LIVE NEWSROOM · --:-- · May 31, 2026

CVE-2026-0257: Palo Alto GlobalProtect Auth Bypass Exploited in Wild


CVE-2026-0257, an authentication bypass vulnerability (a class of flaw that lets attackers skip the login process entirely and impersonate legitimate users) in the GlobalProtect VPN portal and gateway of Palo Alto Networks PAN-OS, is under active exploitation in the wild. Attackers are forging the encrypted authentication override cookies that GlobalProtect uses to resume sessions, gaining VPN access to corporate networks without presenting any credentials; in one confirmed case handled by an incident response firm, the intruders used the resulting VPN tunnel to reach a domain controller and encrypt 500 servers in under 90 minutes. Patches are available for all affected PAN-OS branches. Treat any unpatched internet-facing GlobalProtect deployment as potentially compromised until verified otherwise.

// 01 CVE-2026-0257: Technical Details

CVE-2026-0257 is an authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS — the operating system powering the company's next-generation firewalls and enterprise VPN appliances. Palo Alto Networks published the initial advisory on May 13, 2026, and subsequently updated it to confirm active exploitation in the wild.

The vulnerability carries a CVSS v4.0 (Common Vulnerability Scoring System, version 4 — the industry-standard framework for rating vulnerability severity on a 0–10 scale) score of 7.8 (High). The CVSS attack vector is Network (AV:N), complexity is Low (AC:L), and the flaw requires no privileges (PR:N) and no user interaction (UI:N) — meaning any unauthenticated remote attacker can exploit it over the internet against an exposed appliance. Despite the "High" severity label, security researchers at Rapid7 and CISA have emphasized that the real-world risk is effectively Critical: internet-facing VPN appliances are among the highest-value targets in any corporate environment because compromising one grants immediate network-layer access indistinguishable from a legitimate employee.

The root cause is certificate reuse in how GlobalProtect handles authentication override cookies. The cookie is encrypted to a certificate selected in the portal and gateway configuration. When that certificate is the same one serving the HTTPS portal, its public key is handed to every TLS client that connects, and public-key encryption provides confidentiality only, not authenticity: anything encrypted to a public key can be produced by anyone who holds that key. An attacker therefore extracts the public key from the portal's TLS handshake and encrypts a cookie of their own. The implementation flaw that turns this into a bypass sits in the gpsvc binary's decryption routine, which performs no signature verification after decrypting the cookie. It trusts the decrypted content unconditionally, so a cookie carrying an arbitrary forged user identity is accepted as a valid session.

The attack targets the /global-protect/portal/login.esp endpoint. A single crafted HTTP request carrying the forged cookie is sufficient to bypass authentication, without presenting any credentials, and to establish what looks to the appliance like a legitimately authenticated VPN session.
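To make the failure concrete, here is an added toy model in Python. It is constructed for this article and is not gpsvc, PAN-OS or Rapid7 code; it uses textbook RSA with small fixed Mersenne-prime keys and no padding purely so that it runs offline. The vulnerable half encrypts the cookie to the certificate's public key and accepts whatever decrypts, which is the property described above; the hardened half adds a signature under the private key, offered as one way to restore authenticity rather than as Palo Alto's actual fix. Note that the forgery function is literally the issuing function: with a shared certificate the attacker already holds everything issuance needs.

```python
"""Toy model of the CVE-2026-0257 design flaw: an authentication override cookie
that is encrypted to the appliance's certificate but never authenticated.
Constructed illustration, not gpsvc or PAN-OS code; textbook RSA, no padding."""
import hashlib
from typing import Optional, Tuple

# Constructed toy key from two Mersenne primes (fixed for reproducibility; NOT real key material).
P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537                                # public exponent: in the cert every TLS client receives
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent: never leaves the appliance
MAX_PAYLOAD = (N.bit_length() - 1) // 8  # bytes that fit in one RSA block (29 here)


def _to_int(b: bytes) -> int:
    return int.from_bytes(b, "big")


def _to_bytes(i: int) -> bytes:
    return i.to_bytes((i.bit_length() + 7) // 8, "big")


def rsa_public(x: int) -> int:
    """Anyone who fetched the HTTPS certificate can perform this operation."""
    return pow(x, E, N)


def rsa_private(x: int) -> int:
    """Only the appliance, holder of the private key, can perform this operation."""
    return pow(x, D, N)


def payload_digest(payload: bytes) -> int:
    return _to_int(hashlib.sha256(payload).digest()) % N


# --- Vulnerable design: cookie = RSA-encrypt(payload) under the shared certificate ---

def issue_cookie_vulnerable(payload: bytes) -> int:
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too long for one RSA block")
    return rsa_public(_to_int(payload))


def accept_cookie_vulnerable(cookie: int) -> bytes:
    # Decrypt and trust: nothing checks that the appliance produced this ciphertext.
    return _to_bytes(rsa_private(cookie))


# The attacker's forgery is the same operation as issuing a cookie, because issuing
# needs only the public key, which the HTTPS endpoint hands to every client.
forge_cookie = issue_cookie_vulnerable


# --- Hardened design: the appliance also signs the payload with its private key ---

def issue_cookie_hardened(payload: bytes) -> Tuple[int, int]:
    return issue_cookie_vulnerable(payload), rsa_private(payload_digest(payload))


def accept_cookie_hardened(cookie: Tuple[int, int]) -> Optional[bytes]:
    ciphertext, signature = cookie
    payload = _to_bytes(rsa_private(ciphertext))
    if rsa_public(signature) != payload_digest(payload):  # verify with the public key
        return None                                         # reject: not issued by the appliance
    return payload


def demo() -> dict:
    legit = b"user=alice;gw=gw1"
    forged = b"user=admin;gw=gw1"
    return {
        "vuln_legit": accept_cookie_vulnerable(issue_cookie_vulnerable(legit)),
        "vuln_forged": accept_cookie_vulnerable(forge_cookie(forged)),  # accepted: the bypass
        "hard_legit": accept_cookie_hardened(issue_cookie_hardened(legit)),
        # The attacker can encrypt but cannot compute digest**D mod N without D;
        # applying the public exponent to the digest is the best public-only attempt.
        "hard_forged": accept_cookie_hardened(
            (forge_cookie(forged), rsa_public(payload_digest(forged)))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:12s} -> {value!r}")
```

The dedicated-certificate workaround fits the same model: it adds no signature, it simply withholds the public key the forgery needs, which is why that certificate must never be served by any reachable HTTPS endpoint.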

Affected PAN-OS versions (patch to the fixed versions listed below):

  • PAN-OS 12.1: All versions below 12.1.4-h6 and 12.1.7 → fix: 12.1.4-h6 or 12.1.7
  • PAN-OS 11.2: All versions below 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, and 11.2.12 → fix: 11.2.12, or the hotfix listed for your maintenance line (11.2.4-h17, 11.2.7-h14, 11.2.10-h7); a maintenance release with no listed hotfix must be upgraded to the next listed fix
  • PAN-OS 11.1: Multiple version ranges below 11.1.15 → fix: 11.1.15
  • PAN-OS 10.2: Multiple version ranges below 10.2.18-h6 → fix: 10.2.18-h6
  • Prisma Access 10.2.0: Fix: 10.2.10-h36
  • Prisma Access 11.2.0: Fix: 11.2.7-h13

The vulnerability is only exploitable when all three of the following hold on the firewall: the GlobalProtect portal or gateway is enabled, the authentication override cookie feature is active, and the certificate selected for authentication override is the same certificate that serves the HTTPS portal. Deployments that use a dedicated certificate exclusively for authentication override, or that have disabled override cookies entirely, are not vulnerable. Check the portal and every gateway separately, since each has its own certificate selection.
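As an added example (not from the page and not a Palo Alto Networks tool), the following Python encodes the fixed releases listed above together with the three exploitability conditions, so a version string pulled from the CLI can be triaged mechanically. It assumes the standard PAN-OS format major.minor.maintenance with an optional -hN hotfix suffix, treats a maintenance release without a listed hotfix as unpatched until the next listed fix, and covers only the PAN-OS branches, not Prisma Access. The ranges are transcribed from the list above; confirm them against the vendor advisory before acting on the result.

```python
"""Triage helper for CVE-2026-0257: is a given PAN-OS build patched, and is the
deployment exploitable? Added example; ranges transcribed from the article."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix); hotfix 0 when absent

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Fixed releases per PAN-OS branch, as listed in the advisory summary above.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "12.1": ["12.1.4-h6", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
    "11.1": ["11.1.15"],
    "10.2": ["10.2.18-h6"],
}


def parse_version(text: str) -> Version:
    """Parse '11.2.4-h17' -> (11, 2, 4, 17); '11.2.12' -> (11, 2, 12, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_patched(version: str) -> Optional[bool]:
    """True if the build carries the fix, False if it is in an affected range,
    None if the branch is not covered by the advisory list at all."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED_VERSIONS:
        return None
    fixes = [parse_version(f) for f in FIXED_VERSIONS[branch]]
    for f in fixes:
        if v[2] == f[2] and v[3] >= f[3]:  # same maintenance line, hotfix at or above the fix
            return True
    newest_fixed_maint = max(f[2] for f in fixes)
    # Maintenance releases newer than the newest listed fix carry it; anything else
    # (older lines, or lines between listed fixes with no hotfix) does not.
    return v[2] > newest_fixed_maint


def is_exploitable(version: str, gp_enabled: bool, override_cookie_enabled: bool,
                   override_cert_is_https_cert: bool) -> Optional[bool]:
    """All three configuration conditions from the advisory must hold on an unpatched build."""
    patched = is_patched(version)
    if patched is None:
        return None
    return (not patched) and gp_enabled and override_cookie_enabled and override_cert_is_https_cert


if __name__ == "__main__":
    for build in ("11.2.4-h16", "11.2.4-h17", "11.2.11", "11.2.12", "12.1.5", "12.1.8", "9.1.3"):
        print(f"{build:12s} patched={is_patched(build)}")
    print("exploitable:", is_exploitable("11.2.11", True, True, True))
```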

[Figure: CVE-2026-0257 GlobalProtect authentication bypass exploit chain]

// 02 Exploitation Status and Threat Landscape

CVE-2026-0257 is confirmed exploited in the wild with documented victim organizations. Rapid7 MDR observed the earliest exploitation on May 17, 2026 — just four days after the advisory was published. The first confirmed attack wave hit on May 18 at 01:51:37 UTC, originating from IP address 104.207.144.154 hosted on Vultr, a low-cost cloud provider routinely used by threat actors to stage attacks and obscure attribution. A second wave followed on May 21, using IP addresses 146.19.216.119, 146.19.216.120, and 146.19.216.125 on Dromatics Systems — a different hosting provider.

Both waves used an identical MAC address (aa:bb:cc:dd:ee:ff), a placeholder value that strongly suggests the same tooling, and most likely a single threat actor, behind both campaigns. Spoofing the MAC hides the real client hardware from VPN logs that record client identifiers, but because the connecting client reports that value itself it can never be trusted as an identifier in the first place; a fixed placeholder like this one is, however, a strong pivot for hunting across GlobalProtect logs.

MITRE ATT&CK (the industry-standard taxonomy for describing attacker behavior — each technique is assigned a T-number for cross-vendor tracking) identifiers relevant to the observed attacks include:

  • T1133 — External Remote Services: initial access by establishing a VPN session through the GlobalProtect portal or gateway
  • T1078.001 — Valid Accounts (Default Accounts): once the forged cookie is accepted, the attacker's session is logged as a valid account and inherits whatever access that identity holds, including administrative access if an admin identity was forged
  • T1110.001 — Brute Force (Password Guessing): authentication probes used to test forged cookies and identify session parameters the portal accepts

On May 29, 2026, CISA added CVE-2026-0257 to its KEV (Known Exploited Vulnerabilities) catalog, a list of vulnerabilities for which CISA has evidence of active exploitation, not merely theoretical risk. KEV inclusion triggers Binding Operational Directive 22-01 (BOD 22-01), which mandates that all U.S. federal civilian executive branch (FCEB) agencies remediate by June 19, 2026.

Rapid7 also published a PoC (Proof-of-Concept — a working test script demonstrating the vulnerability is present) to help defenders verify whether specific appliances are exposed. The script is designed for authenticated defensive scanning, not live exploitation, and is appropriate for use by security teams assessing their own environments.

// 03 Who Is Affected

Any organization running Palo Alto Networks firewalls with GlobalProtect enabled, authentication override cookies active, and the override certificate shared with the HTTPS service is at risk. This configuration is not unusual — authentication override cookies are a documented convenience feature recommended for seamless re-authentication in enterprise VPN deployments, and many administrators enable them without creating a dedicated certificate as required for secure operation.

The affected PAN-OS version range covers PAN-OS 10.2 through 12.1 — a wide span of Palo Alto's enterprise installed base. GlobalProtect is among the most widely deployed enterprise VPN solutions globally, with heavy adoption in financial services, healthcare, government, and critical infrastructure. While a precise count of exposed internet-facing instances was not publicly confirmed via Shodan census at time of writing, the market footprint across Fortune 500 companies and government networks makes the aggregate exposure surface significant.

The most alarming real-world data point: an incident response firm reported a case where attackers, after gaining VPN access through this flaw, pivoted to an internal domain controller and encrypted 500 servers in under 90 minutes. This underscores why VPN authentication bypasses are disproportionately dangerous compared to vulnerabilities in web applications — a VPN entry point grants network-layer access that internal security controls and segmentation are often not designed to fully contain, because VPN traffic is typically trusted as if it were physically on the corporate network.

// 04 What You Should Do Right Now

  • Identify your PAN-OS version immediately. From the firewall CLI run:

```bash
show system info | match sw-version
```

    (PAN-OS filters CLI output with "match", not "grep".) In Panorama, the managed-devices view lists the software version of every firewall it manages. Compare the output against the affected version ranges in the official Palo Alto Networks advisory.

  • Patch to a fixed version now. Priority fixed versions: PAN-OS 12.1.7 or 12.1.4-h6, PAN-OS 11.2.12, PAN-OS 11.1.15, PAN-OS 10.2.18-h6. Download patches from the Palo Alto Networks Customer Support Portal. U.S. federal agencies must complete patching by June 19, 2026 under BOD 22-01.
  • Apply the workaround if immediate patching is not possible. In GlobalProtect portal and gateway configuration, take one of these two actions: (a) generate a new certificate used exclusively for authentication override cookies — separate from the HTTPS service certificate — or (b) disable authentication override cookies entirely by unchecking both "Accept Cookie for Authentication Override" and "Generate Cookie for Authentication Override." Apply the workaround to both portal and gateway components; leaving either one unconfigured defeats the mitigation.
  • Hunt for indicators of compromise in authentication logs. Check GlobalProtect VPN logs for connections from known attacker infrastructure: 104.207.144.154, 146.19.216.119, 146.19.216.120, 146.19.216.125. These addresses sit on commodity cloud hosts and will be rotated, so their absence is not evidence that you were not targeted. Flag VPN sessions authenticated via cookie from generic client machine names (particularly "GP-CLIENT" on Linux or "DESKTOP-GP01" on Windows) or sessions with the spoofed MAC address aa:bb:cc:dd:ee:ff, and review cookie-authenticated logins from public IPs the same user has never used for a credential-based login.
  • Run Rapid7's verification script if your organization uses Exposure Command or InsightVM. The authenticated scanner confirms whether your specific configuration is vulnerable before and after remediation, providing documented evidence of patching.
  • Escalate for incident response if suspicious VPN sessions are found. An unauthorized VPN session provides the same network access as a legitimate employee. Given the documented 90-minute server encryption timeline, do not slow-walk IR if anomalous sessions are discovered — engage your incident response plan immediately and assume lateral movement has occurred.
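The hunting step above, together with the infrastructure and MAC-address indicators from section 02, can be turned into a small triage script. This is an added example, not a Rapid7 or Palo Alto tool; the log lines are constructed, and the CSV column names (auth_method, machine_name, public_ip, mac and so on) are a simplified assumption rather than the exact GlobalProtect log schema, so map them onto your own export. Beyond exact-match IOCs it applies one behavioural check that keeps working after the listed attacker IPs rotate: a cookie-authenticated login from a public IP that the same user has never used for a credential-based login.

```python
"""Triage of GlobalProtect authentication logs for CVE-2026-0257 indicators.
Added example with constructed data; not PAN-OS or Rapid7 code."""
import csv
import io
import ipaddress
from typing import Dict, List, Tuple

# Indicators reported in the article (section 02 and the hunting step above).
IOC_NETWORKS = [ipaddress.ip_network(ip) for ip in (
    "104.207.144.154",   # first wave, Vultr
    "146.19.216.119",    # second wave, Dromatics Systems
    "146.19.216.120",
    "146.19.216.125",
)]
IOC_MACHINE_NAMES = {"GP-CLIENT", "DESKTOP-GP01"}
IOC_MAC = "aa:bb:cc:dd:ee:ff"

# Constructed sample export. Column names are a simplified assumption, not PAN-OS's schema.
SAMPLE_LOG = """receive_time,event,auth_method,source_user,machine_name,public_ip,client_os,mac
2026/05/18 01:51:37,portal-auth,Cookie,jsmith,DESKTOP-GP01,104.207.144.154,Windows,aa:bb:cc:dd:ee:ff
2026/05/18 08:12:04,portal-auth,LDAP,jsmith,JSMITH-LT,203.0.113.10,Windows,f0:1e:2a:3b:4c:5d
2026/05/19 18:30:00,gateway-auth,LDAP,mlee,MLEE-MBP,198.51.100.7,Mac,0a:1b:2c:3d:4e:5f
2026/05/21 03:40:11,gateway-auth,Cookie,svc-backup,GP-CLIENT,146.19.216.120,Linux,aa:bb:cc:dd:ee:ff
2026/05/21 09:02:55,gateway-auth,Cookie,mlee,MLEE-MBP,198.51.100.7,Mac,0a:1b:2c:3d:4e:5f
"""

Hit = Tuple[Dict[str, str], List[str]]


def hunt(log_text: str) -> List[Hit]:
    """Return (row, reasons) for every log row that matches at least one indicator."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    # Baseline: (user, public IP) pairs seen in credential-based logins. A forged cookie
    # yields a cookie-authenticated session with no credential login behind it.
    baseline = {(r["source_user"], r["public_ip"])
                for r in rows if r["auth_method"].lower() != "cookie"}
    hits: List[Hit] = []
    for row in rows:
        reasons: List[str] = []
        ip = ipaddress.ip_address(row["public_ip"])
        if any(ip in net for net in IOC_NETWORKS):
            reasons.append(f"public IP {ip} is reported attacker infrastructure")
        if row["machine_name"].upper() in IOC_MACHINE_NAMES:
            reasons.append(f"generic client machine name {row['machine_name']!r}")
        if row["mac"].lower() == IOC_MAC:
            reasons.append("placeholder MAC aa:bb:cc:dd:ee:ff seen in both attack waves")
        if (row["auth_method"].lower() == "cookie"
                and (row["source_user"], row["public_ip"]) not in baseline):
            reasons.append("override-cookie login from an IP this user never used for a credential login")
        if reasons:
            hits.append((row, reasons))
    return hits


if __name__ == "__main__":
    for row, reasons in hunt(SAMPLE_LOG):
        print(f"{row['receive_time']}  user={row['source_user']:<10} ip={row['public_ip']}")
        for reason in reasons:
            print(f"    - {reason}")
```

The attacker IPs are stored as /32 networks so that broader ranges can be added in the same structure if your own telemetry justifies it; in the constructed sample, mlee's cookie login is not flagged because the same user had a credential-based login from that IP, while jsmith's and svc-backup's are flagged on every check.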

// 05 Background: Understanding the Risk

Authentication bypass vulnerabilities in VPN gateways occupy a distinct threat tier above other network vulnerabilities. A web application flaw might let an attacker read data they shouldn't see. A VPN authentication bypass hands them the keys to the network itself — layer-3 access equivalent to plugging a physical device into the corporate LAN. Once inside the VPN tunnel, an attacker operates with the same network privileges as a legitimate remote employee, able to reach Active Directory, internal file shares, backup infrastructure, databases, and anything else the VPN network permits. Internal east-west security controls are routinely less mature than perimeter defenses, because network designers assume traffic inside the VPN perimeter is trusted.

Palo Alto Networks GlobalProtect has been a persistent target for sophisticated threat actors precisely because of this trust position. CVE-2024-3400, a critical command injection vulnerability in GlobalProtect disclosed in April 2024, was exploited as a zero-day before patches were available by a group that Volexity, which discovered the attacks, tracked as UTA0218. CVE-2025-0108, a PAN-OS management interface authentication bypass disclosed in early 2025, was actively exploited within days of public disclosure across multiple industries. The pattern is now well established: a PAN-OS advisory drops, a PoC surfaces within days, and mass exploitation follows shortly after. Organizations that wait for "comfortable" patch windows are consistently caught in the exploitation wave.

The root cause of CVE-2026-0257, certificate reuse enabling cookie forgery, reflects a recurring design tension in enterprise software: convenience features added to reduce user friction introduce critical weaknesses when the underlying cryptographic design is not reviewed against an adversary. Authentication override cookies exist to let users reconnect without re-entering credentials after a brief session expiry, improving UX in large organizations. The security model assumed that the key needed to produce a cookie would stay secret, but by using the same certificate for both HTTPS (where the public key is sent to every client) and cookie encryption, the key material needed to forge cookies became effectively public. The absence of signature verification in gpsvc compounded this. Public-key encryption only guarantees that nobody but the private-key holder can read the cookie; it says nothing about who produced it. Without a signature or MAC bound to a secret that only the appliance holds, any ciphertext that decrypts cleanly is accepted, and the attacker never has to defeat any proof of authorship.

For organizations that cannot immediately patch, the dedicated-certificate workaround is effective if implemented correctly. The critical requirement is using a certificate that is genuinely not exposed through any other service, and specifically not the GlobalProtect HTTPS portal certificate, which every connecting client can retrieve. Verify this rather than assuming it: compare the SHA-256 fingerprint of the certificate that the portal and each gateway present on TCP/443 against the fingerprint of the certificate selected for authentication override on each of them. They must differ, and the override certificate must not appear in the certificate chain of any other reachable HTTPS endpoint either; a certificate that is served in any TLS handshake is extractable, and the workaround then provides no protection.

// 06 Conclusion

CVE-2026-0257 is a high-severity authentication bypass in Palo Alto Networks PAN-OS GlobalProtect that is confirmed exploited, CISA KEV-listed, and linked to at least one ransomware incident that encrypted 500 servers in under 90 minutes. Organizations running affected PAN-OS versions with authentication override cookies enabled should patch to the fixed versions immediately — or apply the certificate-based workaround — and hunt for signs of prior compromise. The documented exploitation timeline shows attacks began within four days of the advisory; waiting for a scheduled maintenance window is not appropriate for an actively weaponized, internet-facing VPN flaw.

For any query contact us at contact@cipherssecurity.com

    Team Ciphers Security

    The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.
