CVE-2026-0257 Fuels GlobalProtect Authentication Bypass Attacks

Red | Vulnerability
CVE-2026-0257: PAN-OS GlobalProtect Authentication Bypass | Threat Advisory TA2026149
HiveForce Labs  ·  Threat Advisory  ·  Vulnerability Report


Palo Alto Networks has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability in PAN-OS and Prisma Access affecting the GlobalProtect portal and gateway when the authentication override cookie feature is enabled. Attackers forge trusted authentication cookies — requiring no valid credentials — to gain unauthorized access to internal networks via VPN. Exploitation was observed across multiple MDR customer environments beginning May 17, 2026, with proof-of-concept code publicly available. Patch all affected PAN-OS and Prisma Access versions immediately.

⚠ THREAT LEVEL: RED  ·  ACTIVELY EXPLOITED IN THE WILD (May 17 & May 21, 2026)  ·  ZERO-DAY: NO  ·  CISA KEV: YES  ·  PATCH AVAILABLE: YES (all branches)  ·  PUBLIC PoC EXISTS  ·  NO CREDENTIALS REQUIRED FOR EXPLOITATION
CVE-2026-0257  ·  Authentication bypass via cookie forgery  ·  CWE-565 (cookie accepted without HMAC / integrity check)  ·  Affected: PAN-OS 10.2 / 11.1 / 11.2 / 12.1, Prisma Access 10.2 / 11.2  ·  First Seen: May 13, 2026  ·  Published: June 02, 2026
CVE ID: CVE-2026-0257
TA Number: TA2026149
Threat Level: Red
CISA KEV: Yes
CWE: CWE-565
Zero-Day: No
Attack Vector: Remote · No Auth
First Seen: May 13, 2026
Admiralty Code: A1
May 13, 2026 (First Seen): CVE-2026-0257 first identified affecting the PAN-OS GlobalProtect authentication override cookie feature
May 17, 2026 (Wave 1, Active Exploitation): Attackers used forged cookies to access local administrator accounts from Vultr-hosted infrastructure; spoofed MAC aa:bb:cc:dd:ee
May 21, 2026 (Wave 2, Second Campaign): Second exploitation wave from Dromatics Systems infrastructure; same spoofed MAC pattern observed; 8/10 MDR environments compromised via cookie-only auth

Summary

Palo Alto Networks has confirmed that CVE-2026-0257 — a critical authentication bypass vulnerability affecting PAN-OS GlobalProtect portal and gateway components — is being actively exploited across multiple organizations. The flaw is triggered when the authentication override cookie feature is enabled, a non-default configuration requiring manual activation. When deployed incorrectly, this feature allows attackers to forge encrypted authentication cookies that PAN-OS accepts as legitimate, granting full VPN access without requiring valid user credentials.

The vulnerability stems from a design flaw classified under CWE-565 (Reliance on Cookies without Validation and Integrity Checking): the GlobalProtect appliance decrypts submitted authentication override cookies and trusts the resulting content without performing any digital signature verification or integrity check. When administrators reuse the HTTPS service certificate for cookie encryption, its public key is exposed during every TLS handshake, so an attacker can trivially retrieve that key and craft forged cookies that the appliance accepts. A public proof-of-concept exploit has been demonstrated.

Active exploitation was confirmed in two distinct waves beginning May 17, 2026, with attackers successfully authenticating to local administrator accounts across MDR customer environments using forged cookies. Both campaigns shared the spoofed MAC address aa:bb:cc:dd:ee, indicating a common operational playbook. In 8 of 10 affected environments, authentication succeeded without even establishing a complete VPN session; in the remaining cases, VPN IP addresses were assigned, providing direct internal network access.


CVE Details

CVE ID: CVE-2026-0257
Vulnerability Name: Palo Alto Networks PAN-OS Authentication Bypass Vulnerability
Affected Products: Palo Alto Networks PAN-OS / Prisma Access (GlobalProtect with auth override cookies enabled)
Affected CPE: cpe:2.3:o:paloaltonetworks:panos:*:*:*:*:*:*:*:*
CWE ID: CWE-565
Zero-Day: No
CISA KEV: Yes
Patch: Yes

Vulnerability Details

The four stages below document the complete technical anatomy of CVE-2026-0257 — from the authentication override cookie design flaw through the public certificate exploitation path and the confirmed active exploitation campaigns observed across MDR environments.

#1 Authentication Override Cookie Feature — Bearer Token Abuse in GlobalProtect
CVE-2026-0257 is a critical authentication bypass affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS and Prisma Access. The flaw activates only when the authentication override cookie feature is enabled — a non-default setting requiring manual configuration. This feature allows authenticated users to receive encrypted cookies reusable in place of credentials, effectively functioning as bearer tokens. When deployed incorrectly, this convenience feature creates a serious, remotely exploitable attack surface.
#2 Root Cause — No Integrity Check After Cookie Decryption (CWE-565)
The vulnerability stems from how GlobalProtect processes authentication override cookies. When a request containing a portal-userauthcookie or portal-prelogonuserauthcookie value is submitted to the /ssl-vpn/login.esp endpoint, the appliance decrypts the supplied cookie and automatically trusts the resulting content. Critically, after decryption the cookie's authenticity is never verified through a digital signature or integrity check — classified as CWE-565. This design flaw allows any attacker with access to the public encryption key to generate a forged cookie that the appliance accepts as legitimate.
#3 Exploitation Path — Public TLS Certificate Key Retrieval Enables Cookie Forgery
Exploitation becomes particularly straightforward when administrators configure the appliance to reuse the same HTTPS service certificate for authentication override cookie encryption and decryption. Because the certificate's public key is exposed during the normal TLS handshake process, an attacker can easily retrieve it from the appliance. Using this public key, a malicious actor can craft forged authentication cookies and submit them to the GlobalProtect portal or gateway. If the correct key is used, the appliance accepts the forged cookie, grants authentication without valid credentials, and in some deployments assigns a VPN IP address providing direct access to internal network resources. This attack path has been publicly demonstrated via a proof-of-concept exploit.
#4 Active Exploitation — Two Attack Waves, Spoofed MAC aa:bb:cc:dd:ee, 8/10 MDR Environments Compromised
Active exploitation was confirmed on May 17, 2026 when attackers used forged authentication cookies to access local administrator accounts from Vultr-hosted infrastructure. A second exploitation wave followed on May 21, 2026 from Dromatics Systems infrastructure. Investigators observed that both campaigns used the spoofed MAC address aa:bb:cc:dd:ee, indicating a shared operational pattern. In 8 out of 10 affected MDR customer environments, attackers successfully authenticated using forged cookies without establishing a complete VPN session. The remaining 2 incidents resulted in VPN IP address assignments, providing direct internal network access. No confirmed lateral movement beyond VPN appliances was observed, though the active weaponization of this flaw presents serious risk to exposed GlobalProtect deployments.
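The integrity gap described in stages #2 and #3 (decrypt, then trust) and the check that closes it, as an added illustration that is not PAN-OS code and does not reproduce the appliance's cookie format: a token accepted on decoding alone, beside one whose claims are bound to a server-only secret with an HMAC and verified before any claim is read. The claim names, the cookie layout, the helper names and the SERVER_SECRET value are assumptions; the cipher is left out deliberately, because with a public encryption key decryption says nothing about who produced the cookie, and authenticity is the property that was missing.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed illustration of the CWE-565 pattern (decode, then trust) and its fix.
# Not PAN-OS code: claim names, cookie layout and SERVER_SECRET are assumptions.
# The secret is server-only and is never derived from the HTTPS certificate.
SERVER_SECRET = b"constructed-server-only-secret"


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def encode_body(claims: dict) -> str:
    """Canonical encoding of the claims; anyone who knows the format can produce this."""
    return _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())


def accept_without_integrity(cookie: str) -> Optional[dict]:
    """Vulnerable pattern: decode the body and trust every claim in it.

    The real appliance decrypted first, but because the encryption key was public
    that step proved nothing about the cookie's origin, so it is omitted here.
    """
    try:
        claims = json.loads(_b64d(cookie))
    except ValueError:          # covers bad base64, bad UTF-8 and bad JSON
        return None
    return claims if claims.get("exp", 0) > time.time() else None


def mint_cookie(user: str, ttl_s: int = 3600, secret: bytes = SERVER_SECRET) -> str:
    """Hardened form: bind the claims to a secret only the appliance holds."""
    body = encode_body({"user": user, "exp": int(time.time()) + ttl_s})
    tag = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def accept_with_integrity(cookie: str, secret: bytes = SERVER_SECRET) -> Optional[dict]:
    """Verify the tag over the exact encoded body before reading any claim."""
    body, sep, tag = cookie.partition(".")
    if not sep:
        return None
    try:
        presented = _b64d(tag)
    except ValueError:
        return None
    expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, presented):   # constant-time, length-safe
        return None
    claims = json.loads(_b64d(body))
    return claims if claims.get("exp", 0) > time.time() else None


if __name__ == "__main__":
    legit = mint_cookie("alice")
    print("legit :", accept_with_integrity(legit))
    # Same layout, assembled by someone who knows the format but not the secret
    unsigned = encode_body({"user": "admin", "exp": 2 ** 40})
    print("weak  :", accept_without_integrity(unsigned))   # accepted: the CWE-565 behaviour
    print("strong:", accept_with_integrity(unsigned))      # None
```

The vendor's Option A workaround (a certificate used for nothing but the cookies) restores the assumption that the cipher key is private; the HMAC form above does not depend on that assumption at all, which is why an integrity check is the structural fix rather than key hygiene.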

Affected & Fixed Versions

Palo Alto Networks has released patched builds across all affected PAN-OS branches. Apply the appropriate fixed version for your deployment immediately.

Product Branch | Fixed Versions (upgrade to one of the following)
PAN-OS 10.2 | 10.2.7-h34  ·  10.2.10-h36  ·  10.2.13-h21  ·  10.2.16-h7  ·  10.2.18-h6
PAN-OS 11.1 | 11.1.4-h33  ·  11.1.6-h32  ·  11.1.7-h6  ·  11.1.10-h25  ·  11.1.13-h5  ·  11.1.15
PAN-OS 11.2 | 11.2.4-h17  ·  11.2.7-h14  ·  11.2.10-h7  ·  11.2.12
PAN-OS 12.1 | 12.1.4-h6  ·  12.1.7
Prisma Access 10.2 | 10.2.10-h36 (Prisma Access customers are being actively upgraded per schedule)
Prisma Access 11.2 | 11.2.7-h13 (Prisma Access customers are being actively upgraded per schedule)
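A checker for the table above, added here as example code (not a Palo Alto Networks tool): it parses PAN-OS-style version strings of the form major.minor.maintenance-hN and reports whether an installed build is at or beyond a listed fix in its maintenance train, plus the lowest listed fix it could move to. The fixed versions are copied from the table; FIXED_VERSIONS, patch_status and recommended_upgrade are names chosen for this example. Maintenance releases the table does not list, and branches it does not cover, are reported as unknown rather than guessed.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]   # (major, minor, maintenance, hotfix); hotfix 0 when absent

# Fixed versions exactly as listed in this advisory's table.
FIXED_VERSIONS = {
    "PAN-OS": [
        "10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6",
        "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15",
        "11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12",
        "12.1.4-h6", "12.1.7",
    ],
    "Prisma Access": ["10.2.10-h36", "11.2.7-h13"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Version:
    """'11.1.4-h33' -> (11, 1, 4, 33); '11.1.15' -> (11, 1, 15, 0)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS style version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def format_version(v: Version) -> str:
    base = f"{v[0]}.{v[1]}.{v[2]}"
    return f"{base}-h{v[3]}" if v[3] else base


def patch_status(product: str, installed: str) -> str:
    """'patched', 'vulnerable' or 'unknown' for an installed build.

    A listed fix X.Y.Z-hN covers maintenance train X.Y.Z at hotfix N or later.
    A train with no listed fix is 'vulnerable' when the table has a fix in that
    branch, and 'unknown' when the train is newer than every listed fix or the
    branch is absent from the table (confirm with the vendor in either case).
    """
    inst = parse_version(installed)
    branch_fixes = [f for f in map(parse_version, FIXED_VERSIONS[product]) if f[:2] == inst[:2]]
    if not branch_fixes:
        return "unknown"
    same_train = [f for f in branch_fixes if f[:3] == inst[:3]]
    if same_train:
        return "patched" if inst[3] >= same_train[0][3] else "vulnerable"
    return "unknown" if inst[:3] > max(branch_fixes)[:3] else "vulnerable"


def recommended_upgrade(product: str, installed: str) -> Optional[str]:
    """Lowest listed fix in the same branch whose train is at or above the installed one."""
    inst = parse_version(installed)
    candidates = sorted(f for f in map(parse_version, FIXED_VERSIONS[product])
                        if f[:2] == inst[:2] and f[:3] >= inst[:3])
    return format_version(candidates[0]) if candidates else None


if __name__ == "__main__":
    for product, build in [("PAN-OS", "10.2.8"), ("PAN-OS", "11.1.15-h2"),
                           ("PAN-OS", "12.1.8"), ("Prisma Access", "11.2.7-h13")]:
        print(f"{product} {build}: {patch_status(product, build)}, "
              f"upgrade to {recommended_upgrade(product, build)}")
```

Feed it the version string from your appliance's system information; a result of unknown for a build newer than every listed hotfix is a prompt to check the vendor advisory, not a clean bill of health.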

Recommendations

The following mitigations must be applied immediately to all PAN-OS and Prisma Access deployments with GlobalProtect authentication override cookies enabled. Patching is the only complete remediation for CVE-2026-0257; all other measures reduce exploitability in the interim only.

01 Apply Vendor Patches Immediately — One-Time Re-Authentication Required Post-Upgrade
Palo Alto Networks has released patched versions across all affected PAN-OS branches. Upgrade immediately to the appropriate fixed version for your branch (see the Affected & Fixed Versions table above). Prisma Access customers on versions 10.2 and 11.2 are being actively upgraded per schedule. Note: following the upgrade, GlobalProtect users will be required to re-authenticate once as a one-time consequence of the cookie regeneration logic introduced in the fix.
02 Apply Immediate Workarounds if Patching Cannot Be Done Immediately
Two vendor-recommended interim mitigations are available. Option A: generate a new certificate dedicated exclusively to authentication override cookie encryption and decryption, ensuring it is not shared with the portal or gateway HTTPS service or any other feature — this prevents attackers from retrieving the encryption key via the TLS handshake. Option B (more decisive): disable the authentication override feature entirely by unchecking the "Generate cookie for authentication override" and "Accept cookie for authentication override" options in both the GlobalProtect portal and gateway configuration. Either workaround substantially reduces exploitability until the patched version is deployed.
03 Audit GlobalProtect Configuration for Authentication Override Cookie Exposure
Administrators must audit GlobalProtect portal and gateway configurations to determine whether authentication override cookies are enabled and whether the relevant certificate is shared with the HTTPS service. On the portal, navigate to Network > GlobalProtect > Portals, select the Agent Configuration profile, and review the Authentication tab for the "Generate cookie for authentication override" and "Accept cookie for authentication override" options. On the gateway, check the Authentication Override tab within the Client Settings profile under the Agent tab. Any environment with both options enabled and the HTTPS certificate shared must be treated as actively at risk.
04 Hunt for Signs of Active Exploitation in Authentication Logs
Review GlobalProtect authentication logs for cookie-based authentications to local administrator accounts, particularly those originating from unfamiliar source IPs or hosting provider ranges (e.g., Vultr, Dromatics Systems). Look for the spoofed MAC address aa:bb:cc:dd:ee in connection records as a strong indicator of campaign activity. Treat any successful cookie authentication event from atypical or external infrastructure as a confirmed compromise indicator requiring immediate incident response activation — do not wait for additional confirmation before escalating.

Indicators of Compromise (IoCs)

The following indicators are associated with active exploitation of CVE-2026-0257 in Palo Alto Networks PAN-OS GlobalProtect environments. Block these at the network perimeter and correlate against authentication logs immediately.

Type | Value
IPv4 | 104[.]207[.]144[.]154
IPv4 | 146[.]19[.]216[.]119
IPv4 | 146[.]19[.]216[.]120
IPv4 | 146[.]19[.]216[.]125
Hostname | GP-CLIENT
Hostname | DESKTOP-GP01
Spoofed MAC | aa:bb:cc:dd:ee (observed in both the May 17 and May 21 exploitation waves; shared operational pattern indicator)
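A hunt over authentication records that applies Recommendation 04 and correlates the IoC table above, added here as example code (not a Palo Alto Networks or HiveForce tool): it flags successful cookie-based authentications to local administrator accounts, treats those from outside known corporate egress as confirmed per the guidance above, matches every record against the advisory's IPs, hostnames and spoofed MAC, and notes when a VPN IP was assigned. The CSV column names, the local-administrator account list, the 203.0.113.0/24 corporate range and the sample records are constructed assumptions; real GlobalProtect logs carry their own field names and need mapping to these nine columns before calling hunt().

```python
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IoCs exactly as listed in this advisory (defanging brackets removed for matching).
IOC_IPS = {"104.207.144.154", "146.19.216.119", "146.19.216.120", "146.19.216.125"}
IOC_HOSTNAMES = {"GP-CLIENT", "DESKTOP-GP01"}
IOC_MAC = "aa:bb:cc:dd:ee"

# Assumptions, not PAN-OS data: which accounts are local administrators and which
# source ranges are your own corporate egress (RFC 5737 documentation space here).
LOCAL_ADMIN_ACCOUNTS = {"admin", "gpadmin"}
KNOWN_GOOD_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed records in an assumed CSV layout. Rows 1, 2 and 4 carry the advisory's
# IoCs; row 5 is a cookie login to a local admin from a corporate range; row 6 failed.
SAMPLE_LOG = """time,event,status,user,auth_method,public_ip,machine_name,client_mac,vpn_ip
2026-05-17T02:14:09Z,portal-auth,success,admin,cookie,104.207.144.154,GP-CLIENT,aa:bb:cc:dd:ee,
2026-05-17T02:15:41Z,gateway-auth,success,admin,cookie,104.207.144.154,GP-CLIENT,aa:bb:cc:dd:ee,10.255.0.17
2026-05-17T08:03:12Z,portal-auth,success,jdoe,saml,203.0.113.25,LAPTOP-JD,3c:52:82:11:22:33,
2026-05-21T23:48:55Z,portal-auth,success,admin,cookie,146.19.216.120,DESKTOP-GP01,aa:bb:cc:dd:ee,
2026-05-21T09:12:00Z,portal-auth,success,admin,cookie,203.0.113.40,OPS-PC-7,00:11:22:33:44:55,
2026-05-21T09:30:00Z,portal-auth,failure,admin,cookie,198.51.100.9,UNKNOWN,de:ad:be:ef:00:01,
"""


@dataclass
class Finding:
    time: str
    user: str
    public_ip: str
    severity: str       # "confirmed": activate IR now; "review": cookie auth to a local admin from own ranges
    reasons: List[str]


def _is_known_good(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in KNOWN_GOOD_RANGES)


def classify(row: dict) -> Optional[Finding]:
    """Apply the advisory's hunt criteria to a single record."""
    reasons = []
    if row["public_ip"] in IOC_IPS:
        reasons.append("ioc-ip")
    if row["machine_name"] in IOC_HOSTNAMES:
        reasons.append("ioc-hostname")
    if row["client_mac"].lower() == IOC_MAC:
        reasons.append("ioc-mac")
    success = row["status"] == "success"
    if success and row["auth_method"] == "cookie" and row["user"] in LOCAL_ADMIN_ACCOUNTS:
        # Successful cookie auth to a local admin: confirmed unless the source is our own egress
        reasons.append("cookie-auth-local-admin" if _is_known_good(row["public_ip"])
                       else "cookie-auth-local-admin-external")
    if not reasons:
        return None
    severity = "review" if reasons == ["cookie-auth-local-admin"] else "confirmed"
    if success and row["vpn_ip"]:
        reasons.append("vpn-ip-assigned")   # the 2/10 pattern: internal network reachable
    return Finding(row["time"], row["user"], row["public_ip"], severity, reasons)


def hunt(log_text: str) -> List[Finding]:
    """Run classify() over every record, preserving log order."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        finding = classify(row)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.severity:9} {f.time} user={f.user} src={f.public_ip} {','.join(f.reasons)}")
```

The failed attempt in the last sample row produces no finding because the advisory's escalation criterion is a successful cookie authentication; extend classify() with an attempt-level severity if you want failed cookie logins from unfamiliar ranges surfaced as well.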

MITRE ATT&CK TTPs

The following MITRE ATT&CK tactics, techniques, and sub-techniques are associated with the active exploitation of CVE-2026-0257 against Palo Alto Networks PAN-OS GlobalProtect deployments.

Tactic | Technique | Sub-technique | Description
Initial Access | T1190 Exploit Public-Facing Application | (none) | Unauthenticated exploitation of the GlobalProtect portal and gateway via forged authentication override cookies submitted to /ssl-vpn/login.esp
Defense Evasion | T1550 Use Alternate Authentication Material | T1550.004 Web Session Cookie | Forged portal-userauthcookie and portal-prelogonuserauthcookie values submitted to bypass credential-based authentication entirely; the appliance accepts them without integrity verification
Lateral Movement | T1021 Remote Services | T1021.005 (VPN) | In incidents where VPN IP addresses were assigned after successful cookie-based authentication, attackers gained direct access to internal network resources via the GlobalProtect VPN infrastructure
Resource Development | T1588 Obtain Capabilities | T1588.006 Vulnerabilities | Attackers weaponized the publicly disclosed CVE-2026-0257 vulnerability and publicly available proof-of-concept exploit code to operationalize cookie forgery attacks across multiple MDR customer environments
