A critical authentication bypass vulnerability in Palo Alto Networks PAN-OS (CVE-2026-0257) is being actively exploited in the wild, allowing unauthenticated attackers to forge VPN cookies and gain unauthorized access to enterprise networks.
CISA added the flaw to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, mandating that federal agencies remediate it by June 1, 2026, just 72 hours after disclosure escalation.
CVE-2026-0257 is an authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software.
Tracked under CWE-565 (Reliance on Cookies Without Validation and Integrity Checking), the flaw resides in the platform’s “authentication override” feature, a convenience mechanism that issues encrypted cookies to authenticated GlobalProtect users, allowing them to re-authenticate without re-entering credentials, similar to a bearer token system.
The critical flaw is that the PAN-OS binary does not perform any signature verification after decrypting the authentication override cookie.
According to Rapid7’s reverse-engineering analysis, the main_DecryptAppAuthCookie function base64-decodes and RSA-decrypts the incoming cookie, then implicitly trusts its contents with zero cryptographic integrity checks.
This means any attacker who can discover the public key used to encrypt these cookies can forge arbitrary authentication tokens and log in as any user, including local admin accounts, without providing a password.
The exposure condition is specific but dangerously common: the GlobalProtect portal or gateway must have authentication override cookies enabled, and the certificate used for cookie encryption must be reused (shared with the HTTPS service or another feature) rather than being a dedicated, isolated certificate.
Since the HTTPS service certificate is publicly retrievable by any visitor to the gateway, attackers can extract the public key and forge valid cookies on demand.
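The decrypt-then-trust pattern described above, beside the integrity check that closes it, as an added illustration that is not PAN-OS code: it uses a deliberately tiny toy RSA key built from two Mersenne primes (constructed) and an HMAC key that only the server holds; the real cookie format and the vendor's fix are not known from this article.

```python
import base64
import hashlib
import hmac
import secrets

# Toy RSA key pair, constructed for illustration only (tiny Mersenne primes;
# never use parameters like these in practice). Added example, not PAN-OS code.
P, Q = 2147483647, 2305843009213693951   # 2^31-1 and 2^61-1, both prime
N, E = P * Q, 65537                        # public key (N, E): readable by anyone
D = pow(E, -1, (P - 1) * (Q - 1))         # private exponent, server-only
SERVER_MAC_KEY = secrets.token_bytes(32)  # integrity key that never leaves the server

def rsa_encrypt(plaintext: bytes) -> bytes:
    # Needs only the PUBLIC key: whoever can read the certificate can run this.
    # Payload must stay below N (at most 11 bytes for this toy key).
    c = pow(int.from_bytes(plaintext, "big"), E, N)
    return c.to_bytes(12, "big")

def rsa_decrypt(ciphertext: bytes) -> bytes:
    m = pow(int.from_bytes(ciphertext, "big"), D, N)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

# --- Vulnerable pattern (CWE-565): decrypt, then believe the contents ---
def issue_cookie_vulnerable(user: str) -> str:
    return base64.b64encode(rsa_encrypt(user.encode())).decode()

def accept_cookie_vulnerable(cookie: str) -> str:
    # No integrity check: anything that decrypts cleanly is trusted as-is.
    return rsa_decrypt(base64.b64decode(cookie)).decode()

# --- Hardened pattern: encrypt-then-MAC with a key only the server holds ---
def issue_cookie_hardened(user: str) -> str:
    ct = rsa_encrypt(user.encode())
    tag = hmac.new(SERVER_MAC_KEY, ct, hashlib.sha256).digest()
    return base64.b64encode(ct + tag).decode()

def accept_cookie_hardened(cookie: str):
    raw = base64.b64decode(cookie)
    ct, tag = raw[:12], raw[12:]
    expected = hmac.new(SERVER_MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # missing or wrong tag: reject before decrypting anything
    return rsa_decrypt(ct).decode()
```

A cookie produced with nothing but the public key passes the vulnerable acceptor and is rejected by the hardened one, which is the whole difference between confidentiality and authenticity that CWE-565 is about.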
Rapid7’s Managed Detection and Response (MDR) team confirmed real-world exploitation beginning May 17, 2026, just four days after Palo Alto Networks published its initial advisory on May 13. Analysts identified two distinct waves of attacks:
- Wave 1 (May 18, 2026): Suspicious cookie authentication to the local admin account was observed across multiple customer environments, with traffic originating from the hosting provider Vultr (IP: 104.207.144.154). Machines used the hostname “GP-CLIENT” running Linux.
- Wave 2 (May 21, 2026): A second wave launched from Dromatics Systems (IPs: 146.19.216.119, 146.19.216.120, 146.19.216.125). In this wave, successful VPN IP assignment was observed, granting attackers direct access to internal networks. The hostname “DESKTOP-GP01” running Windows 10 was used.
A consistent spoofed MAC address (aa:bb:cc:dd:ee:ff) was observed in both waves, suggesting the same threat actor operated across both campaigns.
In 8 out of 10 impacted MDR customers, attackers successfully forged authentication cookies but did not establish a full VPN session, indicating widespread probing for lateral movement readiness.
Affected PAN-OS Versions
| Product | Affected Versions | Fixed Versions |
|---|---|---|
| PAN-OS 12.1 | < 12.1.4-h6 / < 12.1.7 | ≥ 12.1.4-h6 / ≥ 12.1.7 |
| PAN-OS 11.2 | < 11.2.4-h17, < 11.2.12 | ≥ 11.2.4-h17, ≥ 11.2.12 |
| PAN-OS 11.1 | < 11.1.4-h33, < 11.1.15 | ≥ 11.1.4-h33, ≥ 11.1.15 |
| PAN-OS 10.2 | < 10.2.7-h34, < 10.2.18-h6 | ≥ 10.2.7-h34, ≥ 10.2.18-h6 |
| Prisma Access 11.2.0 | < 11.2.7-h13 | ≥ 11.2.7-h13 |
| Prisma Access 10.2.0 | < 10.2.10-h36 | ≥ 10.2.10-h36 |
Panorama and Cloud NGFW are NOT affected.
| Indicator | Type | Description |
|---|---|---|
| 104.207.144.154 | IP Address | Threat actor source IP (Wave 1 – Vultr) |
| 146.19.216.119 | IP Address | Threat actor source IP (Wave 2 – Dromatics) |
| 146.19.216.120 | IP Address | Threat actor source IP (Wave 2 – Dromatics) |
| 146.19.216.125 | IP Address | Threat actor source IP (Wave 2 – Dromatics) |
| aa:bb:cc:dd:ee:ff | MAC Address | Spoofed MAC observed in both exploitation waves |
| DESKTOP-GP01 | Hostname | Windows host used in Wave 2 (May 21, 2026) |
| GP-CLIENT | Hostname | Linux host used in Wave 1 (May 18, 2026) |
Mitigation
Organizations running GlobalProtect must act immediately. Although Palo Alto Networks assigned the flaw a CVSSv4 score of 7.8 (High), Rapid7 and CISA urge treating it as Critical due to its edge-facing VPN exposure and confirmed active exploitation.
Immediate actions required:
- Patch now: Upgrade to the fixed PAN-OS versions listed above per the official vendor advisory.
- Disable authentication override: Navigate to Network > GlobalProtect > Gateways, open the Agent tab, and uncheck both the “Generate cookie for authentication override” and “Accept cookie for authentication override” options.
- Isolate the certificate: If disabling is not possible, generate a dedicated certificate exclusively for authentication override cookies. Do not reuse the portal/gateway HTTPS certificate or share it with any other feature.
- Review GlobalProtect logs: Hunt for cookie-based admin logins, suspicious source IPs, spoofed MAC addresses, and impossible travel patterns.
- Monitor internal activity: Watch for abnormal Kerberos authentication, LDAP enumeration, lateral movement, and the creation of new services following any suspicious VPN session.
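A starting point for the log review recommended above, as an added example that is not a Rapid7 or Palo Alto tool: it applies the indicators from this article to constructed sample events written in a simplified key=value form (not the real GlobalProtect log format), and assumes the local admin account is named admin.

```python
# Indicators taken from the article's IoC table.
IOC_IPS = {"104.207.144.154", "146.19.216.119", "146.19.216.120", "146.19.216.125"}
IOC_MACS = {"aa:bb:cc:dd:ee:ff"}
IOC_HOSTS = {"GP-CLIENT", "DESKTOP-GP01"}
LOCAL_ADMIN_USERS = {"admin"}  # assumption: replace with your local admin account names

# Constructed sample events in a simplified key=value form. This is NOT the real
# GlobalProtect log format; normalize your exported logs into these fields first.
SAMPLE_EVENTS = """\
ts=2026-05-18T03:12:09Z event=gateway-auth user=admin auth=cookie src=104.207.144.154 mac=aa:bb:cc:dd:ee:ff host=GP-CLIENT os=Linux
ts=2026-05-21T11:40:51Z event=gateway-auth user=admin auth=cookie src=146.19.216.120 mac=aa:bb:cc:dd:ee:ff host=DESKTOP-GP01 os=Windows
ts=2026-05-21T11:40:53Z event=vpn-assign user=admin src=146.19.216.120 vpn_ip=10.20.0.17
ts=2026-05-21T12:02:13Z event=gateway-auth user=jsmith auth=password src=203.0.113.8 mac=00:11:22:33:44:55 host=LAPTOP-77 os=Windows
"""

def parse(line: str) -> dict:
    # Each token is key=value; values contain no spaces in this constructed format.
    return dict(kv.split("=", 1) for kv in line.split())

def hunt(events: str) -> list:
    findings = []
    cookie_admin = set()  # (user, src) pairs that got in via an authentication override cookie
    for line in events.splitlines():
        e = parse(line)
        reasons = []
        if e.get("event") == "gateway-auth":
            if e.get("auth") == "cookie" and e.get("user") in LOCAL_ADMIN_USERS:
                reasons.append("cookie login to local admin account")
                cookie_admin.add((e["user"], e["src"]))
            if e.get("src") in IOC_IPS:
                reasons.append("known actor source IP")
            if e.get("mac") in IOC_MACS:
                reasons.append("spoofed MAC seen in both waves")
            if e.get("host") in IOC_HOSTS:
                reasons.append("known actor hostname")
        elif e.get("event") == "vpn-assign" and (e.get("user"), e.get("src")) in cookie_admin:
            # Wave 2 behaviour: a cookie login followed by a VPN IP assignment.
            reasons.append("VPN IP assigned after cookie admin login (Wave 2 pattern)")
        if reasons:
            findings.append({"ts": e["ts"], "user": e.get("user"), "src": e.get("src"), "reasons": reasons})
    return findings
```

The password login from an unrelated host produces no finding, while the cookie admin logins and the follow-on VPN assignment each do; a cookie login to a local admin account should be investigated even when none of the published indicators match.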
After patching, GlobalProtect users will be required to reauthenticate once, as authentication override cookies will be regenerated using a more secure method. Administrators should notify helpdesk teams in advance.
CISA officially added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a remediation due date of June 1, 2026, for all U.S. Federal Civilian Executive Branch (FCEB) agencies under Binding Operational Directive (BOD) 22-01.
While this directive does not legally bind private organizations, failure to remediate a KEV-listed vulnerability that is later exploited creates significant legal, regulatory, and reputational liability.
CVE-2026-0257 is the second major PAN-OS vulnerability to surface in May 2026. The earlier CVE-2026-0300, a critical buffer overflow with a CVSS score of 9.3, was also reported to have been exploited in limited attacks against the User-ID Authentication Portal.
This pattern places PAN-OS environments under extraordinary operational pressure and underscores the urgency of proactive patch management for internet-facing security infrastructure.
FAQ
Q1: What is CVE-2026-0257?
It is an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect that allows unauthenticated attackers to forge VPN cookies and establish unauthorized network connections.
Q2: Is CVE-2026-0257 being actively exploited?
Yes, Rapid7 confirmed active exploitation beginning May 17, 2026, and CISA added it to its KEV catalog on May 29, 2026, confirming in-the-wild attacks.
Q3: Which systems are not affected by CVE-2026-0257?
Panorama and Cloud NGFW are confirmed unaffected; only GlobalProtect portal/gateway deployments with authentication override cookies enabled and a misconfigured (shared) certificate are vulnerable.
Q4: What is the fastest mitigation if patching is not immediately possible?
Turn off the authentication override feature in the GlobalProtect portal and gateway configuration, or immediately generate and assign a dedicated certificate exclusively for authentication override cookies.
Site: thecybrdef.com