allows remote attackers to bypass authentication and establish a GlobalProtect VPN connection to an affected device. Palo Alto Networks disclosed the vulnerability on May 13; Rapid7 observed exploitation in a customer environment on May 17, and CISA subsequently added the CVE to its known exploited vulnerabilities catalog. Only deployments with a GlobalProtect portal or gateway configured to use authentication override cookies are affected, and exploitation additionally requires that the cookie's encryption certificate be reused by another feature, which exposes its public key. The number of impacted organizations has not been disclosed, but researchers observed a second wave of attacks on May 21, with attackers focused on opportunistic initial access rather than deeper network intrusion. Palo Alto Networks has urged immediate patching or mitigation, and the episode illustrates how quickly a medium-rated flaw can move from disclosure to exploitation.

Full Take

This incident underscores a recurring pattern in cybersecurity: the rapid weaponization of vulnerabilities that initially appear less severe. The initial medium-severity rating of CVE-2026-0257 likely contributed to delayed responses, as organizations often prioritize critical vulnerabilities. The attackers' focus on opportunistic initial access rather than long-term espionage suggests a shift toward exploiting low-hanging fruit—vulnerabilities that are easy to exploit but may be overlooked due to their perceived lower risk. This aligns with a broader trend of threat actors targeting network edge devices, which serve as gatekeepers to organizational networks.
The vulnerability's simplicity, a single HTTP request carrying an authentication cookie forged from the appliance's publicly available TLS certificate, highlights a systemic issue: the assumption that medium-severity flaws are less urgent. The jump from medium to critical after exploitation began also points to a gap in the original assessment, which appears to have treated the cookie's certificate as private even though reusing it for TLS hands its public key to every unauthenticated client. Palo Alto Networks finding the flaw internally with AI tools is notable, but the subsequent exploitation shows that early discovery only helps if the severity rating, and the customer patching it drives, keep pace with attackers who watch vendor advisories closely.
**Bridge Questions:**
How can organizations better prioritize vulnerabilities that may seem medium-severity but have high exploitation potential?
What role should AI-driven vulnerability discovery play in shifting the balance between proactive defense and reactive patching?
If attackers are increasingly targeting "blind spots" like medium-severity flaws, how should cybersecurity frameworks adapt to this tactic?
**Counterstrike Scan:**
A coordinated influence campaign exploiting this narrative might emphasize the failure of AI-driven security tools to prevent exploitation, framing it as a systemic weakness in modern cybersecurity. However, the article does not align with this pattern, as it presents a balanced view of both the vulnerability’s discovery and the subsequent exploitation, without overstating the role of AI or downplaying the severity of the flaw.
**Patterns detected:** None.

Sentinel — Human

Confidence

The text exhibits clear characteristics of high-quality, investigative cybersecurity journalism, grounded in specific expert commentary and a precise timeline of events.

Signals Detected
low severity: Sentence length variance is erratic; tone shifts between formal reporting and quoted technical analysis.
low severity: Text demonstrates a natural, evolving flow, smoothly transitioning between vendor statements, researcher commentary, and technical details.
low severity: Attribution is specific (McKee, Condon, Knott) and links specific observations to specific dates, which aligns with typical investigative journalism.
low severity: The combination of specific, timeline-based claims (May 13, May 17, May 21) and the inclusion of specific, verifiable quotes from named experts strongly suggests human investigative reporting.
Human Indicators
Presence of varied voices (company spokesperson, Rapid7 director, security researcher) with distinct perspectives.
Specific chronological timeline anchored by observed exploitation dates and public disclosures.
Use of quoted material that includes nuanced, expert-level analysis rather than generic statements.
Attackers are exploiting Palo Alto Networks defect that initially flew under the radar — Arc Codex