Palo Alto GlobalProtect auth bypass (CVE-2026-0257) added to CISA KEV after weeks of exploitation

PAN-OS portals with authentication-override cookies on a shared certificate let attackers forge a valid session. Rapid7 observed exploitation since May 17. Federal patch deadline June 19.

A GlobalProtect authentication bypass in Palo Alto Networks PAN-OS — CVE-2026-0257, CVSS 7.8 — is being actively exploited to forge VPN session cookies and walk straight into corporate networks. CISA added it to the Known Exploited Vulnerabilities catalog on May 29, with a federal remediation deadline of June 19, 2026. Rapid7 says the earliest activity it observed dates back to May 17.

What's affected

Per the Palo Alto Networks security advisory, the bug lives in PAN-OS firewalls that have a GlobalProtect portal or gateway configured, with the non-default "authentication override" feature enabled, and that share the override-cookie encryption certificate with another service — typically the HTTPS service of the same portal or gateway.

Panorama and Cloud NGFW are not affected. Prisma Access deployments running PAN-OS-based gateways are in scope when the same conditions hold.

The vulnerable configuration is a real-world pattern: many shops enabled authentication override years ago to smooth single-sign-on flows and reused the portal's TLS cert for cookie encryption because it was already there.

The bug

GlobalProtect's authentication-override mechanism issues session cookies to authenticated users — effectively bearer tokens that subsequent requests present in lieu of re-authenticating. The flaw lets a remote, unauthenticated attacker forge those cookies and present them to the portal or gateway as a valid session, granting an unauthorized VPN connection. On gateways that complete the IP-pool assignment, that means direct routed access into the protected network, not just a portal landing page.

The certificate-sharing condition is what makes forgery possible: when the cert used to encrypt override cookies is also reachable as an HTTPS server cert, an attacker can derive what they need to mint a cookie the gateway will trust.

Exploitation status

Rapid7's incident response team reports two distinct waves of in-the-wild abuse, on the following timeline:

  • May 17 — first observed exploitation, with traffic originating from IPs hosted at Vultr.
  • May 18 — suspicious cookie-based authentications against local admin accounts across multiple Rapid7 customer environments.
  • May 21 — a second wave from infrastructure at the hosting provider Dromatics Systems, in which some victims received full VPN-pool IP assignments after the cookie was accepted.

CISA's KEV listing on May 29 makes the federal-agency clock concrete: patch or mitigate by June 19, 2026 under Binding Operational Directive 22-01. Private-sector operators should treat that deadline as the floor, not the ceiling.

Action checklist

  1. Patch. Apply the fixed PAN-OS release for your branch as listed in the vendor advisory at security.paloaltonetworks.com/CVE-2026-0257. Do not infer version numbers from third-party writeups — pull them directly from the advisory matrix.
  2. If you can't patch in the window, mitigate. Either disable the authentication-override feature in the GlobalProtect portal/gateway configuration, or generate a dedicated certificate used exclusively for override-cookie encryption and stop sharing the HTTPS-service cert with that role. Either change closes the forgery path.
  3. Hunt for the two known exploitation patterns. Look in your GlobalProtect logs for cookie-authenticated sessions to local admin accounts that did not come from a prior interactive authentication. Compare source IPs against Vultr and Dromatics Systems ranges for the May 17–21 window.
  4. Assume compromise where IP-pool assignments completed. A successful cookie forge that resulted in a VPN IP grant means routed access into your network — treat the affected firewall and any internal hosts the attacker could reach as compromised until proven otherwise. Rotate VPN secrets, sweep for lateral-movement artifacts, force re-authentication.
  5. Inventory shared-certificate configurations across your fleet. Even if you patch, the override-cookie + shared-cert pattern is a fragile design choice. Audit and split certs by role.
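One way to script the hunt in step 3, with the escalation rule from step 4, against an exported GlobalProtect log. This is an added example, not code from the article or from Palo Alto Networks: the log lines and field names are constructed in a simplified key=value shape (not the real PAN-OS log format), and the watchlist CIDR is a TEST-NET placeholder rather than the provider ranges named above.

```python
# Hunt for forged-cookie GlobalProtect logins (checklist step 3, escalation per step 4).
# The log lines and field names below are CONSTRUCTED for illustration, not the real
# PAN-OS log format; map your own GlobalProtect log export onto the same fields.
from datetime import datetime, timedelta
import ipaddress

SAMPLE_LOG = """\
2026-05-17T09:00:12Z user=ops-admin auth=interactive src=198.51.100.7 local_admin=yes pool=10.40.0.21
2026-05-17T09:45:03Z user=ops-admin auth=cookie src=198.51.100.7 local_admin=yes pool=10.40.0.21
2026-05-18T02:13:40Z user=admin auth=cookie src=203.0.113.55 local_admin=yes pool=
2026-05-21T22:07:09Z user=admin auth=cookie src=203.0.113.56 local_admin=yes pool=10.40.0.77
"""

# Placeholder watchlist (TEST-NET-3); substitute the provider ranges you are checking.
WATCHLIST = [ipaddress.ip_network("203.0.113.0/24")]

def parse(log):
    """Yield one dict per line: ts (aware datetime) plus the key=value fields."""
    for line in log.splitlines():
        ts, *fields = line.split()
        rec = dict(f.split("=", 1) for f in fields)
        rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        yield rec

def find_suspicious(log, lookback=timedelta(hours=12)):
    """Cookie logins to local admin accounts with no interactive auth for that user
    inside `lookback` (the window in which a legitimately issued cookie is still in
    use). Assumes chronological input. A completed pool assignment escalates severity."""
    last_interactive, findings = {}, []
    for rec in parse(log):
        if rec["auth"] == "interactive":
            last_interactive[rec["user"]] = rec["ts"]
            continue
        if rec["auth"] != "cookie" or rec["local_admin"] != "yes":
            continue
        prior = last_interactive.get(rec["user"])
        if prior is not None and rec["ts"] - prior <= lookback:
            continue  # cookie traceable to a real login: expected behaviour
        src = ipaddress.ip_address(rec["src"])
        findings.append({
            "ts": rec["ts"].isoformat(), "user": rec["user"], "src": rec["src"],
            "on_watchlist": any(src in net for net in WATCHLIST),
            "severity": "compromise-assumed" if rec["pool"] else "suspicious",
        })
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```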

Context

This is the third year in a row that a GlobalProtect-side flaw has landed in the KEV inside its first month of disclosure. The pattern — perimeter VPN appliance, cookie or token forgery, no prior auth needed — has produced the most consequential intrusions of the past 24 months across the perimeter-device category. Treat any internet-exposed VPN concentrator as a tier-zero asset and keep the patch path rehearsed; the next one is usually six weeks away.