CVE-2026-0257: Rapid7 Caught Attackers Abusing Forged VPN Cookies Against Multiple Customers
A new vulnerability has landed and it deserves attention. Palo Alto Networks addressed CVE-2026-0257 on May 13. Two weeks later, cybersecurity firm Rapid7 confirmed active exploitation across multiple customer environments. The flaw affects the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS and allows attackers to bypass authentication and establish unauthorized VPN connections. It does not affect Panorama or Cloud NGFW deployments. “Authentication bypass vulnerabilities in the GlobalProtect...
The Details
Here is what we know: A second wave hit on May 21, this time from Dromatics Systems, using the hostname “DESKTOP-GP01” and the same spoofed MAC address. The consistent MAC address across both waves is what led Rapid7 to assess that a single threat actor was behind both campaigns.
“Rapid7 MDR identified successful exploitation across numerous customers; however, we did not observe any indication of successful lateral movement from the devices,” states Rapid7. “The earliest date for observed exploitation was May 17, 2026.”
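The pivot Rapid7 describes above, a client MAC address reused across otherwise unrelated logins, is something a defender can check for in their own GlobalProtect connection records. The following is an added example and not code from the post or from Rapid7; it parses a constructed, simplified log format (not the real PAN-OS log schema), the MAC value is a placeholder, and only the hostname “DESKTOP-GP01” comes from the reporting above.

```python
import re
from collections import defaultdict

# Constructed sample records (NOT the real PAN-OS/GlobalProtect log format):
# one VPN login per line with source IP, client hostname, client MAC and user.
SAMPLE_LOGS = """\
src=203.0.113.10 host=DESKTOP-GP01 mac=00:11:22:33:44:55 user=jdoe
src=198.51.100.7 host=DESKTOP-GP01 mac=00:11:22:33:44:55 user=asmith
src=192.0.2.44 host=LAPTOP-FIN-12 mac=aa:bb:cc:dd:ee:01 user=bwong
src=192.0.2.45 host=LAPTOP-FIN-12 mac=aa:bb:cc:dd:ee:01 user=bwong
src=203.0.113.11 host=DESKTOP-GP01 mac=00:11:22:33:44:55 user=jdoe
"""

LINE_RE = re.compile(r"src=(\S+) host=(\S+) mac=(\S+) user=(\S+)")
REPORTED_HOSTNAME = "DESKTOP-GP01"  # hostname quoted in the Rapid7 reporting

def parse(text):
    """Turn the constructed log text into a list of dict records."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(dict(zip(("src", "host", "mac", "user"), m.groups())))
    return rows

def network_of(ip):
    """Coarse /24 bucket so two addresses on one office LAN count as one source."""
    return ".".join(ip.split(".")[:3])

def find_shared_macs(rows, min_networks=2, min_users=2):
    """Return MACs seen from at least min_networks different /24s AND used by
    at least min_users distinct accounts; a real laptop rarely does both."""
    by_mac = defaultdict(lambda: {"nets": set(), "users": set(), "hosts": set()})
    for r in rows:
        e = by_mac[r["mac"]]
        e["nets"].add(network_of(r["src"]))
        e["users"].add(r["user"])
        e["hosts"].add(r["host"])
    return {mac: e for mac, e in by_mac.items()
            if len(e["nets"]) >= min_networks and len(e["users"]) >= min_users}

def find_reported_hostname(rows, hostname=REPORTED_HOSTNAME):
    """Sorted source IPs whose client hostname matches the reported one."""
    return sorted({r["src"] for r in rows if r["host"] == hostname})

if __name__ == "__main__":
    records = parse(SAMPLE_LOGS)
    for mac, ev in find_shared_macs(records).items():
        print(f"MAC {mac} seen from {sorted(ev['nets'])} as users {sorted(ev['users'])}")
    print("hostname hits:", find_reported_hostname(records))
```

Point the parser at your own export of GlobalProtect login events and tune the thresholds; a hostname match alone is weak, the shared-MAC condition is the stronger signal.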
And perhaps most importantly: Palo Alto initially rated this flaw as medium severity because it requires a specific configuration to be exploitable. Rapid7 disagreed from the start. An authentication bypass on an internet-facing enterprise VPN appliance, where a successful exploit lands an attacker directly inside your network, is not a medium-severity problem regardless of what the CVSS calculator says.
The flaw is tracked formally as CVE-2026-0257, meaning it has a full entry in the National Vulnerability Database with analysis and references available.
Why This Should Be On Your Radar
This is not a theoretical risk. It is a formally tracked vulnerability with a CVE ID, meaning security teams worldwide will be looking for it in their environments. The question is not whether it will be targeted -- it is when.
What To Do
1. Check whether your environment uses any of the affected components (the GlobalProtect portal or gateway on PAN-OS).
2. Look up CVE-2026-0257 in the NVD for CVSS scoring and affected versions.
3. Brief your team or update your threat model accordingly.
4. Share this with your network -- the more defenders who know, the harder it is for attackers.
What is your take? Are you affected? Drop your thoughts below.
More at https://securitycyber.uk
Mastodon: https://infosec.exchange/@securitycyber
LinkedIn: https://www.linkedin.com/in/charlie-collins-sec
Bluesky: https://bsky.app/profile/securitycyberuk.bsky.social
Substack: https://securitycyber.substack.com
Discord: https://discord.gg/securitycyber
Recommended resources to go deeper: https://www.hackthebox.com for hands-on practice, https://portswigger.net/web-security for free web security labs, and https://academy.tcm-sec.com for structured courses.
Originally published at https://securitycyber.uk