Another GlobalProtect bypass, another reminder that the VPN is the wrong place to put your trust

June 1, 2026

The Register reported today that CVE-2026-0257, an authentication bypass in Palo Alto's GlobalProtect, has moved from a quiet medium-severity advisory to confirmed exploitation in the wild. Rapid7 traced successful attacks back to at least May 17 and reproduced the technique themselves. The flaw now sits in CISA's Known Exploited Vulnerabilities catalog with a same-day patch deadline for federal agencies.

The mechanics are worth reading closely. PAN-OS trusts authentication override cookies, and in deployments where the same certificate is used both for the HTTPS service and to sign those cookies, an attacker has everything needed to mint a cookie the firewall will accept as genuine. Present the forged cookie, and the gateway hands you a VPN session. No stolen password, no phished MFA token. You are simply on the inside.

This is the second emergency for the same product family in under a month. In May, state-backed attackers were exploiting CVE-2026-0300, a remote code execution bug in the PAN-OS User-ID portal, before patches were broadly available. Two different bugs, same outcome: the appliance that guards the network became the way into it.

Patching the bug leaves the design intact

It would be easy to file this under "patch faster" and move on. The deeper issue is that a VPN concentrator makes one trust decision at one moment in time, and that decision controls reachability to an entire network segment. Authenticate once at the edge, and you inherit IP-level access to whatever lives behind the gateway. The credential check happens at the door, and nothing re-checks you once you are walking the halls.

That design turns the gateway into a high-value, internet-facing target with a large attack surface. It terminates TLS, parses authentication material, manages sessions, and brokers network routes, all in one box exposed to the public internet. A single flaw in any of those functions, like a cookie the firewall trusts too readily, collapses the distinction between authenticated and anonymous. Once an attacker has a session, lateral movement is a question of what the network exposes, not whether they are allowed to look. Rapid7 noted they did not observe lateral movement in the cases they investigated, but that was the attackers' restraint, not the architecture's.

What changes when access is per request

Pomerium takes the opposite position. It is an identity-aware reverse proxy that sits in front of each application rather than in front of a network. There is no network to land on, because access is never granted at the network layer. A client reaches a specific upstream service only when a specific request satisfies policy, and that evaluation happens on every request, following the NIST SP 800-207 zero trust model.

Each request is checked against identity from your IdP, device posture, and the surrounding context, not a one-time login at a perimeter. A session that looked valid a minute ago still has to clear policy for the next call, and that policy can weigh signals a forged cookie cannot satisfy on its own. Access is scoped to one application at a time, so a compromised credential reaches the single resource its policy permits and nothing adjacent to it. The reverse proxy is self-hosted, so the contextual data driving those decisions never leaves your infrastructure.

Map that back to CVE-2026-0257. The attack succeeded because forging one trusted token unlocked a network. Removing the network from the equation removes the prize. A bypassed session in a per-request authorization model yields access to a single brokered service under continuous evaluation, not a foothold to pivot from. The blast radius shrinks from "the corporate LAN" to "one application, for one request, if policy allows."

No proxy is immune to bugs, and Pomerium ships patches like anyone else. The point is where you place your trust. Concentrating it in one internet-facing box that grants network reachability means every flaw in that box is a network breach. Distributing it across continuous, per-request, application-scoped decisions means a flaw is contained by design. GlobalProtect users are patching today. The better question is why a single authentication event should ever have been enough to get inside.

Pomerium is an open source, identity and context-aware access proxy built on zero trust principles. Get started with Pomerium Zero for free.
