Alert! Hackers are actively exploiting a vulnerability in Palo Alto Networks’ PAN-OS

Security experts warn of widespread exploitation of CVE-2026-0257, with one saying: “What stands out is how simple it is.”

Tue, 02 Jun 2026
A couple of weeks ago, Palo Alto Networks released an advisory regarding an authentication bypass vulnerability in its PAN-OS platform – just a handful of days later, on 17 May, it was already being exploited.

As of 29 May, the United States Cybersecurity and Critical Infrastructure Security Agency added the vulnerability – CVE-2026-0257 – to its Known Exploited Vulnerabilities Catalog.

Analysts at cyber security firm Rapid7 have been tracking the activity, and while they have seen exploitation impacting several customers, as of a couple of days ago, they had yet to see this activity transition to lateral movement.

But that doesn’t mean it won’t happen eventually.

“While the assigned CVSSv4 score indicates a medium severity, due to the circumstances surrounding this vulnerability, Rapid7 urges that organisations treat this as a critical vulnerability,” Rapid7 said in a 30 May blog post.

“An authentication bypass in an edge-facing enterprise VPN appliance can have significant impact to affected organisations. As such, organisations running affected appliances are urged to upgrade to a vendor-supplied patch on an urgent basis.”

You can see which versions of PAN-OS, and which releases of those versions, are impacted by CVE-2026-0257 here.

An example of the activity that Rapid7 is observing took place on 18 May, when its MDR platform raised a “Suspicious VPN Authentication - Local Account Logon via Generic Non-Human Identity” alert. In this case, the cookie authentication requests sent to multiple customers all came from the same hosting provider, Vultr.

“Rapid7 MDR observed a second wave of exploitation on May 21st. Due to the consistent MAC address, Rapid7 believes both waves of exploitation are likely from the same threat actor (TA),” Rapid7 said.

“However, the second wave of compromises originated from the hosting provider, Dromatics Systems. In this wave of exploitation, Rapid7 observed VPN IP assignment following the cookie authentication, granting them access to the internal network.”
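The two indicators Rapid7 describes above, one source touching many unrelated customers and a cookie logon that is followed by a VPN IP assignment, are simple to check for in VPN authentication logs. The following is an added example and is not Rapid7's, Palo Alto Networks' or watchTowr's code. It works on a constructed, pipe-separated event format (tenant, timestamp, event type, source IP, owner of the source IP range, client MAC, username, assigned VPN IP), which is an assumption for illustration and not the real PAN-OS or MDR schema; the sample lines, tenant names, IPs and MACs are all made up.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class VpnEvent:
    tenant: str
    ts: datetime
    event: str       # "cookie_auth" or "vpn_ip_assigned"
    src_ip: str
    provider: str    # owner of the source IP range (hosting provider / ISP)
    client_mac: str  # MAC address reported by the VPN client
    user: str
    vpn_ip: str      # empty unless event == "vpn_ip_assigned"


# Constructed sample log (assumed format, not a real PAN-OS or MDR export).
SAMPLE_LOG = """\
acme|2026-05-18T09:12:04|cookie_auth|203.0.113.10|Vultr|aa:bb:cc:dd:ee:01|svc-backup|
globex|2026-05-18T09:13:31|cookie_auth|203.0.113.10|Vultr|aa:bb:cc:dd:ee:01|svc-backup|
initech|2026-05-18T09:15:09|cookie_auth|203.0.113.44|Vultr|aa:bb:cc:dd:ee:01|svc-backup|
acme|2026-05-21T08:00:00|cookie_auth|192.0.2.9|Example ISP|de:ad:be:ef:00:01|jsmith|
acme|2026-05-21T14:02:10|cookie_auth|198.51.100.7|Dromatics Systems|aa:bb:cc:dd:ee:01|svc-backup|
acme|2026-05-21T14:02:12|vpn_ip_assigned|198.51.100.7|Dromatics Systems|aa:bb:cc:dd:ee:01|svc-backup|10.20.0.55
"""


def parse_log(text: str) -> list[VpnEvent]:
    """Parse the constructed pipe-separated format into VpnEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        tenant, ts, event, src_ip, provider, mac, user, vpn_ip = line.split("|")
        events.append(VpnEvent(tenant, datetime.fromisoformat(ts), event,
                               src_ip, provider, mac, user, vpn_ip))
    return events


def cross_tenant_sources(events, min_tenants=2):
    """Group cookie logons by (provider, client MAC) and return the groups
    seen at min_tenants or more tenants. One source hitting several unrelated
    customers is the cross-customer pattern described in the article."""
    seen = defaultdict(set)
    for e in events:
        if e.event == "cookie_auth":
            seen[(e.provider, e.client_mac)].add(e.tenant)
    return {k: v for k, v in seen.items() if len(v) >= min_tenants}


def providers_by_mac(events):
    """Map each client MAC to the providers it was seen from, so that separate
    waves sharing a MAC but arriving from different hosting can be linked."""
    out = defaultdict(set)
    for e in events:
        out[e.client_mac].add(e.provider)
    return dict(out)


def cookie_auth_then_assignment(events, window=timedelta(minutes=5)):
    """Return (tenant, src_ip, user, vpn_ip) for every VPN IP assignment that
    follows a cookie logon from the same source IP within `window`: the point
    at which an authentication bypass becomes internal network access."""
    last_cookie = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.tenant, e.src_ip)
        if e.event == "cookie_auth":
            last_cookie[key] = e.ts
        elif e.event == "vpn_ip_assigned" and key in last_cookie:
            if e.ts - last_cookie[key] <= window:
                hits.append((e.tenant, e.src_ip, e.user, e.vpn_ip))
    return hits


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for key, tenants in cross_tenant_sources(evs).items():
        print("shared source", key, "seen at", sorted(tenants))
    for mac, provs in providers_by_mac(evs).items():
        if len(provs) > 1:
            print("MAC", mac, "seen from", sorted(provs))
    for hit in cookie_auth_then_assignment(evs):
        print("cookie logon followed by VPN IP assignment:", hit)
```

On the constructed sample the first check groups three tenants under the Vultr source, the MAC check ties the Vultr and Dromatics Systems waves together, and the third check flags only the 21 May logon that went on to receive a VPN address; the ordinary user logon from a residential ISP matches none of them. The cross-tenant check only makes sense for a provider with visibility across customers, as an MDR platform has; a single organisation can still run the MAC and cookie-then-assignment checks on its own logs.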

Aside from updating to a patched version, Palo Alto Networks recommends either using a dedicated certificate for Authentication Override cookies or disabling Authentication Override entirely.

Jake Knott, principal security researcher at cyber security company watchTowr, told Cyber Daily the PAN-OS vulnerability was “yet another authentication bypass on a device whose sole job is to guard the front door to an organisation’s network”.

However, what alarms Knott the most is just how simple it is to exploit.

“An attacker can forge a valid authentication cookie using nothing more than the appliance’s publicly available TLS certificate. The entire exploit is a single HTTP request,” Knott said.

“While successful exploitation does require a specific configuration, public reporting is already showing that this misconfiguration and practice appear to be more widespread than initially thought.

“When first disclosed, the prevailing assumption was that very few real-world deployments would meet the prerequisites for exploitation. Two weeks later, attackers proved that assumption wrong.”

According to Knott, this is a familiar pattern: urgent patching only happens once exploitation has been confirmed, and any organisation that waits that long is already reacting too late.

“The lesson here remains unchanged: a patching strategy built around scheduled change windows cannot defend devices that are being targeted within hours or days of disclosure,” Knott said.

“Organisations need strategies to match the speed of the threat, and not the speed of their change management process.”

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.