
Rapid7 observes new Palo Alto VPN flaw exploited in the wild to bypass GlobalProtect authentication

2026-06-02 15:00

A flaw fixed last month is now being used in real-life attacks, and security researchers are urging users to patch.

By Sead Fadilpašić, published 2 June 2026

  • Critical PAN‑OS flaw exploited in the wild
  • Authentication bypass enables unauthorized VPN access
  • CISA added CVE‑2026‑0257 to KEV catalog

A recently discovered vulnerability in PAN-OS, the operating system powering Palo Alto’s firewalls, is being actively exploited in the wild, researchers say, and they are urging customers to apply the provided patch as soon as possible.

In mid-May this year, Palo Alto disclosed an authentication bypass flaw in the GlobalProtect portal and gateway that allows threat actors to work around security restrictions and establish an unauthorized VPN connection. The bug is now tracked as CVE-2026-0257 and has been assigned a severity score of 9.1/10 (critical).

Earlier this week, security researchers at Rapid7 said they saw threat actors successfully leveraging this bug in attacks: “Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices,” Rapid7 said in its report. “The earliest date for observed exploitation was May 17, 2026. As of May 29, 2026, this vulnerability has been added to the CISA KEV.”


Added to CISA's KEV

The news also prompted the US Cybersecurity and Infrastructure Security Agency (CISA) to add the bug to its Known Exploited Vulnerabilities (KEV) catalog, giving Federal Civilian Executive Branch (FCEB) agencies a deadline to patch up or stop using PAN-OS-powered devices entirely.

Initially, the bug was given a medium-severity score, but since it escalated into real-life attacks, the rating has been elevated as well:

"Palo Alto Networks has become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied," the company said.

Different versions of PAN-OS are affected:

  • 12.1 versions earlier than 12.1.4-h6 or 12.1.7
  • 11.2 versions earlier than 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12
  • 11.1 versions earlier than 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15
  • 10.2 versions earlier than 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6


Prisma Access 10.2 and 11.2 deployments running vulnerable releases are also affected. Palo Alto issued a staggered patch schedule starting May 15, 2026, with additional updates rolling out through May 28–29, 2026 depending on the PAN-OS version.

Via The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
