Author: Rapid7
Published: May 29, 2026 (last updated June 3, 2026)
Source: https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/
Summary
Rapid7 reports active in-the-wild exploitation of CVE-2026-0257, an authentication bypass in the Palo Alto Networks PAN-OS GlobalProtect portal and gateway. The flaw lies in the authentication override feature: override cookies are RSA-encrypted to a certificate's public key and then trusted as soon as they decrypt, with no signature verification, so anyone holding that public key can forge a valid cookie. When the same certificate is also used for HTTPS or another service, its public key is handed to every TLS client, which is what makes the forgery practical. Disclosed on May 13, 2026, the vulnerability was being exploited by May 17, 2026, allowing unauthenticated attackers to establish VPN connections into internal networks. Palo Alto Networks raised the severity from CVSS 4.7 to 7.8 on May 29, 2026.
Technical Details
The GlobalProtect service accepts authentication override cookies via the portal-userauthcookie or portal-prelogonuserauthcookie form parameters in POST requests. According to Rapid7, the decryption routine performs no cryptographic signature verification after decrypting the cookie; the decrypted value is, in their words, “trusted implicitly.” A cookie that decrypts cleanly therefore proves only that it was encrypted to the appliance's public key, not that the appliance issued it. Certificate reuse is what puts that public key in an attacker's hands: when the certificate that decrypts override cookies is also used for HTTPS or other features, its public key is served to every client in the TLS handshake.
The reported attack chain is: (1) retrieve the TLS certificate chain from the target’s HTTPS service; (2) extract the public key from a certificate in that chain; (3) forge an RSA-encrypted authentication override cookie impersonating a valid user; and (4) submit the forged cookie to the GlobalProtect service to authenticate. Rapid7 Labs published a proof-of-concept script demonstrating the technique.
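The chain above, reduced to its cryptographic core, as an added example in Go (standard library only) that is not Rapid7's proof-of-concept and not PAN-OS code: an appliance publishes one RSA certificate, the forger pulls the public key out of that certificate and encrypts a payload to it, and a decrypt-and-trust acceptor takes the result as a valid login. The cookie contents (`user=...`), the `Appliance` type, the self-signed certificate and the HMAC-based hardened acceptor are all assumptions made for illustration; the report does not describe the real cookie format, and the vendor's fix is a dedicated certificate rather than the MAC shown here, which is included only to make the missing-authentication point concrete.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Appliance models a GlobalProtect-style service whose one RSA certificate
// serves both HTTPS and override-cookie decryption (the reuse at issue).
type Appliance struct {
	key    *rsa.PrivateKey
	cert   []byte // DER certificate handed to every TLS client
	macKey []byte // server-only secret, used by the hardened acceptor alone
}

func newAppliance() (*Appliance, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "vpn.example.test"}, // assumed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	macKey := make([]byte, 32)
	if _, err := rand.Read(macKey); err != nil {
		return nil, err
	}
	return &Appliance{key: key, cert: der, macKey: macKey}, nil
}

// CertificateChain is step 1: the DER chain any TLS client receives.
func (a *Appliance) CertificateChain() [][]byte { return [][]byte{a.cert} }

// payloadFor stands in for the cookie's contents; the real PAN-OS layout is
// not described in the report and is not reproduced here.
func payloadFor(user string) []byte { return []byte("user=" + user) }

// forgeCookie is steps 2 and 3: take the leaf's RSA public key and OAEP-encrypt a chosen payload to it; no secret is needed.
func forgeCookie(chain [][]byte, user string) ([]byte, error) {
	cert, err := x509.ParseCertificate(chain[0])
	if err != nil {
		return nil, err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, errors.New("leaf certificate does not carry an RSA key")
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, payloadFor(user), nil)
}

// AcceptVulnerable reproduces the flaw Rapid7 describes: decrypt, then trust whatever came out.
func (a *Appliance) AcceptVulnerable(cookie []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, a.key, cookie, nil)
	if err != nil {
		return "", err
	}
	return string(plain), nil
}

func (a *Appliance) mac(body []byte) []byte {
	m := hmac.New(sha256.New, a.macKey)
	m.Write(body)
	return m.Sum(nil)
}

// IssueHardened appends an HMAC under the appliance-only secret before encrypting.
func (a *Appliance) IssueHardened(user string) ([]byte, error) {
	body := payloadFor(user)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &a.key.PublicKey, append(body, a.mac(body)...), nil)
}

// AcceptHardened also demands a MAC under the appliance-only secret, so the public key alone no longer forges a cookie.
func (a *Appliance) AcceptHardened(cookie []byte) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, a.key, cookie, nil)
	if err != nil {
		return "", err
	}
	if len(plain) < sha256.Size {
		return "", errors.New("cookie too short to carry a MAC")
	}
	body, tag := plain[:len(plain)-sha256.Size], plain[len(plain)-sha256.Size:]
	if !hmac.Equal(tag, a.mac(body)) {
		return "", errors.New("cookie MAC invalid: not issued by this appliance")
	}
	return string(body), nil
}
```

The forged cookie decrypts cleanly because OAEP provides confidentiality, not authenticity; nothing in `AcceptVulnerable` can tell a cookie the appliance issued from one any TLS client produced. A dedicated certificate, as the vendor advises, takes the public key out of the HTTPS handshake but still leaves the scheme resting on that public key staying unknown; a MAC or signature under a server-held secret, as in `AcceptHardened`, removes the dependence on key secrecy altogether.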
CVE: CVE-2026-0257.
Affected: PAN-OS 12.1, 11.2, 11.1, and 10.2, and Prisma Access 11.2.0 and 10.2.0. Specific vulnerable and fixed version ranges are listed in a compatibility table within the vendor advisory; this summary does not reproduce those exact ranges.
Impact
An unauthenticated remote attacker can forge a valid authentication-override cookie and establish a VPN connection to the internal network behind an affected appliance, effectively bypassing GlobalProtect authentication. Because the affected devices are edge-facing VPN appliances, Rapid7 characterizes the issue as critical despite the vendor’s high (7.8) rating.
Observed exploitation, per Rapid7’s telemetry: earliest activity on May 17, 2026, with a first wave on May 18 (traffic attributed to Vultr hosting) and a second wave on May 21 (attributed to Dromatics Systems). Activity targeted local admin accounts, with VPN IP assignments granted after cookie authentication and POST requests to /ssl-vpn/hipreport.esp and /ssl-vpn/getconfig.esp. Reported indicators include a spoofed MAC address aa:bb:cc:dd:ee:ff and machine names “GP-CLIENT” (Linux) and “DESKTOP-GP01” (Windows). Rapid7 observed successful authentication in 8 of 10 impacted customers without full VPN sessions being established, and states it did not observe any successful lateral movement from the affected devices. Threat-actor IPs named in the report: 104.207.144.154; 146.19.216.119, 146.19.216.120, 146.19.216.125; 209.99.191.137; and 79.130.26.202.
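A scanner for the indicators listed above, as an added example in Go that is not part of the Rapid7 report: it flags lines carrying a listed IP, the spoofed MAC or either machine name, and separately lists every successful login via a `portal-*` override-cookie parameter for triage, marking a login as flagged when any line from the same source matched an indicator. The `key=value` log layout, the field names (`src`, `event`, `result`, `param`, `path`, `mac`, `host`) and the sample lines are constructed for this example and are not the PAN-OS GlobalProtect log format; the IPs, MAC and hostnames are those named in the report, with RFC 5737 documentation addresses for the sources that are not listed.

```go
package main

import "strings"

// Indicators as named in the Rapid7 report summarized above.
var (
	reportIPs = map[string]bool{
		"104.207.144.154": true, "146.19.216.119": true, "146.19.216.120": true,
		"146.19.216.125": true, "209.99.191.137": true, "79.130.26.202": true,
	}
	reportMAC   = "aa:bb:cc:dd:ee:ff"
	reportHosts = map[string]bool{"GP-CLIENT": true, "DESKTOP-GP01": true}
)

// Finding is one log line that carries a published indicator.
type Finding struct {
	Line    int
	Src     string
	Reasons []string
}

// OverrideLogin is a successful login via an override-cookie parameter. Flagged
// is set when any line from the same source matched an indicator, so a login
// from an IP that is not on the list is still surfaced if the client later
// reported the spoofed MAC or machine name.
type OverrideLogin struct {
	Src, User string
	Flagged   bool
}

// parseKV reads the key=value layout of the constructed sample below. This is
// not the PAN-OS log format; map your exporter's field names onto these keys.
func parseKV(line string) map[string]string {
	f := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			f[k] = v
		}
	}
	return f
}

func indicatorsIn(f map[string]string) []string {
	var why []string
	if reportIPs[f["src"]] {
		why = append(why, "source IP named in report")
	}
	if f["mac"] == reportMAC {
		why = append(why, "spoofed MAC "+reportMAC)
	}
	if reportHosts[f["host"]] {
		why = append(why, "machine name "+f["host"])
	}
	return why
}

// ScanLog returns every line matching an indicator, plus all successful
// override-cookie logins for triage, flagged by source as described above.
func ScanLog(text string) ([]Finding, []OverrideLogin) {
	var findings []Finding
	var logins []OverrideLogin
	flagged := map[string]bool{}
	for i, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := parseKV(line)
		if why := indicatorsIn(f); len(why) > 0 {
			findings = append(findings, Finding{Line: i + 1, Src: f["src"], Reasons: why})
			flagged[f["src"]] = true
		}
		if f["event"] == "auth" && f["result"] == "success" && strings.HasPrefix(f["param"], "portal-") {
			logins = append(logins, OverrideLogin{Src: f["src"], User: f["user"]})
		}
	}
	for i := range logins {
		logins[i].Flagged = flagged[logins[i].Src]
	}
	return findings, logins
}

// sampleLog is constructed for this example: lines 1 and 2 reuse values from
// the report, lines 3 and 4 are a benign client, and lines 5 and 6 are a
// source whose IP is not listed but whose client reports the spoofed MAC.
const sampleLog = `
ts=2026-05-18T03:12:09Z src=104.207.144.154 event=auth result=success user=admin param=portal-userauthcookie
ts=2026-05-18T03:12:10Z src=104.207.144.154 event=post path=/ssl-vpn/hipreport.esp mac=aa:bb:cc:dd:ee:ff host=GP-CLIENT os=Linux
ts=2026-05-18T08:40:01Z src=198.51.100.23 event=auth result=success user=jdoe param=portal-userauthcookie
ts=2026-05-18T08:40:02Z src=198.51.100.23 event=post path=/ssl-vpn/hipreport.esp mac=3c:22:fb:12:34:56 host=JDOE-LAPTOP os=Windows
ts=2026-05-21T11:05:44Z src=203.0.113.77 event=auth result=success user=admin param=portal-prelogonuserauthcookie
ts=2026-05-21T11:05:45Z src=203.0.113.77 event=post path=/ssl-vpn/getconfig.esp mac=aa:bb:cc:dd:ee:ff host=DESKTOP-GP01 os=Windows
`
```

Running `ScanLog(sampleLog)` flags lines 1, 2 and 6, and of the three override-cookie logins the ones from 104.207.144.154 and 203.0.113.77 come back flagged while the jdoe login does not. The third source is the case worth keeping: its IP is not on the list, so a pure IP match would miss it, and only the spoofed MAC and machine name on its later POST to /ssl-vpn/getconfig.esp tie it back to the reported activity.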
Mitigation
Palo Alto Networks’ guidance, as relayed by Rapid7, is to either disable the authentication override feature, or generate a new certificate used exclusively for authentication-override encryption/decryption and not shared with HTTPS or any other feature. Patched releases are available for each affected PAN-OS major version (see the vendor advisory’s version table). Rapid7 notes detection coverage for MDR/InsightIDR customers and authenticated checks for Exposure Command/InsightVM users since its May 15 content release. Defenders should also review GlobalProtect logs for the indicators above and, because the listed IPs reflect only the activity Rapid7 observed, triage every successful authentication made through the override-cookie parameters from an unexpected source, in particular those against local admin accounts.