Hackers are actively breaking into business networks through a flaw in Palo Alto Networks’ GlobalProtect VPN. Palo Alto raised the severity rating last Friday after confirming real attacks against unpatched devices. If you use this VPN, this is a stop-what-you’re-doing situation.
This week in brief
- Dutch police took down a massive botnet. Authorities in the Netherlands dismantled a network of 17 million infected devices — computers, phones, tablets, and internet-connected gadgets — running off more than 200 servers, according to The Hacker News. The takeaway for you: cheap, forgotten IoT devices (cameras, smart plugs, old routers) get hijacked constantly. If it’s plugged into your network and you never update it, it’s a liability.
- Quantum computing is starting to threaten encryption. ZDNet reports that experts are urging organizations to move from 128-bit to 256-bit encryption now, because a large enough quantum computer would roughly halve the effective strength of today’s 128-bit keys. That advice covers the symmetric encryption (AES) that protects stored data; the bigger long-term risk is to the public-key math (RSA and elliptic curves) behind key exchange and digital signatures, which is what the newer post-quantum standards are designed to replace. This isn’t an emergency for small businesses yet, but encrypted data stolen today can be kept and decrypted later, so anything you need to keep secret for years is the first thing to plan for.
The one that matters: the Palo Alto VPN attacks
Here’s what’s going on. Palo Alto Networks makes firewalls and VPNs that a lot of small and mid-size businesses rely on to let staff connect remotely. Their remote-access product is called GlobalProtect. There’s a flaw in it, tracked as CVE-2026-0257, that lets an attacker skip the login process entirely and connect to your network as if they belonged there.
Palo Alto patched it earlier this month and originally rated it “Medium” — not a screaming emergency, because exploiting it required a specific setup. Then last Friday they changed their tune. Per Bleeping Computer, the company confirmed real attacks against unpatched devices and raised the rating to “High.” CISA added it to its Known Exploited Vulnerabilities list on May 29, which is the government’s way of saying: this is being used against people right now, fix it.
So what are the attackers actually doing? The security firm Rapid7 dug into it. The VPN uses something called an “authentication override cookie” — basically a token that says “this person already logged in, let them through.” The problem is that the device decrypts that cookie with its certificate key and then trusts whatever’s inside without checking that the device itself issued it. No signature or integrity check. Encrypting with a public key keeps the contents secret, but it proves nothing about who wrote them: anyone holding the public key can produce a cookie that decrypts cleanly. If a business reuses the same certificate for its regular HTTPS traffic and for these cookies — which is common — the public key is handed to every visitor during the normal HTTPS handshake, so an attacker can take it from the website, forge a cookie that looks valid, and walk right in. They’ve been targeting the local administrator account specifically.
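To show the flaw class in working code (this is an added illustration, not Palo Alto’s code, not the real cookie format, and not an exploit for the device), the Python below uses textbook RSA with two Mersenne primes as a stand-in for the certificate-based cookie encryption and a small JSON payload as a stand-in for the cookie contents. The vulnerable pattern decrypts and trusts; the hardened pattern checks an HMAC keyed with a secret that never leaves the device before it trusts anything. All keys, payloads and function names are assumptions made for the example.

```python
import hashlib
import hmac
import json
import os

# Textbook RSA with two Mersenne primes stands in for the device's
# certificate-based cookie encryption (toy only: no padding, not for real use).
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
PUBLIC_KEY = (N, E)    # what every HTTPS client receives from the certificate
PRIVATE_KEY = (N, D)   # stays on the VPN device


def rsa_encrypt(pub, data):
    n, e = pub
    m = int.from_bytes(b"\x01" + data, "big")   # marker byte keeps the length exact
    if m >= n:
        raise ValueError("message too long for toy modulus")
    return pow(m, e, n)


def rsa_decrypt(priv, ciphertext):
    n, d = priv
    m = pow(ciphertext, d, n)
    blob = m.to_bytes((m.bit_length() + 7) // 8, "big")
    if not blob.startswith(b"\x01"):
        raise ValueError("bad plaintext framing")
    return blob[1:]


def make_payload(username):
    return json.dumps({"user": username}, separators=(",", ":")).encode()


# --- Vulnerable pattern: encrypt-only cookie, decrypt and trust whatever is inside.
# Minting needs only the public key, so an attacker holding the certificate
# can mint one exactly as the device would.
def mint_cookie_vulnerable(pub, username):
    return rsa_encrypt(pub, make_payload(username))


def accept_cookie_vulnerable(priv, cookie):
    try:
        payload = json.loads(rsa_decrypt(priv, cookie))
    except ValueError:
        return None
    return payload.get("user")   # no proof the device ever issued this


# --- Hardened pattern: an HMAC keyed with a device-only secret is verified
# before the payload is parsed, so the public key alone is no longer enough.
COOKIE_MAC_KEY = os.urandom(32)  # server-side secret (constructed for the example)
TAG_LEN = 16


def mint_cookie_hardened(pub, mac_key, username):
    body = make_payload(username)
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    return rsa_encrypt(pub, tag + body)


def accept_cookie_hardened(priv, mac_key, cookie):
    try:
        blob = rsa_decrypt(priv, cookie)
    except ValueError:
        return None
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None                  # forged or tampered: reject before parsing
    try:
        return json.loads(body).get("user")
    except ValueError:
        return None


def attacker_forge_hardened(pub, username):
    """Attacker has the public key but not COOKIE_MAC_KEY; best effort is a guessed tag."""
    return rsa_encrypt(pub, bytes(TAG_LEN) + make_payload(username))


if __name__ == "__main__":
    forged = mint_cookie_vulnerable(PUBLIC_KEY, "admin")   # attacker, public key only
    print("vulnerable accepts forged cookie as:", accept_cookie_vulnerable(PRIVATE_KEY, forged))
    guessed = attacker_forge_hardened(PUBLIC_KEY, "admin")
    print("hardened accepts forged cookie as:", accept_cookie_hardened(PRIVATE_KEY, COOKIE_MAC_KEY, guessed))
    legit = mint_cookie_hardened(PUBLIC_KEY, COOKIE_MAC_KEY, "alice")
    print("hardened accepts legitimate cookie as:", accept_cookie_hardened(PRIVATE_KEY, COOKIE_MAC_KEY, legit))
```

The point the vulnerable half makes is that `mint_cookie_vulnerable` and “what the attacker does” are the same function: nothing in it needs a secret. Moving the cookies to a separate certificate only changes which public key the attacker has to obtain; the durable fix is an authenticity check against something the attacker cannot have, which is what the patch is for.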
Rapid7 says it saw successful break-ins across multiple customers, with the earliest activity going back to May 17. The attacks came in waves from rented servers. The one piece of good news: in many cases the attackers got the forged cookie accepted but couldn’t build a full VPN session, and Rapid7 didn’t see them spreading deeper into networks. But “couldn’t this time” is not a security plan.
Why should you care if you’re running a 12-person accounting firm or a contractor business? Because a VPN is the front door to your entire network. If someone gets through it, they’re not stuck at the edge — they’re inside, where your files, your client data, and your accounting system live. And exposed remote-access tools are one of the most common ways ransomware gangs get in. This is exactly the kind of foothold that turns into a locked-up business and a ransom demand two weeks later.
The fix is straightforward: Palo Alto has a patch out. Apply it. If you can’t patch immediately, you can reduce your exposure by not reusing the same certificate for HTTPS and authentication override cookies, and by reviewing whether you even need override cookies turned on. Treat the certificate change as a stopgap, not a fix: it only denies the attacker the easiest way to get the key, while the missing check is still there until the device is patched. Most small businesses don’t manage this themselves — your IT provider does — so the real action item is making sure someone actually confirms it’s done.
What to do right now
- If you use Palo Alto GlobalProtect VPN, apply the patch for CVE-2026-0257 today. It’s being actively exploited and it’s on CISA’s list. Don’t wait for your next maintenance window.
- Ask your IT provider one direct question: “Are our Palo Alto devices patched against CVE-2026-0257, and are we reusing certificates for auth override cookies?” If they can’t answer fast, that’s a problem.
- Check your VPN logs for connections since May 17, the earliest activity Rapid7 saw. Logins to the local admin account from addresses you don’t recognize, particularly from hosting providers rather than staff home or office connections, are a red flag.
- Turn on multi-factor authentication for remote access if you haven’t. It won’t stop this specific cookie-forging trick, because the forged cookie skips the login step where MFA would run, but it stops the password-guessing and stolen-credential attacks that make up most VPN break-ins.
- Inventory the internet-connected devices on your network — cameras, old routers, smart gear. The ones nobody updates are how botnets like the one the Dutch just took down get built.
Remote-access flaws like this are exactly what we keep an eye on for the businesses we work with on the Shore — patching, certificate hygiene, watching the logs so you don’t have to. If any of this is on your radar and you’re not sure where you stand, that’s what we’re here for. Book a free 15-minute consult.