Full Report
Palo Alto Networks is warning that hackers are now exploiting a PAN-OS GlobalProtect authentication bypass flaw, tracked as CVE-2026-0257, in attacks attempting to breach corporate networks. [...]
Analysis Summary
# Vulnerability: PAN-OS GlobalProtect Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-0257
- **CVSS Severity:** High (upgraded from Medium due to active exploitation)
- **CWE:** Improper Validation of Certificate Expiration or Trust (related to cookie signature validation gap)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS software.
- **Versions:** Affected versions include those released prior to the May 2026 security updates.
- **Configurations:**
  - GlobalProtect portal and gateway must have **authentication override cookies** enabled.
  - Devices must be configured to use the same certificate for both HTTPS services and authentication override cookies.
## Vulnerability Description
The flaw exists in how PAN-OS validates authentication override cookies. The GlobalProtect device decrypts these cookies using a configured private key but fails to perform subsequent signature verification on the decrypted contents. Because the public key for the certificate is exposed via the HTTPS session (when the same certificate is reused), an attacker can obtain the public key and use it to craft a forged authentication override cookie. The device then trusts the contents of this forged cookie, allowing the attacker to impersonate arbitrary users, including administrators.
## Exploitation
- **Status:** Exploited in the wild (Added to CISA KEV on May 29, 2026).
- **Complexity:** Medium (Requires specific certificate configuration and forging of cookies).
- **Attack Vector:** Network.
- **PoC Available:** Yes (Developed by Rapid7 researchers).
## Impact
- **Confidentiality:** High (Unauthorized access to internal networks via VPN).
- **Integrity:** High (Potential for unauthorized VPN connections and session establishment).
- **Availability:** Low (Primary impact is unauthorized access rather than service disruption).
## Remediation
### Patches
- Organizations should install the latest PAN-OS security updates provided by Palo Alto Networks immediately. Users should refer to the official vendor advisory for the specific patched version numbers corresponding to their software branch.
### Workarounds
- **Disable Feature:** Turn off the "Authentication Override" feature in GlobalProtect settings.
- **Certificate Separation:** If the feature must remain enabled, use a unique certificate for authentication override cookies that is not shared with any other services (such as the HTTPS portal).
## Detection
- **Indicators of Compromise:**
  - Log entries showing successful VPN authentication via cookies for the local administrator account or other unexpected users.
  - Unusual authentication traffic originating from infrastructure associated with Vultr or Dromatics Systems (observed in May 2026).
- **Detection Methods:**
  - Review GlobalProtect logs for high volumes of authentication override cookie usage.
  - Monitor for successful authentications that do not align with standard user behavior or MFA patterns.
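As an added illustration of the detection methods above (example code, not part of the original report and not from Palo Alto Networks), the following Python triages a constructed, simplified GlobalProtect-style authentication log for the three signals listed: cookie-based success for a privileged account, cookie-based success from the infrastructure named in the report, and a burst of cookie authentications from one source. The CSV field names, the `src_org` enrichment column (assumed to come from an external IP-to-organization lookup) and the burst threshold are assumptions, not the real PAN-OS log schema.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample log in a simplified, hypothetical CSV shape.
# These field names are NOT the real PAN-OS GlobalProtect log schema.
SAMPLE_LOG = """timestamp,src_ip,user,auth_method,status,src_org
2026-05-28T08:01:10Z,203.0.113.10,alice,saml,success,Contoso ISP
2026-05-28T08:02:30Z,203.0.113.11,bob,cookie,success,Contoso ISP
2026-05-28T08:05:00Z,198.51.100.7,admin,cookie,success,Vultr
2026-05-28T08:05:04Z,198.51.100.7,carol,cookie,success,Vultr
2026-05-28T08:05:08Z,198.51.100.7,dave,cookie,success,Vultr
2026-05-28T08:05:12Z,198.51.100.7,erin,cookie,success,Vultr
2026-05-28T09:10:00Z,203.0.113.12,frank,cookie,failure,Contoso ISP
"""

PRIVILEGED_USERS = {"admin"}                    # local administrator account
WATCHED_ORGS = {"vultr", "dromatics systems"}   # infrastructure named in the report
COOKIE_BURST_THRESHOLD = 3                      # assumed tuning value, not vendor guidance


def analyze(log_text):
    """Return (finding_type, src_ip, detail) tuples for suspicious cookie logins."""
    findings = []
    cookie_success_per_src = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        # Only successful authentication-override-cookie logins are of interest;
        # failures and other auth methods (SAML, LDAP, ...) are skipped.
        if row["auth_method"] != "cookie" or row["status"] != "success":
            continue
        cookie_success_per_src[row["src_ip"]] += 1
        if row["user"] in PRIVILEGED_USERS:
            findings.append(("privileged_cookie_auth", row["src_ip"], row["user"]))
        if row["src_org"].lower() in WATCHED_ORGS:
            findings.append(("watched_infrastructure", row["src_ip"], row["user"]))
    # Many cookie logins from one source in a short window is the "high volume"
    # signal; the sample window here is the whole log for simplicity.
    for src_ip, count in cookie_success_per_src.items():
        if count >= COOKIE_BURST_THRESHOLD:
            findings.append(("cookie_auth_burst", src_ip, count))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In a real deployment the same logic would run over exported GlobalProtect system or authentication logs with the field mapping adjusted to the actual schema, and the burst check bounded to a time window.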
## References
- **Palo Alto Networks Advisory:** hxxps[://]security[.]paloaltonetworks[.]com/CVE-2026-0257
- **NVD Detail:** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2026-0257
- **Rapid7 Analysis:** hxxps[://]www[.]rapid7[.]com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
- **CISA KEV Catalog:** hxxps[://]www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog