CVE-2026-0257 Fuels GlobalProtect Authentication Bypass Attacks


Security Advisory · Active Exploitation

PAN-OS GlobalProtect
Authentication Bypass

Attackers can forge authentication cookies to access internal networks without valid credentials. Patches are available. Exploitation has been active since May 17, 2026.

Critical · Actively Exploited · CISA KEV Listed · Patch Available

CVE ID: CVE-2026-0257
First seen: May 13, 2026
Exploitation began: May 17, 2026
CWE: CWE-565
Zero-day: No
Affected: PAN-OS 10.2–12.1 · Prisma Access 10.2, 11.2
01 · Feature is on, but unguarded
GlobalProtect's authentication override feature lets users skip re-entering credentials by issuing encrypted cookies that act as bearer tokens. Off by default — but commonly enabled in production deployments.

02 · Decrypted cookies are trusted blindly
When a cookie arrives at /ssl-vpn/login.esp, the appliance decrypts it — but never verifies a digital signature. Whatever the decrypted payload claims, the server accepts.

03 · The encryption key is exposed publicly
In misconfigured deployments, the same certificate handles both HTTPS and cookie encryption. Its public key is visible during the standard TLS handshake — retrievable by anyone who connects.

04 · Forged cookie grants full access
An attacker retrieves the public key, crafts a fake cookie, and submits it. The appliance accepts it as legitimate — sometimes granting a full VPN IP and access to internal resources. A public proof-of-concept exists.

May 13 · Vulnerability identified
CVE-2026-0257 first observed. Proof-of-concept exploit published publicly.

May 17 · Active exploitation begins
First wave of attacks. Forged cookies used to authenticate as local admin accounts from Vultr-hosted infrastructure. Spoofed MAC aa:bb:cc:dd:ee observed across incidents.

May 21 · Second wave
Second campaign from Dromatics Systems infrastructure. Same spoofed MAC. 8 of 10 affected MDR customers showed cookie-auth only; 2 received full VPN IP assignments. No confirmed lateral movement beyond the VPN layer.

01 · Patch immediately
Apply the hotfix for your branch:
  • PAN-OS 10.2: 10.2.7-h34 · 10.2.10-h36 · 10.2.13-h21 · 10.2.16-h7 · 10.2.18-h6
  • PAN-OS 11.1: 11.1.4-h33 · 11.1.6-h32 · 11.1.7-h6 · 11.1.10-h25 · 11.1.13-h5 · 11.1.15
  • PAN-OS 11.2: 11.2.4-h17 · 11.2.7-h14 · 11.2.10-h7 · 11.2.12
  • PAN-OS 12.1: 12.1.4-h6 · 12.1.7
  • Prisma Access: being upgraded per schedule by Palo Alto Networks

After patching, GlobalProtect users will need to re-authenticate once due to cookie regeneration logic in the fix.

02 · Can't patch yet? Isolate the certificate
Generate a dedicated certificate for cookie encryption/decryption only. Do not share it with the portal or gateway HTTPS service or any other feature. This removes the public-key exposure path.

03 · Or disable the feature entirely
In the GlobalProtect portal and gateway config, uncheck both Generate cookie for authentication override and Accept cookie for authentication override. This removes the attack surface completely.

04 · Audit your configuration
Navigate to Network → GlobalProtect → Portals → Agent Configuration → Authentication tab. Confirm whether cookie generation and acceptance are enabled, and whether the certificate is shared with the HTTPS service. Repeat for gateway settings.

05 · Hunt for signs of compromise
Review GlobalProtect authentication logs for cookie-based logins to local admin accounts from unfamiliar IPs or hosting providers. Any such event is a confirmed compromise indicator requiring immediate incident response. Cross-reference the IoCs below.

IP Addresses
  • 104[.]207[.]144[.]154
  • 146[.]19[.]216[.]119
  • 146[.]19[.]216[.]120
  • 146[.]19[.]216[.]125
Hostnames & MAC
  • GP-CLIENT
  • DESKTOP-GP01
  • Spoofed MAC: aa:bb:cc:dd:ee
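Added example (not from the advisory or from Palo Alto Networks): a small Python triage over constructed GlobalProtect-style authentication records that applies step 05, flagging successful cookie-based logins to local admin accounts from untrusted networks and any hit on the IoC list above. The CSV layout, the LOCAL_ADMINS and TRUSTED_NETS values are assumptions to map onto your own GlobalProtect log export.

```python
# Added example: triage constructed GlobalProtect-style auth records for the
# pattern in step 05 (cookie auth to a local admin from an unfamiliar source)
# and for the advisory's IoCs. The CSV layout is constructed, not PAN-OS's schema.
import csv
import ipaddress
from io import StringIO

# Constructed sample records: time,event,user,auth_method,src_ip,client_host,status
SAMPLE_LOG = """\
2026-05-17T03:12:44Z,login,admin,cookie,104.207.144.154,GP-CLIENT,success
2026-05-17T03:13:01Z,login,jsmith,ldap,203.0.113.20,JSMITH-LAPTOP,success
2026-05-21T11:40:10Z,login,admin,cookie,10.0.5.12,CORP-WS-77,success
2026-05-21T11:41:55Z,login,svc-backup,cookie,146.19.216.120,DESKTOP-GP01,success
2026-05-21T11:42:30Z,login,admin,cookie,198.51.100.9,UNKNOWN-PC,failure
"""

# Indicators listed in the advisory (de-fanged there, plain dotted here).
IOC_IPS = {"104.207.144.154", "146.19.216.119", "146.19.216.120", "146.19.216.125"}
IOC_HOSTS = {"GP-CLIENT", "DESKTOP-GP01"}

# Assumptions: local (non-directory) privileged accounts and networks from which
# cookie re-authentication is expected. Replace with your environment's values.
LOCAL_ADMINS = {"admin", "svc-backup"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text: str) -> list[dict]:
    """Return records matching the advisory's compromise indicators, with reasons."""
    fields = ["time", "event", "user", "auth_method", "src_ip", "client_host", "status"]
    hits = []
    for rec in csv.DictReader(StringIO(log_text), fieldnames=fields):
        reasons = []
        if rec["src_ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        if rec["client_host"] in IOC_HOSTS:
            reasons.append("ioc_host")
        # Core pattern from step 05: successful cookie auth to a local admin
        # from a source outside the trusted networks.
        if (rec["status"] == "success" and rec["auth_method"] == "cookie"
                and rec["user"] in LOCAL_ADMINS and not is_trusted(rec["src_ip"])):
            reasons.append("cookie_admin_untrusted")
        if reasons:
            hits.append({**rec, "reasons": reasons})
    return hits
```

Run `triage(SAMPLE_LOG)` to see the two records that match; the trusted-network admin login and the LDAP login are left alone.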

ATT&CK techniques
  • T1190 · Exploit public-facing application
  • T1550.004 · Web session cookie (alternate authentication material)
  • T1021.005 · VPN lateral movement
  • T1588.006 · Obtain capabilities — vulnerabilities