
PAN-OS GlobalProtect CVE-2026-0257 exploitation wave

Exploitation Wave
Happening score: 44
1 unique source, 1 article

Summary


A CVE-2026-0257 exploitation wave is hitting Palo Alto Networks PAN-OS GlobalProtect appliances, creating unauthorized VPN access risk for multiple customers. Rapid7 said the activity came in two waves starting May 18 and May 21, likely from the same actor, and it observed successful exploitation via forged cookies. CISA added the flaw to the KEV Catalog, and federal civilian agencies must patch by June 1.

Related Happenings

PAN-OS / Prisma Access GlobalProtect authentication bypass (CVE-2026-0257, actively exploited)

Vulnerability
First: 30.05.2026 09:41 Last: 30.05.2026 09:41 Sources 1

How related: CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks’ PAN-OS software.

About this happening: **PAN-OS** and **Prisma Access** are affected by **CVE-2026-0257**, an **authentication bypass** in the **GlobalProtect portal and gateway** that can let attackers establish an **...

Cisco Catalyst SD-WAN authentication bypass flaw actively exploited (CVE-2026-20182)

Vulnerability
First: 14.05.2026 23:09 Last: 14.05.2026 23:09 Sources 1

About this happening: **CVE-2026-20182** is an actively exploited **authentication bypass** in **Cisco Catalyst SD-WAN Controller** and **Cisco Catalyst SD-WAN Manager**, creating a path to **administr...

Latest development: 14.05.2026 23:25

Cisco released a patch for CVE-2026-20182, giving organizations using Cisco Catalyst SD-WAN Controllers a way to block the authentication bypass before UAT-8616 can continue using it for administrative access, SSH key insertion, NETCONF changes, and root escalation.

CISA KEV directive for CVE-2026-20133

Public Sector Action
First: 21.04.2026 15:30 Last: 21.04.2026 15:30 Sources 1

About this happening: On **Monday, April 21, 2026**, **CISA** added **CVE-2026-20133** to the **KEV Catalog** and ordered **FCEB agencies** to secure their networks by **Friday, April 24**. The directi...

Cisco security patch release for CVE-2026-20184

Security Patch Release
First: 16.04.2026 14:27 Last: 16.04.2026 14:27 Sources 1

About this happening: **Cisco** released patches for **four critical flaws** affecting **Identity Services Engine (ISE)**, **ISE-PIC**, and **Webex Services**, closing paths to **arbitrary code executi...

CISA urgent mitigation order for Cisco FMC CVE-2026-20131

Advisory/Mitigation
First: 23.03.2026 12:30 Last: 23.03.2026 12:30 Sources 1

About this happening: **CISA** ordered **federal civilian agencies** to patch **CVE-2026-20131** in **Cisco Secure Firewall Management Center (FMC)** within **three days** or discontinue use if mitigat...

Timeline

  1. 01.06.2026 11:30 · 1 article

    Forged-cookie exploitation begins against Palo Alto Networks PAN-OS GlobalProtect

    Exploitation Observed

    Rapid7 said the first exploitation wave against Palo Alto Networks PAN-OS GlobalProtect appliances began on May 18, using authentication probes with forged cookies to bypass the GlobalProtect portal and gateway and gain unauthorized VPN access on affected devices.

  2. 01.06.2026 11:30 · 1 article

    Second forged-cookie exploitation wave hits Palo Alto Networks PAN-OS GlobalProtect

    Exploitation Observed

    Rapid7 said a second exploitation wave against Palo Alto Networks PAN-OS GlobalProtect appliances began on May 21 and again used forged cookies against the affected GlobalProtect portal and gateway.

  3. 01.06.2026 11:30 · 2 articles

    Palo Alto Networks warns of active CVE-2026-0257 exploitation and CISA adds it to KEV

    Initial Disclosure

    Palo Alto Networks said it had become aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied after publishing the update on May 13. Rapid7 said CVE-2026-0257 had been exploited in two waves across multiple customers, with VPN IP assignment following cookie authentication and 8 out of 10 impacted MDR customers accepting the cookie without a full VPN session. CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities Catalog and required federal civilian agencies to patch it by June 1.
