Hackers Are Forging VPN Cookies to Break Into Business Networks — What Palo Alto GlobalProtect Users Must Do Now
If your business uses Palo Alto's GlobalProtect VPN, this is one of those posts you need to read before you do anything else today.
A vulnerability called CVE-2026-0257 has been confirmed under active attack. The flaw lets a hacker log into your VPN — and potentially your internal business network — without knowing anyone's password. No credentials required. And according to cybersecurity firm Rapid7, it's already been used successfully against multiple real organizations.
Here's everything you need to understand, and exactly what to do.
What Is GlobalProtect and Why Does This Matter?
GlobalProtect is Palo Alto Networks' VPN solution — the software that lets employees securely connect to the office network from home, the road, or anywhere else. A huge number of businesses, including many small and mid-sized companies, rely on it for secure remote access.
The problem? When a VPN system gets compromised, it's not just one device that's at risk. It's a direct door into your entire internal network — your files, your servers, your customer data, everything.
What's the Actual Vulnerability?
The technical name for what's happening here is an authentication bypass. Normally, when someone connects to GlobalProtect, the system checks their identity before granting access. CVE-2026-0257 breaks that check entirely.
Here's how Security Affairs explains the underlying problem: when a device is misconfigured so that the same certificate is used for both the HTTPS service and cookie encryption — which turns out to be a common misconfiguration — an attacker can grab the public key directly from the HTTPS session. With that key, they can craft a fake authentication cookie for any user, including the local admin account, and the device will accept it as completely legitimate.
Rapid7 researchers found that the GlobalProtect code "decrypts the incoming cookie and then trusts the decrypted content implicitly, with no signature verification of any kind occurring after decryption." In other words, the lock accepts a key it shouldn't, and there's no second check to catch the forgery.
Rapid7 even built a proof-of-concept script that automates the entire attack: retrieve the certificate, forge the cookie, test it. According to Security Affairs, the whole sequence takes seconds against a vulnerable appliance.
Two Waves of Real Attacks — Already Confirmed
This isn't theoretical. Rapid7's managed detection and response team caught attackers in the act.
- Wave 1: Detected on May 18, 2026 at 01:51 UTC, originating from infrastructure hosted by Vultr. Attackers used the hostname "GP-CLIENT" on a Linux system with a spoofed MAC address of aa:bb:cc:dd:ee:ff.
- Wave 2: Hit on May 21, 2026, this time from a provider called Dromatics Systems, using the hostname "DESKTOP-GP01" — and the same spoofed MAC address.
That identical spoofed MAC address is what led Rapid7 to conclude both waves came from the same threat actor. In the second wave, some victims received a VPN IP assignment after the forged cookie was accepted — meaning the attacker successfully gained access to the internal network.
The earliest confirmed exploitation date was May 17, 2026, four days after Palo Alto issued its patch.
Palo Alto Networks itself confirmed the attacks in an advisory update on May 29, acknowledging "limited exploit attempts on unpatched PAN-OS devices without mitigations applied."
Is Your Business Affected? Here's How to Check
You're only exposed if all three of these conditions are true for your setup:
- You're running Palo Alto Networks PAN-OS with GlobalProtect portal or gateway configured
- Authentication override cookies are enabled
- The same certificate is used for both the HTTPS service and the cookie encryption feature
If your setup doesn't match all three criteria, you're not exposed by this specific flaw. But if you're unsure — and most non-technical business owners will be — this is exactly the moment to get an IT professional to verify your configuration. Rapid7 has published a public proof-of-concept script on GitHub that organizations can use to test whether their appliances are vulnerable.
Note that this vulnerability does not affect Panorama or Cloud NGFW deployments.
What to Do Right Now
Palo Alto issued a patch on May 13, 2026. If you haven't applied it, that's your first priority. Here's the priority order:
- Patch immediately — Upgrade to a patched PAN-OS version. The Hacker News notes Rapid7 is urging organizations to treat this as urgent.
- Can't patch right now? As a temporary mitigation, either:
- Disable the authentication override feature entirely, or
- Generate a new, dedicated certificate used only for cookie encryption — not shared with the HTTPS service
- Check your logs for these indicators of compromise: logins from the hostname "GP-CLIENT" or "DESKTOP-GP01," the spoofed MAC address aa:bb:cc:dd:ee:ff, or authentication events from Vultr or Dromatics Systems infrastructure
- Check CISA's deadline — The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog and ordered federal agencies to mitigate by June 1, 2026. If the federal government is treating this as an emergency, private businesses should too
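As an added example (not from the post, Rapid7 or Palo Alto), here is a small Python scanner that checks VPN authentication log lines for the indicators listed above and also flags any user whose indicator-matching login was followed by a tunnel IP assignment, the sign from the second wave that the attacker reached the internal network. The sample log lines and their comma-separated layout are constructed for illustration; map the fields to your own GlobalProtect log export before running it against real data.

```python
# Indicators named in the post (hostnames, MAC and hosting providers reported by
# Rapid7). The CSV-style layout below is a constructed simplification, not PAN-OS's real schema.
IOC_HOSTNAMES = {"GP-CLIENT", "DESKTOP-GP01"}
IOC_MAC = "aa:bb:cc:dd:ee:ff"
IOC_PROVIDERS = ("vultr", "dromatics")
FIELDS = ("ts", "user", "host", "mac", "org", "event")

# Constructed sample log: timestamp,user,client_hostname,client_mac,source_org,event
SAMPLE_LOG = """\
2026-05-18T01:50:12Z,jsmith,JSMITH-LAPTOP,3c:22:fb:10:aa:01,Comcast Cable,auth-success
2026-05-18T01:51:03Z,admin,GP-CLIENT,aa:bb:cc:dd:ee:ff,Vultr Holdings,auth-success
2026-05-18T01:51:04Z,admin,GP-CLIENT,aa:bb:cc:dd:ee:ff,Vultr Holdings,tunnel-ip-assigned
2026-05-21T14:02:55Z,mlee,DESKTOP-GP01,AA:BB:CC:DD:EE:FF,Dromatics Systems,auth-success
2026-05-21T14:10:00Z,mlee,MLEE-PC,9c:b6:d0:44:12:7e,Verizon,auth-success
"""

def parse(text: str):
    """Yield (line_no, record) for well-formed lines; malformed lines are skipped."""
    for n, line in enumerate(text.splitlines(), start=1):
        parts = line.strip().split(",")
        if len(parts) == len(FIELDS):
            yield n, dict(zip(FIELDS, parts))

def ioc_reasons(rec: dict) -> list[str]:
    """Return which of the post's indicators one record matches (empty if none)."""
    reasons = []
    if rec["host"] in IOC_HOSTNAMES:
        reasons.append(f"hostname {rec['host']}")
    if rec["mac"].lower() == IOC_MAC:  # MACs may be logged in either case
        reasons.append(f"spoofed MAC {rec['mac']}")
    if any(p in rec["org"].lower() for p in IOC_PROVIDERS):
        reasons.append(f"source org {rec['org']}")
    return reasons

def scan_log(text: str) -> list[tuple[int, str, list[str]]]:
    """All (line_no, user, reasons) triples that match at least one indicator."""
    return [(n, r["user"], rs) for n, r in parse(text) if (rs := ioc_reasons(r))]

def users_with_tunnel_after_ioc(text: str) -> set[str]:
    """Users whose indicator-matching login was later followed by a tunnel IP assignment."""
    flagged, escalated = set(), set()
    for _, rec in parse(text):
        if ioc_reasons(rec):
            flagged.add(rec["user"])
        if rec["event"] == "tunnel-ip-assigned" and rec["user"] in flagged:
            escalated.add(rec["user"])
    return escalated

if __name__ == "__main__":
    print(scan_log(SAMPLE_LOG), users_with_tunnel_after_ioc(SAMPLE_LOG))
```

A hostname or MAC match alone is worth an investigation; a match followed by a tunnel IP assignment means the session got inside and should be treated as a confirmed intrusion.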
A Word on Severity Ratings
Palo Alto initially rated this vulnerability as medium severity — a CVSS score of 7.8 — because it requires a specific configuration to be exploitable. Rapid7 pushed back on that framing from the start, and it's hard to disagree with them.
As Security Affairs put it: an authentication bypass on an internet-facing enterprise VPN appliance, where a successful exploit lands an attacker directly inside your network, is not a medium-severity problem regardless of what the CVSS calculator says. Real-world exploitation across multiple organizations tends to settle that debate quickly.
The Bottom Line for Yuba City Businesses
If your business runs Palo Alto GlobalProtect and you haven't patched since May 13, assume you may be at risk. The attack is fast, the proof-of-concept is public, and confirmed victims are already out there.
Check your configuration, apply the patch, and audit your logs for the indicators listed above. If you manage your own network infrastructure and want a second set of eyes on your VPN configuration, our team at Computer Works is happy to help — feel free to reach out or stop by.
And if you're a local business that doesn't yet have a proactive IT monitoring setup, now is a good time to think about one. Our /business page has more on how we support small business IT in the area.
Update: As of the publishing of this post, CISA has added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog. The June 1 remediation deadline for federal agencies has passed, but the risk to private businesses remains active until patched.