🤚 The Open-Palm Advisory
Palo Alto Networks has confirmed that CVE-2026-0257, an authentication bypass in its GlobalProtect VPN, is being actively exploited in the wild. The vulnerability — initially rated Medium severity before someone noticed it was, you know, being used by attackers — has been upgraded to High severity and added to CISA’s Known Exploited Vulnerabilities catalog on May 29.
The federal mitigation deadline? Today. June 1, 2026. If you’re reading this and you haven’t patched, congratulations: you are now operating outside the timeline that the United States government considers acceptable.
Rapid7 MDR first identified exploitation on May 17, with two distinct attack waves detected:
- May 18: Infrastructure hosted by Vultr
- May 21: Origin traced to Dromatics Systems
Rapid7 reports “successful exploitation across numerous customers” — a phrase that should make your CISO’s eye twitch involuntarily.
👐 The Two-Handed Cookie Forgery
The vulnerability is a masterclass in why certificate reuse is the IT equivalent of using your house key as a bookmark in a library book.
Here’s how it works: GlobalProtect uses authentication override cookies to maintain VPN sessions. The device decrypts these cookies using a configured private key — so far, so reasonable. The problem? It trusts the decrypted contents without performing any signature verification.
When organizations reuse the same certificate for both HTTPS and authentication override cookies (which is, apparently, common enough to constitute a vulnerability class), an attacker can:
- Extract the public key via a normal HTTPS connection
- Forge a valid authentication override cookie
- Target the local administrator account
- Present the forged cookie to GlobalProtect
- Receive a warm, unsuspecting welcome
The silver lining — if you can call it that — is that Rapid7 observed no successful lateral movement from compromised devices. In many cases, even though the appliance accepted the forged cookie, attackers couldn’t establish a full VPN session. Your security appliance got tricked at the door but didn’t let the intruder past the lobby. Progress.
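A toy model of the design flaw described above, added here as an illustration; it is not code from Palo Alto Networks or from the original post, and the RSA primes, the MAC secret and the cookie layout are all constructed. The "vulnerable" verifier treats a successful decryption as proof of authenticity; the "hardened" one is one general remedy (authenticate the plaintext under a server-only secret before trusting any field), not a description of the vendor's patch.

```python
"""Why 'decrypt, then trust' fails when the encryption key is public.
Textbook RSA with fixed Mersenne primes and no padding: illustration only."""
import hashlib
import hmac

# Constructed toy key pair (2^127-1 and 2^521-1 are Mersenne primes); not a real key.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY, PRIVATE_KEY = (N, E), (N, D)
# Server-only secret for the hardened verifier; it never appears in any handshake.
COOKIE_MAC_KEY = b"constructed-server-side-secret"
TAG_LEN = hashlib.sha256().digest_size


def seal(public_key, plaintext: bytes) -> int:
    """Encrypt to the public key. Any holder of the public half can do this, and the
    public half is exactly what every HTTPS client receives during the TLS handshake."""
    n, e = public_key
    return pow(int.from_bytes(plaintext, "big"), e, n)


def open_cookie(private_key, cookie: int) -> bytes:
    """Decrypt with the private key. This proves only that the cookie was made
    with the matching public key, which says nothing about who made it."""
    n, d = private_key
    m = pow(cookie, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def vulnerable_verify(private_key, cookie: int):
    """Flawed pattern: whatever decrypts cleanly is believed, no authenticity check."""
    return open_cookie(private_key, cookie).decode()


def issue_cookie(public_key, mac_key: bytes, user: str) -> int:
    """Hardened issuer: the plaintext carries an HMAC tag under the server-only secret."""
    payload = user.encode()
    return seal(public_key, payload + hmac.new(mac_key, payload, hashlib.sha256).digest())


def hardened_verify(private_key, mac_key: bytes, cookie: int):
    """Decrypt, then require a valid tag before trusting any decrypted field."""
    plaintext = open_cookie(private_key, cookie)
    if len(plaintext) <= TAG_LEN:
        return None
    payload, tag = plaintext[:-TAG_LEN], plaintext[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, payload, hashlib.sha256).digest()):
        return None
    return payload.decode()


def demo() -> dict:
    unsigned = seal(PUBLIC_KEY, b"admin")  # built with the public half only
    issued = issue_cookie(PUBLIC_KEY, COOKIE_MAC_KEY, "alice")  # built with the secret
    return {"vulnerable_accepts_unsigned": vulnerable_verify(PRIVATE_KEY, unsigned),
            "hardened_rejects_unsigned": hardened_verify(PRIVATE_KEY, COOKIE_MAC_KEY, unsigned),
            "hardened_accepts_issued": hardened_verify(PRIVATE_KEY, COOKIE_MAC_KEY, issued)}
```

Run `demo()`: the decrypt-and-trust verifier returns "admin" for a cookie nobody with the secret ever issued, while the hardened verifier returns None for it and "alice" for the properly issued one.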
🌿 The Gentle Awakening
There is a special category of vulnerability that emerges when a security product says “I’ll just trust myself” and then discovers that trust was misplaced. Palo Alto Networks — a company whose entire value proposition is “we don’t trust anyone” — shipped a product that trusts unsigned cookie contents because the encryption key was supposed to be secret.
This is the second Palo Alto vulnerability to make headlines this year. In May, their firewalls were found to have been compromised by state-sponsored hackers for over a month. Your perimeter defense is having a performance review, and the feedback is not constructive.
👑 The Gold-Leaf Mitigation
The fix is available. Palo Alto released patches earlier in May. But if you can’t patch immediately, your options are:
- Disable the authentication override feature entirely — the nuclear option, but at least it’s honest
- Use a separate certificate for authentication override — not shared with HTTPS services
- Pray — not recommended by CISA, but statistically popular
The real lesson here is that certificate reuse continues to be the gift that keeps on giving — to attackers. Every time an organization decides “one certificate is enough,” they are gambling that the thing protecting the front door isn’t also the thing an attacker can study from the sidewalk. Today, that gamble lost.
“The VPN said ‘come in,’ the cookie said ‘I’m admin,’ and nobody checked with each other. Enterprise security is just a series of locked doors that all share a key under the same mat.” — The Slap of Wisdom Zero Trust Department, which has now been renamed the Aspirational Trust Department