The hottest vulnerability in the security world right now is CVE-2026-0257 (CVSS 7.8), an authentication bypass in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS. It lets a remote, unauthenticated attacker bypass security restrictions and establish an unauthorized VPN connection, or, plainly put, knock open the corporate front door with no username or password.
1. The Root Cause
The root cause is as classic as it is cautionary: the firewall relies on cookies but does not perform thorough validation and integrity checking. The flaw lives in a non-default feature called authentication override, which lets GlobalProtect portals and gateways issue session cookies to authenticated users. The vulnerability triggers when the certificate used to encrypt and decrypt those cookies is shared with another feature.
2. The Timeline
Rapid7 first observed exploitation in the wild on May 17, just days after public disclosure. The earliest attacks came from Vultr-hosted IPs; on May 18, multiple customer environments detected suspicious cookie-based authentication using the machine name GP-CLIENT with a spoofed MAC address, and a second wave appeared May 21. CISA added it to the Known Exploited Vulnerabilities (KEV) catalog on May 29. The attackers' main goal appears to be initial access, for later lateral movement or resale. Remediation is clear: upgrade to a fixed version immediately, or temporarily disable authentication override, or generate a dedicated certificate used exclusively for it.
My Take
This one belongs in every web and systems builder's notebook because the root cause is not some exotic 0-day; it is trusting something that should not be trusted unconditionally: a cookie that was not fully validated and whose certificate was shared across features. The lesson maps straight onto web development. Laravel sessions and API tokens must be bound to signature and integrity checks (signed, expiring, purpose-isolated); keys and certificates for different purposes must be kept separate, never shared for convenience. On the Nginx front, handle TLS termination properly, restrict admin-interface source IPs, and treat externally exposed auth entry points like VPNs and admin panels as your highest-risk surface to monitor. Most important is patch cadence: only days passed from disclosure to in-the-wild exploitation, so "we will fix it next maintenance window" no longer holds. Wiring the CISA KEV list into your vulnerability management, so actively exploited flaws auto-jump to top priority, is one of the highest-ROI defensive moves available today.
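To make the "signed, expiring, purpose-isolated" requirement concrete, here is an added example (written for this post, not PAN-OS or Laravel code) of a session cookie whose signing key is derived per feature, so a cookie minted for one feature fails verification under another even though both features share one master secret. The purpose labels, subjects and master secret are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

def derive_key(master: bytes, purpose: str) -> bytes:
    """Derive a purpose-bound signing key from one master secret.

    Each feature (VPN gateway, admin portal, ...) gets an unrelated key, so a
    cookie minted for one feature cannot verify under another. This is the
    opposite of sharing one certificate across features."""
    return hmac.new(master, b"cookie-key/" + purpose.encode(), hashlib.sha256).digest()

def _b64e(data: bytes) -> bytes:
    return base64.urlsafe_b64encode(data).rstrip(b"=")

def _b64d(data: bytes) -> bytes:
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))

def mint_cookie(master: bytes, purpose: str, subject: str, ttl: int, now: Optional[int] = None) -> str:
    """Issue a signed, expiring cookie bound to one purpose (the 'aud' claim)."""
    now = int(time.time()) if now is None else now
    claims = {"sub": subject, "aud": purpose, "iat": now, "exp": now + ttl}
    body = _b64e(json.dumps(claims, sort_keys=True, separators=(",", ":")).encode())
    tag = hmac.new(derive_key(master, purpose), body, hashlib.sha256).digest()
    return (body + b"." + _b64e(tag)).decode()

def verify_cookie(master: bytes, purpose: str, cookie: str, now: Optional[int] = None) -> Optional[str]:
    """Return the subject if the cookie is authentic, unexpired and issued for
    this purpose; otherwise None. The MAC is checked before the body is parsed."""
    now = int(time.time()) if now is None else now
    try:
        body, tag = cookie.encode().split(b".")
        expected = hmac.new(derive_key(master, purpose), body, hashlib.sha256).digest()
        if not hmac.compare_digest(_b64d(tag), expected):
            return None
        claims = json.loads(_b64d(body))
    except (ValueError, UnicodeError):  # malformed structure, base64 or JSON
        return None
    if claims.get("aud") != purpose:  # defence in depth: reject cross-feature use even if keys were shared
        return None
    if not (claims["iat"] <= now < claims["exp"]):  # expired or not yet valid
        return None
    return claims["sub"]
```

Rotating the master secret invalidates every purpose's cookies at once; rotating only one feature's label-derived key is not possible without changing its purpose label, which is the intended coupling.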
Sources
- PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257) Under Active Exploitation — The Hacker News
- Rapid7 Observed Exploitation of CVE-2026-0257 — Rapid7
- Hackers are exploiting Palo Alto GlobalProtect VPN authentication bypass — Help Net Security
- Palo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks — BleepingComputer