Particle.news

Active Exploitation of Palo Alto GlobalProtect Flaw Forces Urgent Patching

Attackers can forge authentication-override cookies by reusing a portal TLS certificate to gain unauthorized VPN access.

Overview

  • Security firm Rapid7 detected two waves of real-world exploitation in mid-May, with initial activity beginning May 17–18 and a second surge on May 21.
  • The flaw, tracked as CVE-2026-0257, lets an attacker read a reused HTTPS certificate’s public key and craft a valid authentication cookie that an appliance will accept without credentials.
  • Palo Alto released patches on May 13 for PAN-OS and Prisma Access and advised customers to update immediately or use mitigations such as disabling authentication override or issuing a dedicated cookie certificate.
  • CISA added the vulnerability to its Known Exploited Vulnerabilities catalog and ordered federal civilian agencies to remediate by June 1; Rapid7 also published proof-of-concept code and indicators of compromise to help defenders hunt for intrusions.
  • Observed exploitation sometimes resulted in attackers receiving VPN IP assignments and internal network access, but defenders have not yet seen confirmed lateral movement; the full scope depends on specific GlobalProtect configurations, so operators and staff are being urged to act on the risk immediately.