Palo Alto Networks Unit 42 has confirmed active exploitation of CVE-2026-0257, a critical authentication-bypass vulnerability in the GlobalProtect portal and gateway components of PAN-OS software, allowing unauthenticated remote attackers to forge VPN session cookies and establish unauthorized network access without valid credentials.
CVE-2026-0257 is an authentication bypass vulnerability rooted in CWE-565, improper reliance on cookies without adequate validation, affecting both the GlobalProtect portal and gateway interfaces of Palo Alto Networks PAN-OS.
The vulnerability was first disclosed on May 13, 2026, initially assigned a CVSSv4 score of 4.7 (medium), but Palo Alto Networks revised the severity to 7.8 (High) on May 29, 2026, following confirmed in-the-wild exploitation.
Notably, the CVSSv3.1 base score is 9.1 (Critical), reflecting a severe impact on confidentiality and integrity when exploited at scale.
The vulnerability is activated only when two conditions align: the authentication override feature is enabled, and the override certificate is shared with the HTTPS service certificate, a misconfiguration that directly violates Palo Alto’s own hardening guidance. Panorama and Cloud NGFW are not affected by this issue.
The root cause lies in PAN-OS’s authentication override mechanism, which issues encrypted cookies to authenticated GlobalProtect users for seamless re-authentication, functioning similarly to a bearer token in OAuth flows.
When the certificate used to encrypt these cookies is identical to the one used by the GlobalProtect HTTPS portal or gateway, an attacker can extract the public key directly from the TLS handshake and forge a valid authentication cookie without ever authenticating.
Internally, the main_DecryptAppAuthCookie function in PAN-OS decrypts incoming cookies but performs no signature verification, meaning any correctly encrypted cookie is implicitly trusted by the appliance.
Rapid7 Labs validated this through a working proof-of-concept published on GitHub as forge_cookie.py, which iterates over certificates in the HTTPS chain, forges cookies using each public key, and tests them against the target gateway. The PoC script is publicly accessible at github.com/sfewer-r7/CVE-2026-0257, significantly lowering the technical barrier for exploitation.
Rapid7 MDR first observed exploitation on May 17, 2026, with a second distinct wave emerging on May 21, 2026. Both waves involved cookie-based authentication targeting local admin accounts, originating from infrastructure hosted on Vultr and Dromatics Systems, low-cost hosting providers commonly leveraged by threat actors for operational anonymity.
Unit 42 researchers confirmed that only approximately 2 out of 10 impacted MDR customers saw complete VPN tunnel establishment, verified through POST requests to /ssl-vpn/hipreport.esp and /ssl-vpn/getconfig.esp.
The consistent use of spoofed MAC address aa:bb:cc:dd:ee:ff across both exploitation waves strongly suggests a single unidentified threat actor behind the campaign. As of this writing, no lateral movement has been observed post-access.
On May 29, 2026, CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities (KEV) catalog, mandating that U.S. federal civilian agencies remediate by June 1, 2026, per Binding Operational Directive 22-01.
Affected PAN-OS Versions
The following versions are confirmed vulnerable:
| PAN-OS Branch | Vulnerable Versions | Fixed Version |
|---|---|---|
| 10.2.x | All < 10.2.7-h34 | 10.2.7-h34+ |
| 11.1.x | All < 11.1.4-h33 | 11.1.4-h33+ |
| 11.2.x | All < 11.2.4-h17 | 11.2.4-h17+ |
| 12.1.x | All < 12.1.4-h6 | 12.1.4-h6+ |
| Prisma Access | < 11.2.7-h13 / 10.2.10-h36 | 11.2.7-h13+ / 10.2.10-h36+ |
Siemens RUGGEDCOM APE1808 firmware using PAN-OS is also affected and covered under Siemens advisory SSA-967325.
Indicators of Compromise (IOCs)
Security teams should hunt for the following indicators across VPN logs, firewall telemetry, and SIEM platforms:
| Indicator | Type | Context |
|---|---|---|
| 23.128.228[.]6 | IP Address | Threat actor source (pre-PoC) |
| 104.207.144[.]154 | IP Address | Threat actor source; Vultr hosting |
| 146.19.216[.]119/120/125 | IP Address | Threat actor source; Dromatics Systems |
| 179.43.172[.]213 | IP Address | Threat actor source (pre-PoC) |
| 185.195.232[.]139 | IP Address | Threat actor source (pre-PoC) |
| 198.12.106[.]60 | IP Address | Threat actor source (pre-PoC) |
| 202.144.192[.]47 | IP Address | Threat actor source (pre-PoC) |
| 209.99.191[.]137 | IP Address | Threat actor source (Rapid7) |
| 79.130.26[.]202 | IP Address | Threat actor source (Rapid7) |
| aa:bb:cc:dd:ee:ff | MAC Address | Spoofed MAC; present in both exploit waves |
| 00:11:22:33:44:55 | MAC Address | Spoofed MAC address |
| WINDOWS-LAPTOP-001 | Hostname | Suspicious host ID in GlobalProtect logs |
| DESKTOP-GP01 | Hostname | Observed with Windows auth (May 21, 2026) |
| GP-CLIENT | Hostname | Observed with Linux auth (May 17, 2026) |
| Jocker | Hostname | Observed alongside IP 79.130.26[.]202 |
| Microsoft Windows 10 Pro 64-bit | OS String | Hard-coded PoC client OS value |
| (empty) | Domain Field | Hard-coded empty domain in PoC config |
Remediation Steps
Organizations running affected PAN-OS versions must act immediately. Recommended actions in order of priority:
- Patch immediately — Upgrade to the vendor-fixed PAN-OS version as documented in the official security advisory.
- Rotate certificates — Generate a dedicated certificate used exclusively for authentication override cookie encryption, separate from the HTTPS service certificate.
- Disable authentication override — If patching is delayed, disable the feature entirely until the fix is applied.
- Threat hunt with IOCs — Search GlobalProtect logs for gateway-connected events with endpoint_os_version: Microsoft Windows 10 Pro 64-bit and an empty domain field, which are hard-coded PoC values.
- Restrict access — Limit network access to GlobalProtect portal and gateway interfaces to trusted IP ranges only.
- Review VPN session logs — Investigate POST requests to /ssl-vpn/hipreport.esp and /ssl-vpn/getconfig.esp for unauthorized session establishment attempts.
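The hunting steps above and the IOC table can be turned into a small, repeatable check. The script below is an added example written for this page, not code from Palo Alto Networks, Unit 42 or Rapid7. It reads a constructed, simplified key=value log format (the field names src, mac, host, os, domain, method and path are assumptions; a real GlobalProtect or web-access log export must be mapped onto them), flags events matching the listed source IPs, spoofed MACs, hostnames and the hard-coded PoC client profile (the exact OS string together with an empty domain), and separately marks POST requests to the two session-establishment endpoints so that sources which completed a full tunnel setup, as the advisory describes, can be distinguished from mere login attempts.

```python
"""Hunt for CVE-2026-0257 indicators in GlobalProtect-style logs (added example)."""
import re

# Indicators copied from the advisory's IOC table; defanged form is kept as listed.
IOC_IPS_DEFANGED = [
    "23.128.228[.]6", "104.207.144[.]154",
    "146.19.216[.]119", "146.19.216[.]120", "146.19.216[.]125",
    "179.43.172[.]213", "185.195.232[.]139", "198.12.106[.]60",
    "202.144.192[.]47", "209.99.191[.]137", "79.130.26[.]202",
]
IOC_IPS = {ip.replace("[.]", ".") for ip in IOC_IPS_DEFANGED}
IOC_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
IOC_HOSTS = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT", "Jocker"}
POC_OS = "Microsoft Windows 10 Pro 64-bit"          # hard-coded PoC client OS value
SESSION_PATHS = {"/ssl-vpn/hipreport.esp", "/ssl-vpn/getconfig.esp"}

# key=value tokens; quoted values may contain spaces or be empty (domain="").
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S*))')


def parse_line(line):
    """Parse one constructed key=value log line into a dict (assumed format)."""
    event = {}
    for m in KV_RE.finditer(line):
        event[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return event


def score_event(ev):
    """Return the list of indicator names that match a single parsed event."""
    hits = []
    if ev.get("src") in IOC_IPS:
        hits.append("ioc_ip:" + ev["src"])
    if ev.get("mac", "").lower() in IOC_MACS:
        hits.append("spoofed_mac:" + ev["mac"].lower())
    if ev.get("host") in IOC_HOSTS:
        hits.append("ioc_hostname:" + ev["host"])
    # PoC client profile: the exact OS string combined with an empty domain field.
    if ev.get("os") == POC_OS and ev.get("domain") == "":
        hits.append("poc_client_profile")
    # Endpoints whose POSTs indicate the VPN tunnel was actually established.
    if ev.get("method") == "POST" and ev.get("path") in SESSION_PATHS:
        hits.append("session_setup:" + ev["path"])
    return hits


def hunt(lines):
    """Return (line_number, event, hits) for every line with at least one hit."""
    findings = []
    for n, line in enumerate(lines, 1):
        ev = parse_line(line)
        hits = score_event(ev)
        if hits:
            findings.append((n, ev, hits))
    return findings


def full_tunnel_sources(findings):
    """Sources that produced a flagged login AND reached a session-setup endpoint."""
    logins, sessions = set(), set()
    for _, ev, hits in findings:
        if ev.get("stage") == "login":
            logins.add(ev.get("src"))
        if any(h.startswith("session_setup:") for h in hits):
            sessions.add(ev.get("src"))
    return logins & sessions


# Constructed sample log: one benign login, two suspicious logins, two web requests.
SAMPLE_LOG = [
    'ts=2026-05-17T03:12:44Z stage=login src=203.0.113.10 user=jdoe host=JDOE-LT '
    'mac=3c:52:82:aa:10:01 os="Microsoft Windows 11 Pro 64-bit" domain="corp" result=success',
    'ts=2026-05-17T03:20:01Z stage=login src=146.19.216.120 user=admin host=GP-CLIENT '
    'mac=aa:bb:cc:dd:ee:ff os="Linux" domain="corp" result=success',
    'ts=2026-05-21T11:05:37Z stage=login src=198.51.100.7 user=admin host=DESKTOP-GP01 '
    'mac=00:11:22:33:44:55 os="Microsoft Windows 10 Pro 64-bit" domain="" result=success',
    'ts=2026-05-21T11:05:39Z stage=web src=198.51.100.7 method=POST path=/ssl-vpn/getconfig.esp status=200',
    'ts=2026-05-21T11:05:40Z stage=web src=203.0.113.10 method=GET path=/global-protect/login.esp status=200',
]

if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for n, ev, hits in results:
        print(f"line {n} src={ev.get('src')} -> {', '.join(hits)}")
    print("full tunnel established from:", sorted(full_tunnel_sources(SAMPLE_LOG and results)))
```

Run against the sample, the second and third logins are flagged on MAC, hostname and (for the third) the PoC client profile even though its source IP is not on the list, which is the point of hunting on behavioural values rather than on IPs alone; the subsequent POST to /ssl-vpn/getconfig.esp from the same source is what separates a completed tunnel from a failed attempt.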
Frequently Asked Questions (FAQs)
Q1: What is CVE-2026-0257?
CVE-2026-0257 is a critical authentication-bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect that allows unauthenticated attackers to forge VPN session cookies and gain unauthorized access to the network.
Q2: Is CVE-2026-0257 actively exploited?
Yes, CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, and Rapid7 MDR confirmed active exploitation beginning May 17, 2026.
Q3: Which PAN-OS versions are affected by CVE-2026-0257?
PAN-OS branches 10.2.x, 11.1.x, 11.2.x, and 12.1.x are affected, along with specific Prisma Access versions; organizations should upgrade to the respective patched releases immediately.
Q4: How can organizations mitigate CVE-2026-0257 without patching?
As an interim workaround, administrators should either disable the authentication override feature or issue a dedicated certificate exclusively for override cookie encryption, separate from the HTTPS service certificate.
Site: thecybrdef.com