PAN-OS CVE-2026-0257 VPN Bypass: NC SMB Action Plan

Palo Alto PAN-OS GlobalProtect CVE-2026-0257 is under active exploitation. CISA KEV deadline June 1, 2026. NC small business patch playbook. Call (336) 886-3282.


TL;DR: CVE-2026-0257 is a Palo Alto Networks PAN-OS GlobalProtect authentication bypass (CVSS 7.8) disclosed on May 13, 2026 and under active exploitation since May 17, 2026. CISA added it to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a federal mitigation deadline of June 1, 2026. For NC small businesses that use GlobalProtect for remote access, the action items are simple and time-sensitive: patch PAN-OS now, audit the authentication override feature, rotate any shared certificates, and hunt for cookie-based unauthorized VPN sessions.

Key takeaway: When attackers can mint valid session cookies for your VPN, "we use a name-brand firewall" is not a defense. You need patched edge appliances, a dedicated cookie certificate, MFA on the management plane, and behavior-based detection looking for impossible VPN logins.

Run GlobalProtect or Prisma Access? Preferred Data Corporation can verify your PAN-OS version, harden authentication, and hunt for unauthorized sessions the same day. Call (336) 886-3282 or request an emergency Palo Alto review.

What is CVE-2026-0257 and why is it critical?

CVE-2026-0257 is an authentication bypass in PAN-OS GlobalProtect and Prisma Access that lets an attacker establish an unauthorized VPN connection without valid credentials. The CVSS score is 7.8 (high). The flaw lives in the non-default "authentication override" feature, which issues session cookies to authenticated users so they do not have to re-authenticate on every connection. When the certificate used to encrypt and decrypt those override cookies is shared with another service (for example the HTTPS service on the same appliance), an attacker can forge or replay cookies and walk in as a trusted user. The Hacker News and Rapid7 both documented active exploitation in May 2026.

Three facts make this a top-priority issue for SMBs:

  • No credential required. A crafted request that supplies a forged or replayed cookie is enough to be treated as authenticated.
  • High blast radius. A successful bypass yields a real VPN session, which can be used to scan, pivot, deploy ransomware, or exfiltrate data exactly like a legitimate remote user.
  • Confirmed in CISA KEV. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a federal patching deadline of June 1, 2026. Cyber insurers increasingly treat missed KEV entries as a denial trigger at renewal.

For NC small businesses that rely on GlobalProtect for remote employees, branch sites, manufacturing plants, or contractor access, this is a do-it-today issue, not a sprint backlog item.

How are attackers using CVE-2026-0257 right now?

Attackers are minting their own VPN sessions. According to Rapid7's Emergent Threat Response and The Hacker News, the earliest in-the-wild exploitation was identified on May 17, 2026, with suspicious cookie-based authentication to local admin accounts detected on May 18. A second wave on May 21, 2026 originated from address space of the hosting provider Dromatics Systems, and on some victim gateways the attacker was assigned a full VPN IP address once the cookie authentication succeeded, per GBHackers.

Attack stage          | What it looks like                              | Why it matters for SMBs
Initial access        | Crafted request to GlobalProtect portal/gateway | No phishing or credential theft required
Authentication        | Forged or replayed session cookie accepted      | Bypasses MFA on the portal
Session establishment | Real VPN IP assigned to attacker                | Treated as a trusted internal user
Goal                  | Lateral movement, data theft, ransomware        | Edge breach becomes interior breach

The pattern matters because the attacker traffic looks like normal VPN traffic. Without behavior-based detection inside the network, the only visible signal can be the "impossible login" pattern (admin account from a new geography, off hours, or via an unusual hosting provider).

Who is at risk and what is the SMB exposure?

Any NC small business running an internet-exposed GlobalProtect portal or gateway, or Prisma Access, is in the immediate blast zone if the authentication override feature is enabled and the certificate is shared with another service. Per the Palo Alto Networks security advisory and Help Net Security coverage, Palo Alto initially disclosed the issue on May 13, 2026, with patched PAN-OS releases available across the supported version trains.

The SMB-specific exposure stacks:

  • Remote workforce equals high exposure. Any SMB that grew remote or hybrid access since 2020 is likely running GlobalProtect for staff or vendors. The internet-facing footprint is exactly where attackers scan first.
  • Lateral movement at scale. A real VPN session is the most valuable single foothold an attacker can buy. From there, ransomware operators routinely escalate to domain admin in hours, not days, per the 2026 Verizon DBIR.
  • Insurance and CMMC exposure. Cyber insurers and DoD CMMC reviewers expect documented patching of CISA KEV entries inside the published deadlines, and a missed entry is a common claim-denial trigger.
  • Regional impact. Many Piedmont Triad and Charlotte-area manufacturers, professional firms, and defense suppliers standardized on Palo Alto Networks for the price/performance and CMMC readiness story. The regional exposure is meaningful, not theoretical.

Quotable definition: CVE-2026-0257 is a high-severity authentication bypass in Palo Alto Networks PAN-OS GlobalProtect that allows attackers to establish unauthorized VPN sessions by abusing session cookies issued under the authentication override feature when the certificate that encrypts and decrypts those cookies is shared with another service.

What should an NC small business do this week?

Treat this as an emergency change with a five-step playbook, in order. Most NC SMBs can complete the high-risk steps in a single business day.

  1. Patch PAN-OS to the fixed version. Apply the fix per the Palo Alto Networks security advisory for your version train. Verify the running version after the change, not just that the update ran.
  2. Audit the authentication override feature. If you do not need it, disable it. If you do need it, ensure the certificate used to encrypt and decrypt override cookies is dedicated to that purpose and not shared with the HTTPS service or any other function on the appliance.
  3. Rotate any shared certificates. Replace and reissue, then invalidate every active session so any forged cookie becomes worthless.
  4. Hunt for compromise before declaring success. Look for VPN sessions assigned to unexpected user accounts, sessions originating from unfamiliar hosting providers (for example Vultr or Dromatics Systems addresses, per Rapid7), and admin-level VPN logins from new geographies or off-hours.
  5. Enforce MFA on the management plane and segment the firewall. No admin should manage PAN-OS without MFA, and the management interface should never be reachable from the public internet.
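Step 1 says to verify the running version rather than trust that the update ran. The following Python script, an added example and not Palo Alto Networks code, shows one way to do that check against the output of the PAN-OS `show system info` operational command as returned through the XML API: it extracts `sw-version`, derives the release train, and compares the version against a table of fixed releases, ordering hotfix suffixes (`-hN`) correctly and failing closed for any train with no entry. The sample XML is constructed and trimmed, and the versions in `EXAMPLE_FIXED_BY_TRAIN` are placeholders, not the advisory's actual fixed releases.

```python
"""Confirm the running PAN-OS release after a patch window.

Added example (not Palo Alto Networks code). It parses the XML that the PAN-OS
operational command `show system info` returns through the XML API
(type=op&cmd=<show><system><info></info></system></show>), extracts
`sw-version`, and compares it with a caller-supplied table of fixed releases
per train. The table values below are placeholders, not the advisory's real
fixed versions: fill them in from the vendor advisory.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample of an XML API op response (trimmed; the real one has many more fields).
SAMPLE_SHOW_SYSTEM_INFO = """\
<response status="success"><result><system>
  <hostname>fw-edge-01</hostname>
  <model>PA-440</model>
  <sw-version>11.1.4-h7</sw-version>
  <global-protect-client-package-version>6.2.5</global-protect-client-package-version>
</system></result></response>"""

# PLACEHOLDER values for illustration only; take the real fixed releases from the advisory.
EXAMPLE_FIXED_BY_TRAIN = {"11.1": "11.1.4-h7", "10.2": "10.2.9-h3"}

# PAN-OS versions look like major.minor.maintenance with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'11.1.4-h7' -> (11, 1, 4, 7); a base release sorts below every hotfix of it."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def train_of(version):
    """Release train is major.minor, e.g. '11.1' for 11.1.4-h7."""
    major, minor, _, _ = parse_version(version)
    return f"{major}.{minor}"


def running_version(xml_text):
    """Extract sw-version from a `show system info` response; fail loudly on any surprise."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("op command did not succeed")
    node = root.find("./result/system/sw-version")
    if node is None or not (node.text or "").strip():
        raise RuntimeError("sw-version missing from response")
    return node.text.strip()


def is_fixed(version, fixed_by_train):
    """True only if `version` is at or above the fixed release listed for its own train.

    A train with no entry returns False: with no fixed version on record you
    cannot claim the box is patched, so the check fails closed.
    """
    fixed = fixed_by_train.get(train_of(version))
    if fixed is None:
        return False
    return parse_version(version) >= parse_version(fixed)


def check_appliance(xml_text, fixed_by_train):
    """One-line verdict per appliance, suitable for pasting into the change record."""
    ver = running_version(xml_text)
    status = "FIXED" if is_fixed(ver, fixed_by_train) else "NOT CONFIRMED FIXED"
    return {"sw_version": ver, "train": train_of(ver), "status": status}


if __name__ == "__main__":
    print(check_appliance(SAMPLE_SHOW_SYSTEM_INFO, EXAMPLE_FIXED_BY_TRAIN))
```

Run it against each portal and gateway after the upgrade and keep the verdict line with the change ticket; an appliance on a train that is not in your table reports "NOT CONFIRMED FIXED" on purpose, so an unexpected version cannot slip through as patched.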

Need this done today, not next sprint? Call (336) 886-3282 or contact Preferred Data Corporation for an emergency Palo Alto review across firewall, VPN, and endpoint.

Why is this a managed security problem, not a patch-once problem?

Because the next CISA KEV entry will arrive before you finish writing the post-mortem on this one. The pattern across 2025-2026 is consistent: vendor edge and remote-access systems (Fortinet, SonicWall, Palo Alto Networks, Citrix, Ivanti and similar VPN appliances) are now the highest-paying attack surface. The 2026 Verizon Data Breach Investigations Report confirmed vulnerability exploitation has overtaken stolen credentials as the #1 initial access vector at 31% of all breaches, with median remediation time stretching to 43 days per Security Boulevard's analysis of the remediation paradox.

For a Piedmont Triad small business, the math is unforgiving. If exploitation is observed inside four days and the median small business patches in 43, you give the attacker a 39-day window every time. A managed program that patches, hardens, and monitors edge appliances on a 24/7 cycle is a small fraction of an incident-response invoice and is exactly the kind of control cyber insurers now require. Preferred Data Corporation has delivered that managed protection to North Carolina small businesses since 1987, from our High Point headquarters and on-site across the Piedmont Triad, Charlotte, Greensboro, Raleigh, and Winston-Salem.

PDC supports this work through managed cybersecurity, managed IT services, and network and infrastructure.

Frequently Asked Questions

Is CVE-2026-0257 still being exploited?

Yes. Rapid7 and The Hacker News documented two distinct exploitation waves in May 2026, and CISA added the CVE to the Known Exploited Vulnerabilities catalog on May 29, 2026 with a federal mitigation deadline of June 1, 2026. That deadline carries weight beyond the federal civilian branch because cyber insurers and CMMC reviewers also use KEV as a baseline expectation.

We patched, but how do we know we were not already breached?

Hunt for indicators of compromise before declaring victory. The high-value signals are GlobalProtect sessions tied to unexpected accounts, VPN logins from unfamiliar hosting providers (Vultr and Dromatics Systems addresses were observed in the wild), admin sessions from new geographies, and lateral movement consistent with a real interactive user rather than scripted scanning. If you do not have an EDR/MDR product with retrospective hunting and centralized firewall logging, a managed partner can run a targeted compromise assessment in hours, not weeks.
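The hunt in step 4 of the playbook above and the indicators listed in this answer come down to the same four signals: cookie-based authentication to admin accounts, sessions from hosting-provider address space, off-hours admin logins, and a login from a geography not previously seen for that user. The script below, added here and not part of the original post or of any Palo Alto Networks tooling, runs those rules over a small constructed log and reports every rule that fired per event. The CSV columns are an assumed simplified export rather than the PAN-OS GlobalProtect log schema, `ADMIN_USERS` and `HOSTING_CIDRS` are placeholders (documentation prefixes, not Vultr or Dromatics ranges), and the rows are made up.

```python
"""Hunt GlobalProtect authentication events for the session patterns described
in the post: cookie-based logins to admin accounts, logins from hosting-provider
address space, off-hours admin logins, and a user's first login from a new country.

Added example, not PAN-OS code. The input is a simplified CSV export constructed
for the demo; the column names are assumptions, not the PAN-OS GlobalProtect log
schema. The hosting-provider ranges use documentation prefixes and stand in for
whatever ASN/CIDR list you maintain; they are not Vultr or Dromatics allocations.
"""
import csv
import io
import ipaddress
from datetime import datetime

# Constructed sample log (local time). Rows 3 and 5 are the planted suspicious sessions.
SAMPLE_LOG = """\
time,user,auth_method,src_ip,src_country,assigned_ip
2026-05-16T09:12:00,jsmith,SAML,203.0.113.10,US,10.50.0.11
2026-05-16T10:03:00,admin,LDAP,203.0.113.22,US,10.50.0.12
2026-05-18T03:41:00,admin,Cookie,198.51.100.77,NL,10.50.0.13
2026-05-18T14:20:00,jsmith,Cookie,203.0.113.10,US,10.50.0.11
2026-05-21T02:05:00,svc-backup,Cookie,192.0.2.9,US,
"""

# Hypothetical hosting-provider ranges; replace with your own ASN-derived CIDR list.
HOSTING_CIDRS = [ipaddress.ip_network("198.51.100.0/24"), ipaddress.ip_network("192.0.2.0/24")]
ADMIN_USERS = {"admin", "svc-backup"}   # local admin and service accounts (placeholders)
BUSINESS_HOURS = range(7, 19)           # 07:00-18:59 local counts as working hours


def parse_events(text):
    """Parse the CSV export into dicts with typed time and IP, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.fromisoformat(row["time"])
        row["src_ip"] = ipaddress.ip_address(row["src_ip"])
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def hunt(events, hosting_cidrs=HOSTING_CIDRS, admins=ADMIN_USERS):
    """Return one finding per suspicious event, listing every rule that fired.

    The geography baseline is learned from the log itself: only countries seen in
    earlier, unflagged logins by the same user count as known, so a user's very
    first login never fires the geography rule and a flagged login never
    teaches the baseline the attacker's country.
    """
    findings = []
    seen_countries = {}
    for e in events:
        reasons = []
        is_admin = e["user"] in admins
        cookie_auth = e["auth_method"].lower() == "cookie"

        if cookie_auth and is_admin:
            reasons.append("cookie auth to admin account")
        if any(e["src_ip"] in net for net in hosting_cidrs):
            reasons.append("source in hosting-provider range")
        if is_admin and e["time"].hour not in BUSINESS_HOURS:
            reasons.append("admin login off-hours")

        prior = seen_countries.setdefault(e["user"], set())
        if prior and e["src_country"] not in prior:
            reasons.append(f"new geography {e['src_country']} (baseline {sorted(prior)})")

        # A cookie login that also received a tunnel IP is a live foothold, not just an attempt.
        if reasons and cookie_auth and e["assigned_ip"]:
            reasons.append("session established, VPN IP assigned")

        if reasons:
            findings.append({"time": e["time"].isoformat(), "user": e["user"],
                             "src_ip": str(e["src_ip"]), "reasons": reasons})
        else:
            prior.add(e["src_country"])   # only clean logins extend the baseline
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_LOG)):
        print(f["time"], f["user"], f["src_ip"], "; ".join(f["reasons"]))
```

Feed it a real export covering the window from the disclosure date onward, not just the day you patched: the page's timeline has exploitation starting four days after disclosure, so a hunt that starts at the patch date can miss the first wave. A normal user re-connecting on a cookie from a known location produces no finding, which is the intended behavior; the rules fire on the combination of cookie auth with a privileged account, a hosting-provider source, off-hours timing or a never-before-seen country.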

Does MFA on GlobalProtect protect us from CVE-2026-0257?

Not by itself. The appliance accepts a forged or replayed override cookie as proof of an authentication that already completed, so the attacker inherits a session that has, in effect, already passed the MFA step. Patching, disabling or hardening the authentication override feature, and rotating the certificate that encrypts the cookies are all required. MFA on the management plane remains mandatory and limits what a compromised admin can do.

How does this affect cyber insurance?

Most 2026 SMB cyber insurance policies require documented patching of CISA KEV entries within published deadlines, EDR/MDR coverage, MFA on management interfaces, and a written incident response plan. CVE-2026-0257 is exactly the kind of issue an underwriter will ask about at renewal, and a missed patch is a common path to a denied claim. Cyber insurance application rejection rates for SMBs have climbed into double digits in 2026 specifically because applicants cannot evidence basic patch governance.

Are we exposed even if our GlobalProtect portal is internal-only?

The exposure is much smaller, but not zero. If any attacker can reach the portal via a separate vulnerable edge appliance, RDP, or phishing-driven access into your network, the same cookie-forgery technique applies. Patch anyway, disable or harden the authentication override feature, restrict the management plane to a trusted admin VLAN, and require MFA for every administrator.
