TL;DR: A confirmed exploitation of CVE-2026-0257 in Palo Alto GlobalProtect showed how a forged authentication override cookie can still yield a VPN session and network reachability, with Rapid7 tracing attacks to at least May 17 and CISA adding the flaw to its KEV catalog. The incident reinforces that one-time edge authentication creates a brittle trust model, not durable access control.
NHIMG editorial — based on content published by Pomerium: Another GlobalProtect bypass, another reminder that the VPN is the wrong place to put your trust
By the numbers:
- Rapid7 traced successful attacks back to at least May 17.
- CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog with a same-day patch deadline for federal agencies.
Questions worth separating out
Q: What breaks when VPN access is granted once at the edge and then trusted across the network?
A: A single successful login becomes a standing network foothold.
Q: Why do perimeter VPNs increase lateral movement risk in enterprise networks?
A: Perimeter VPNs often turn identity into network placement, so a valid session can reach many internal resources at once.
A: Look for any architecture where one authentication event unlocks broad internal reachability.
Practitioner guidance
- Inventory every edge-authenticated access path: map which internal services remain reachable only after a single VPN login, then rank them by blast radius.
- Separate signing trust from transport trust: review whether the same certificate or trust root is used for multiple authentication functions.
- Replace network reachability with request-scoped policy: move sensitive applications behind identity-aware access that re-checks user identity, device context, and policy on every request.
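As an added illustration of the third guidance item, the Go program below contrasts the two trust models the editorial describes. It is example code written for this page, not code from Pomerium, Palo Alto or the linked article. `PerimeterReach` is a constructed model of one-time edge trust: reachability is decided at login and never re-evaluated, so a later revocation changes nothing. `Authorize` is the request-scoped alternative: every call re-checks that the identity token is still valid, that the device posture satisfies the route, and that a longest-prefix route policy allows the subject's group, with no policy meaning deny. The host names, policies, groups, the `alice`/`bob` identities and the timestamp are all constructed sample values.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
	"time"
)

// VPNSession is what a perimeter VPN records at login (constructed model);
// reachability is decided once here and later traffic never re-evaluates it.
type VPNSession struct {
	AuthenticatedAt time.Time
	Revoked         bool // may be set later, but PerimeterReach never consults it
}

// Constructed sample of the services a tunnel exposes as network placement.
var internalServices = []string{"hr.internal", "finance.internal", "git.internal", "admin.internal"}

// PerimeterReach models one-time edge trust: a session that was valid at login
// keeps every internal service reachable, revocation or not.
func PerimeterReach(s VPNSession) []string {
	if s.AuthenticatedAt.IsZero() {
		return nil
	}
	return internalServices
}

// Request is rebuilt for every inbound call from a freshly validated identity
// token and current device posture; nothing carries over from a prior login.
type Request struct {
	Subject       string
	Groups        []string
	DeviceManaged bool
	Host, Path    string
	TokenExpiry   time.Time
	TokenRevoked  bool
	Now           time.Time
}

// RoutePolicy binds one upstream to the conditions required to reach it.
// Longest matching path prefix wins; a host/path with no policy is denied.
type RoutePolicy struct {
	Host, PathPrefix string
	AllowedGroups    []string
	RequireManaged   bool
}

var ErrDenied = errors.New("denied")

// Authorize re-checks identity, device context and route policy on one request.
func Authorize(policies []RoutePolicy, r Request) error {
	if r.Subject == "" || r.TokenRevoked || !r.Now.Before(r.TokenExpiry) {
		return fmt.Errorf("%w: identity not valid at request time", ErrDenied)
	}
	var best *RoutePolicy
	for i := range policies {
		p := &policies[i]
		if p.Host != r.Host || !strings.HasPrefix(r.Path, p.PathPrefix) {
			continue
		}
		if best == nil || len(p.PathPrefix) > len(best.PathPrefix) {
			best = p
		}
	}
	switch {
	case best == nil:
		return fmt.Errorf("%w: no route policy for %s%s", ErrDenied, r.Host, r.Path)
	case !hasAny(r.Groups, best.AllowedGroups):
		return fmt.Errorf("%w: %s not allowed on %s%s", ErrDenied, r.Subject, best.Host, best.PathPrefix)
	case best.RequireManaged && !r.DeviceManaged:
		return fmt.Errorf("%w: managed device required for %s", ErrDenied, best.Host)
	}
	return nil
}

// hasAny reports whether any group in have appears in want.
func hasAny(have, want []string) bool {
	for _, h := range have {
		for _, w := range want {
			if h == w {
				return true
			}
		}
	}
	return false
}

// SamplePolicies is a constructed policy set used by main and the tests.
func SamplePolicies() []RoutePolicy {
	return []RoutePolicy{
		{Host: "git.internal", PathPrefix: "/", AllowedGroups: []string{"engineering"}},
		{Host: "finance.internal", PathPrefix: "/", AllowedGroups: []string{"finance"}, RequireManaged: true},
		{Host: "finance.internal", PathPrefix: "/admin", AllowedGroups: []string{"finance-admins"}, RequireManaged: true},
	}
}

func main() {
	now := time.Date(2026, 5, 17, 12, 0, 0, 0, time.UTC) // constructed timestamp
	fmt.Println("perimeter, revoked session:", PerimeterReach(VPNSession{AuthenticatedAt: now.Add(-time.Hour), Revoked: true}))
	req := Request{Subject: "alice", Groups: []string{"finance"}, DeviceManaged: true,
		Host: "finance.internal", Path: "/reports", TokenExpiry: now.Add(10 * time.Minute), Now: now}
	fmt.Println("request-scoped, valid:", Authorize(SamplePolicies(), req))
	req.TokenRevoked = true
	fmt.Println("request-scoped, revoked:", Authorize(SamplePolicies(), req))
}
```

The design point is in the two function signatures: `PerimeterReach` takes only login-time state, so it cannot react to revocation, posture drift or token expiry, whereas `Authorize` takes the current request and can deny for any of those reasons. Default deny for unmatched routes is what keeps a single gateway failure from turning into broad internal reachability.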
What's in the full article
Pomerium's full blog post covers the operational detail this post intentionally leaves for the source:
- How the authentication override cookie mechanism works at the packet and session level
- Why the certificate reuse condition makes the bypass possible in specific PAN-OS deployments
- How identity-aware reverse proxy policy changes the trust boundary for internal applications
- What the article says about zero trust implementation choices for teams replacing VPN access
👉 Read Pomerium's analysis of the GlobalProtect bypass and zero trust access →
GlobalProtect bypass: are your access controls still one-time trust?
Explore further
Perimeter trust is a brittle identity assumption, not a security strategy. The article shows that a single authentication event at the edge can be converted into full network reachability, which is the core flaw in VPN-centric access design. Once that trust is granted, the model no longer distinguishes between a legitimate session and a compromised one. Practitioners should treat network placement as an outdated security primitive, not a durable control.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which means many teams cannot reliably tell where standing access still exists.
A question worth separating out:
Q: What should organisations do when a VPN bypass exposes the weakness of edge-based trust?
A: Shift the highest-value applications away from network-wide access and toward identity-aware, request-scoped authorization. Use the incident as a trigger to narrow what a session can reach, reduce the value of any single token, and ensure that no gateway failure can become an internal network breach.
👉 Read our full editorial: GlobalProtect bypass shows why VPN trust is the wrong model