Rapid7: Attackers exploit authentication bypass flaw in the wild, meaning more emergency patching for PAN-OS users
Analysis Summary
# Vulnerability: PAN-OS GlobalProtect Authentication Bypass
## CVE Details
- **CVE ID:** CVE-2026-0257
- **CVSS Score:** Revised to High/Critical (Initially reported as Medium)
- **CWE:** CWE-287 (Improper Authentication) / CWE-565 (Reliance on Cookies without Validation/Integrity Check)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS software.
- **Versions:** Deployments utilizing the GlobalProtect gateway. (Specific version numbers should be verified via the official Palo Alto Networks security portal hxxps://security[.]paloaltonetworks[.]com).
- **Configurations:** Systems using **GlobalProtect authentication override cookies**, particularly where the same certificate is used for both HTTPS services and authentication override cookies.
## Vulnerability Description
The flaw lies in how PAN-OS validates GlobalProtect authentication override cookies. In specific configurations the system fails to properly verify the integrity or origin of the cookie, which allows attackers to generate their own forged cookies. If the firewall is configured to use the same certificate for HTTPS services and for signing override cookies, an attacker can obtain the information needed to craft a cookie that the system trusts as a legitimate, pre-authenticated session.
## Exploitation
- **Status:** **Exploited in the wild.** Rapid7 confirmed successful exploitation in multiple customer environments starting around May 17.
- **Complexity:** Medium (Requires specific configuration knowledge and certificate information).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Unauthorized access to internal corporate networks).
- **Integrity:** High (Potential to bypass security controls and establish unauthorized sessions).
- **Availability:** Low (Primary impact is unauthorized access rather than service disruption).
## Remediation
### Patches
- Palo Alto Networks has released updated versions of PAN-OS for all supported releases. Users are advised to upgrade to the latest maintenance release for their specific branch (e.g., 10.1.x, 10.2.x, 11.0.x, 11.1.x).
### Workarounds
- Ensure that different certificates are used for the SSL/TLS service and the Authentication Override feature.
- Disable the "Authentication Override" feature in GlobalProtect portal/gateway settings if patching cannot be performed immediately.
## Detection
- **Indicators of Compromise:** Monitor for unusual VPN sessions established without corresponding authentication logs or logs showing session reuse from unexpected geographic locations.
- **Detection methods and tools:**
  - Review PAN-OS system/traffic logs for sessions authenticated via "Override Cookie."
  - Check for multiple IP addresses associated with a single username in a short timeframe.
- CISA has added this to the Known Exploited Vulnerabilities (KEV) catalog.
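The two log checks above, implemented as an added example (not code from Rapid7 or Palo Alto Networks): it parses a constructed, simplified CSV that only stands in for the real GlobalProtect log format (the `FIELDS` layout, the "Override Cookie" method string and the 10-minute/24-hour windows are assumptions to adapt), then flags users whose override-cookie logins came from several source IPs in a short span, and cookie logins with no earlier non-cookie authentication to explain them.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO
# Constructed sample lines in a simplified CSV layout (an assumption made for this
# example, not the real PAN-OS GlobalProtect log format; adapt FIELDS to yours).
FIELDS = ["timestamp", "username", "source_ip", "auth_method", "event"]
SAMPLE_LOG = """\
2026-05-17T08:00:00,alice,203.0.113.10,Override Cookie,gateway-login
2026-05-17T08:01:30,alice,198.51.100.7,Override Cookie,gateway-login
2026-05-17T08:02:10,alice,192.0.2.44,Override Cookie,gateway-login
2026-05-17T09:00:00,bob,203.0.113.20,LDAP,gateway-login
2026-05-17T09:05:00,bob,203.0.113.20,Override Cookie,gateway-login
2026-05-17T12:00:00,carol,198.51.100.9,Override Cookie,gateway-login
"""

def parse_log(text):
    """Parse CSV lines into dicts with datetime timestamps, sorted by time."""
    rows = list(csv.DictReader(StringIO(text), fieldnames=FIELDS))
    for r in rows:
        r["timestamp"] = datetime.fromisoformat(r["timestamp"])
    return sorted(rows, key=lambda r: r["timestamp"])

def cookie_logins(rows):
    return [r for r in rows
            if r["event"] == "gateway-login" and r["auth_method"] == "Override Cookie"]

def users_with_many_ips(rows, window=timedelta(minutes=10), min_ips=2):
    """Users whose cookie logins came from >= min_ips source IPs within `window`."""
    by_user = defaultdict(list)
    for r in cookie_logins(rows):
        by_user[r["username"]].append(r)
    flagged = {}
    for user, events in by_user.items():
        for i, first in enumerate(events):
            ips = {e["source_ip"] for e in events[i:]
                   if e["timestamp"] - first["timestamp"] <= window}
            if len(ips) >= min_ips:
                flagged[user] = sorted(ips)
                break
    return flagged

def cookie_logins_without_prior_auth(rows, lookback=timedelta(hours=24)):
    """Cookie logins with no earlier non-cookie auth for that user within `lookback`."""
    suspicious = []
    for r in cookie_logins(rows):
        prior = [p for p in rows if p["username"] == r["username"]
                 and p["auth_method"] != "Override Cookie"
                 and r["timestamp"] - lookback <= p["timestamp"] < r["timestamp"]]
        if not prior:
            suspicious.append((r["username"], r["source_ip"], r["timestamp"].isoformat()))
    return suspicious
```

On the sample data `alice` is flagged by both checks and `carol` by the second, while `bob`'s cookie login is preceded by an LDAP login and is not flagged.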
## References
- Palo Alto Networks Security Advisory: hxxps://security[.]paloaltonetworks[.]com/CVE-2026-0257
- Rapid7 Analysis: hxxps://www[.]rapid7[.]com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
- CISA KEV Catalog: hxxps://www[.]cisa[.]gov/known-exploited-vulnerabilities-catalog