
Active Exploitation of Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257)

June 4th, 2026

Critical

Our Cyber Threat Intelligence Unit is monitoring an actively exploited authentication bypass vulnerability in Palo Alto Networks PAN-OS software, affecting the GlobalProtect portal and gateway. Disclosed on May 13, 2026, CVE-2026-0257 allows remote, unauthenticated attackers to establish unauthorized VPN connections by forging authentication override cookies when certain configurations are present. Exploitation was first observed on May 17, 2026, with a second wave on May 21, 2026. CISA added this vulnerability to its Known Exploited Vulnerabilities catalog on May 29, 2026. Organizations using affected PAN-OS versions with authentication override enabled are at risk of unauthorized network access, even if employee credentials are not compromised. Immediate patching or application of vendor-recommended mitigations is strongly recommended.

Technical Details

  • Vulnerability Type: Authentication Bypass (CWE-565: Reliance on Cookies without Validation and Integrity Checking)

  • Severity: Critical

  • CVE ID: CVE-2026-0257

    • CVSS 3.1 Score: 9.1 (NIST/NVD)

    • CVSS 3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Affected Products and Versions:

  • PAN-OS 10.2: < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6

  • PAN-OS 11.1: < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15

  • PAN-OS 11.2: < 11.2.4-h17, < 11.2.7-h14, < 11.2.10-h7, < 11.2.12

  • PAN-OS 12.1: < 12.1.4-h6, < 12.1.7

  • Prisma Access 10.2: < 10.2.10-h36

  • Prisma Access 11.2: < 11.2.7-h13

  • Not affected: Cloud NGFW, Panorama

Required Configuration for Exposure:

A device is only vulnerable when both of the following conditions are simultaneously true:

  • Authentication override cookies are enabled on the GlobalProtect portal or gateway

  • The certificate used to encrypt and decrypt authentication override cookies is shared with another feature (e.g., the portal or gateway HTTPS service certificate) rather than being a dedicated certificate

Note: Cloud Authentication Service (CAS) was observed to be disabled across all confirmed exploitation cases identified by Rapid7 MDR. The vendor advisory does not list CAS status as a formally defined required condition.

Attack Chain:

  • Initial Access: A remote unauthenticated attacker identifies a GlobalProtect portal or gateway exposed to the internet.

  • Reconnaissance: The attacker retrieves the HTTPS service certificate chain from the target appliance. If the authentication override cookie encryption certificate is shared with the HTTPS service, the attacker can extract the public key.

  • Cookie Forgery: Using the discovered public key, the attacker crafts a forged authentication override cookie for an arbitrary user (including the local admin account).

  • Authentication Bypass: The forged cookie is submitted via a POST request to /ssl-vpn/login.esp. The appliance decrypts the cookie and trusts the contents without performing signature verification, granting authentication.

  • VPN Access: In a subset of cases, VPN IP assignment follows successful cookie authentication, granting the attacker a routed path into the internal network.

  • Post-Exploitation: As of publication, Rapid7 MDR did not observe confirmed lateral movement from exploited devices; however, unauthorized VPN access constitutes a foothold with the potential for further intrusion.

Observed Threat Activity:

  • Rapid7 MDR observed the first wave of exploitation on May 17, 2026, originating from IP addresses associated with the hosting provider Vultr.

  • A second exploitation wave was detected on May 21, 2026, originating from IP addresses associated with Dromatics Systems.

    • Consistent spoofed MAC addresses across both waves suggest a single threat actor.

  • A public proof-of-concept script developed by Rapid7 Labs is available at https://github.com/sfewer-r7/CVE-2026-0257.

Impact

  • Organizations running affected PAN-OS versions with the described configuration are at risk of unauthorized VPN access to internal networks without requiring any valid user credentials.

  • Successful exploitation provides an attacker with a trusted network route, creating a foothold from which lateral movement, privilege escalation, data exfiltration, or deployment of additional payloads may follow.

  • The attack vector is network-facing and requires no authentication, making edge-exposed GlobalProtect appliances the primary attack surface.

  • Federal Civilian Executive Branch agencies are subject to CISA-mandated remediation timelines under KEV obligations; non-compliance may carry regulatory consequences.

Detection Method

Defenders should prioritize the following detection opportunities:

  • GlobalProtect authentication log review: Monitor for cookie-based authentication events (auth method = "Cookie") to the local admin account or any non-human identity, particularly from unexpected source IP addresses or hosting provider ranges (e.g., Vultr, Dromatics Systems).

  • Suspicious hostname indicators: Alert on the hostnames DESKTOP-GP01 (Windows, associated with May 21 activity) and GP-CLIENT (Linux, associated with May 17 activity) appearing in GlobalProtect logs.

  • Spoofed MAC address detection: Flag authentication events where the MAC address aa:bb:cc:dd:ee:ff appears in GlobalProtect logs, as this spoofed value was observed across both exploitation waves.

  • Anomalous VPN IP assignment: Investigate VPN IP assignment events that follow cookie authentication, particularly where no legitimate user session is expected.

  • Configuration audit: Check whether authentication override cookies are enabled alongside a shared certificate. Use the vendor-provided configuration check steps via Network > GlobalProtect > Portals/Gateways > Agent > Authentication tab.

Rapid7 MDR detection rules (for InsightIDR/MDR customers):

The following rules are available:

  • Suspicious Authentication - Palo Alto GlobalProtect Cookie Authentication to Local Admin Account

  • Threat Intel (Rapid7 MDR SOC/IR) - VPN Authentication via Spoofed MAC Address

  • Threat Intel (Rapid7 MDR SOC/IR) - Indicator of Compromise Observed

  • Suspicious VPN Authentication - Palo Alto GlobalProtect Login via Default Hostname

  • Suspicious VPN Authentication - Local Account Logon via Generic Non-Human Identity

  • Suspicious VPN Authentication - Local Account

  • Suspicious Authentication - Vultr

  • Suspicious Authentication - Dromatics Systems

Indicators of Compromise

Type          Indicator              Description
------------  ---------------------  ------------------------------------------------------------------------------------------------------
IPv4 Address  104[.]207[.]144[.]154  Threat actor source IP observed in Wave 1 (May 17, 2026); associated with Vultr hosting provider
IPv4 Address  146[.]19[.]216[.]119   Threat actor source IP observed in Wave 2 (May 21, 2026); associated with Dromatics Systems
IPv4 Address  146[.]19[.]216[.]120   Threat actor source IP observed in Wave 2 (May 21, 2026); associated with Dromatics Systems
IPv4 Address  146[.]19[.]216[.]125   Threat actor source IP observed in Wave 2 (May 21, 2026); associated with Dromatics Systems
IPv4 Address  209[.]99[.]191[.]137   Threat actor source IP
IPv4 Address  79[.]130[.]26[.]202    Threat actor source IP
Hostname      DESKTOP-GP01           Machine name observed in GlobalProtect logs alongside Windows authentications; first observed May 21, 2026
Hostname      GP-CLIENT              Machine name observed in GlobalProtect logs alongside Linux authentications; first observed May 17, 2026
Hostname      Jocker                 Machine name observed alongside 79[.]130[.]26[.]202
MAC Address   aa:bb:cc:dd:ee:ff      Spoofed MAC address observed across both exploitation waves
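
The detection opportunities listed under Detection Method and the indicators in this table, combined into one log sweep as an added example (not Palo Alto or Rapid7 code). The key=value record layout, the field names src/user/auth_method/hostname/mac and the LOCAL_ADMIN_ACCOUNTS set are assumptions to adapt to a real GlobalProtect log export; the sample records are constructed.

```python
"""Indicator sweep for the CVE-2026-0257 activity described in this advisory.

Added example, not Palo Alto or Rapid7 code. The record layout is a
constructed key=value format; map src/user/auth_method/hostname/mac onto
the columns of your real GlobalProtect log export.
"""
# Indicators from this advisory's IoC table (IPs kept defanged as published).
IOC_IPS = {"104[.]207[.]144[.]154", "146[.]19[.]216[.]119", "146[.]19[.]216[.]120",
           "146[.]19[.]216[.]125", "209[.]99[.]191[.]137", "79[.]130[.]26[.]202"}
IOC_HOSTNAMES = {"DESKTOP-GP01", "GP-CLIENT", "Jocker"}
IOC_MAC = "aa:bb:cc:dd:ee:ff"
LOCAL_ADMIN_ACCOUNTS = {"admin"}  # assumption: local admin names to watch

# Constructed sample records: lines 1 and 3 mimic the two observed waves; line 2 is a benign SAML login.
SAMPLE_LOG = """\
ts=2026-05-17T02:14:09Z src=104.207.144.154 user=admin auth_method=Cookie hostname=GP-CLIENT mac=aa:bb:cc:dd:ee:ff
ts=2026-05-17T08:30:41Z src=198.51.100.23 user=jdoe auth_method=SAML hostname=JDOE-LAPTOP mac=3c:22:fb:11:22:33
ts=2026-05-21T11:02:55Z src=146.19.216.119 user=admin auth_method=Cookie hostname=DESKTOP-GP01 mac=AA:BB:CC:DD:EE:FF
"""

def refang(ip: str) -> str:
    """Turn a defanged indicator such as 1[.]2[.]3[.]4 into a matchable address."""
    return ip.replace("[.]", ".")

def parse_line(line: str) -> dict:
    """Parse one constructed 'key=value key=value ...' record into a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def classify(event: dict) -> list:
    """Return the advisory indicators an event matches; an empty list means no hit."""
    hits = []
    if event.get("auth_method", "").lower() == "cookie" and event.get("user") in LOCAL_ADMIN_ACCOUNTS:
        hits.append("cookie-auth-to-local-admin")
    if event.get("src") in {refang(ip) for ip in IOC_IPS}:
        hits.append("ioc-source-ip")
    if event.get("hostname") in IOC_HOSTNAMES:
        hits.append("ioc-hostname")
    if event.get("mac", "").lower() == IOC_MAC:  # case-insensitive MAC compare
        hits.append("spoofed-mac")
    return hits

def sweep(log_text: str) -> list:
    """Return (record, hits) for every line matching at least one indicator."""
    flagged = []
    for line in log_text.strip().splitlines():
        hits = classify(parse_line(line))
        if hits:
            flagged.append((line, hits))
    return flagged
```

Cookie authentication to a local admin account is flagged on its own, so the rule still fires when the actor changes source IP, hostname and MAC.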


Recommendations

  • Apply patches immediately:

    • Upgrade to a fixed PAN-OS version as defined in the vendor advisory.

    • Refer to the Affected Products and Versions list above for branch-specific remediation targets.

    • Note that after upgrade, GlobalProtect users will need to re-authenticate once, as existing cookies will be regenerated using a more secure method.

  • Generate a dedicated certificate for authentication override cookies:

    • If immediate patching is not operationally possible, create a new certificate exclusively for authentication override cookie encryption and decryption.

    • Do not reuse the portal or gateway HTTPS certificate for this purpose.

  • Disable authentication override as an interim mitigation:

    • Uncheck the "Generate cookie for authentication override" and "Accept cookie for authentication override" options on both the GlobalProtect portal and gateway if the feature is not operationally required.

  • Restrict external access:

    • Apply network-level controls to limit GlobalProtect portal and gateway exposure to only required source IP ranges where operationally feasible.

  • Review and rotate credentials:

    • Audit GlobalProtect and firewall logs for cookie-based authentication events.

    • Revoke any suspicious sessions and rotate credentials for accounts associated with unauthorized VPN access.

  • Enhance monitoring:

    • Implement or tune SIEM detection rules for the IOCs and behavioral indicators.

    • Verify that GlobalProtect authentication logs are being collected and retained.

  • Verify backup integrity:

    • Confirm that backup and recovery procedures are functional and that backups are isolated from VPN-accessible network segments.

Conclusion

CVE-2026-0257 is a critical authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect, with active exploitation observed since May 17, 2026. Security and network operations teams should prioritize remediation by applying vendor patches, removing shared certificate configurations, and reviewing logs for unauthorized cookie-based authentication.