An authentication bypass vulnerability exists in the GlobalProtect portal and gateway features of Palo Alto Networks PAN-OS software. If exploited, a remote, unauthenticated attacker can bypass security restrictions and successfully establish an unauthorized VPN connection into the target network. This vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog following verified active exploitation in the wild.
Severity: High
Vulnerability Details
- CVE ID: CVE-2026-0257
- CVSS Score: 7.8
- Type: CWE-565 Reliance on Cookies without Validation and Integrity Checking
- Description:
  - The vulnerability exists within the “Authentication Override” feature implemented in the gpsvc binary (specifically handled via the main_DoAuthLogin and main_AuthWithCookie functions).
  - This feature issues cookie-based bearer tokens to valid users so they do not have to re-enter credentials repeatedly.
  - When processing an authentication cookie via the main_DecryptAppAuthCookie function, the appliance base64-decodes the string and decrypts it using a private key.
  - However, the decrypted content is trusted implicitly: there is no signature validation or cryptographic integrity check after decryption, so decryption alone is treated as proof that the cookie was issued by the appliance.
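The missing integrity check described above, as an added illustration that is not PAN-OS or gpsvc code: a constructed cookie format where the weak verifier decodes and decrypts and then trusts the result, next to a verifier that checks an HMAC over the ciphertext before decrypting. The key names, the toy keystream cipher (standing in for the appliance's private-key decryption) and the JSON payload are all assumptions.

```python
import base64
import hashlib
import hmac
import json
import os
from typing import Optional

# Constructed keys, not real material; the integrity key is kept separate
# from the encryption key so the MAC cannot be derived from the cipher key.
ENC_KEY = b"constructed-encryption-key"   # hypothetical
MAC_KEY = b"constructed-integrity-key"    # hypothetical
TAG_LEN = 32                              # SHA-256 HMAC tag length

def _keystream(nonce: bytes, length: int) -> bytes:
    # Toy hash-counter keystream; stands in for the real decryption step.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(ENC_KEY + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def issue_cookie(user: str, expires: int, integrity: bool) -> str:
    # Cookie = base64(nonce || ciphertext [|| HMAC(nonce || ciphertext)])
    nonce = os.urandom(12)
    payload = json.dumps({"user": user, "exp": expires}).encode()
    blob = nonce + _xor(payload, _keystream(nonce, len(payload)))
    if integrity:
        blob += hmac.new(MAC_KEY, blob, hashlib.sha256).digest()
    return base64.b64encode(blob).decode()

def verify_without_integrity(cookie: str) -> Optional[dict]:
    # Weak pattern (CWE-565): decode, decrypt, trust whatever parses.
    blob = base64.b64decode(cookie)
    nonce, ct = blob[:12], blob[12:]
    try:
        return json.loads(_xor(ct, _keystream(nonce, len(ct))))
    except ValueError:
        return None

def verify_with_integrity(cookie: str) -> Optional[dict]:
    # Hardened pattern: constant-time MAC check before any decryption.
    blob = base64.b64decode(cookie)
    if len(blob) < 12 + TAG_LEN:
        return None
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, body, hashlib.sha256).digest()):
        return None
    nonce, ct = body[:12], body[12:]
    return json.loads(_xor(ct, _keystream(nonce, len(ct))))
```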
Affected Products
| Product Branch | Vulnerable Versions | Fixed Releases |
|---|---|---|
| PAN-OS 12.1 | < 12.1.4-h6 OR < 12.1.7 | ➔ 12.1.4-h6 OR ➔ 12.1.7 or later |
| PAN-OS 11.2 | < 11.2.4-h17, < 11.2.7-h14, < 11.2.10-h7, < 11.2.12 | ➔ 11.2.4-h17, ➔ 11.2.7-h14, ➔ 11.2.10-h7, ➔ 11.2.12 or later |
| PAN-OS 11.1 | From 11.1.0 up to < 11.1.15 (and associated hotfixes) | ➔ 11.1.4-h33, ➔ 11.1.6-h32, ➔ 11.1.7-h6, ➔ 11.1.10-h25, ➔ 11.1.13-h5, ➔ 11.1.15 or later |
| PAN-OS 10.2 | From 10.2.0 up to < 10.2.18-h6 (and associated hotfixes) | ➔ 10.2.7-h34, ➔ 10.2.10-h36, ➔ 10.2.13-h21, ➔ 10.2.16-h7, ➔ 10.2.18-h6 or later |
| Prisma Access | Managed customer upgrade schedules (10.2.0: < h36, 11.2.0: < h13) | Automatically upgraded by vendor per shared customer schedules |
Observed Attacker Behavior & Campaign Activity
Rapid7 MDR observed active, in-the-wild exploitation occurring in multiple waves starting in mid-May 2026.
- Wave 1 (Started May 17, 2026): Attacks originated from the hosting provider Vultr. Attackers targeted the local administrator account using forged cookies. Rapid7 noted that in 8 out of 10 targeted MDR customers, the attackers ran authentication probes that were accepted by the device, but did not establish a full VPN session.
- Wave 2 (Started May 21, 2026): Attacks shifted to the hosting provider Dromatics Systems. In this wave, attackers successfully obtained VPN IP assignments, granting them direct internal network access.
- Attribution Clues: Both waves utilized a highly consistent, spoofed MAC address, indicating they are likely the work of a single threat actor. No successful lateral movement past the edge appliances was observed during initial investigations.
Vulnerability Exposure & Prerequisites
An appliance is exposed and vulnerable only if it meets all of the following conditions:
- Running an affected version of PAN-OS or Prisma Access.
- GlobalProtect portal or gateway is actively enabled.
- Authentication Override Cookies are enabled (generating or accepting).
- The certificate used to encrypt/decrypt override cookies is shared/reused with another open feature, such as the portal/gateway’s public HTTPS service.
Note: Panorama and Cloud NGFW deployments are not impacted by these issues.
Recommendations
- Immediately upgrade affected PAN-OS and Prisma Access deployments to a vendor-supplied fixed version.
- Mitigations:
  • Use a dedicated certificate for Authentication Override cookies: generate a new certificate exclusively for authentication override cookies and store it securely. Do not reuse the portal or gateway certificate, and do not share this certificate with other features or users.
  • Disable Authentication Override: uncheck the Authentication Override options (for generating and accepting cookies) in the GlobalProtect portal and gateway configuration.
- Block the IOCs at their respective controls:
  https://www.virustotal.com/gui/collection/1c62370f44dfcf0c0fca271ba4f80c79a675c998d2ceced8a3d699394c5ca4ec/iocs
Source:
- https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
- https://security.paloaltonetworks.com/CVE-2026-0257