top of page

Palo Alto Warns of Active Exploitation of PAN-OS GlobalProtect VPN Bypass Flaw (CVE-2026-0257)

  • Jun 15
  • 3 min read

Key Findings


  • CVE-2026-0257 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS affecting GlobalProtect portals and gateways

  • Active exploitation confirmed by Rapid7 starting May 17, 2026, with two distinct attack waves originating from different hosting providers

  • Vulnerability allows attackers to forge authentication cookies and bypass VPN access controls without credentials

  • CISA added the flaw to its Known Exploited Vulnerabilities catalog in early June, requiring federal agencies to patch by June 1

  • Successful exploitation requires a specific misconfiguration where the HTTPS certificate is shared with the cookie encryption feature

  • Limited post-exploitation activity observed; only a small portion of targeted devices successfully established VPN sessions


Background


Palo Alto Networks addressed CVE-2026-0257 on May 13, 2026. Two weeks later, Rapid7 confirmed active exploitation across multiple customer environments. The vulnerability affects the GlobalProtect portal and gateway components of PAN-OS software but does not impact Panorama or Cloud NGFW deployments. The flaw carries a CVSS score of 7.8 and was initially rated as medium severity by Palo Alto, though security researchers argued the rating was too low for an internet-facing enterprise VPN appliance.


Technical Details of the Vulnerability


The core issue stems from how PAN-OS handles cookie encryption and validation. If organizations use the same certificate for both HTTPS service and cookie encryption—a common misconfiguration—attackers can extract the public key directly from the HTTPS session. With this key, an attacker can craft a valid authentication cookie for any user, including the local admin account. The device accepts the forged cookie without any signature verification or credential validation.


Rapid7 published a proof-of-concept script demonstrating the attack, which takes only seconds to execute against a vulnerable appliance. The attack works by retrieving the certificate chain, iterating through each certificate, forging a cookie, and testing it against the target.


Attack Timeline and Campaigns


The first wave of exploitation occurred on May 18 at 01:51 UTC, originating from infrastructure hosted by Vultr. Attackers used the hostname "GP-CLIENT" on a Linux system and a spoofed MAC address of aa:bb:cc:dd:ee:ff while targeting the local admin account across several customer environments.


A second wave followed on May 21 from Dromatics Systems, using the hostname "DESKTOP-GP01" and the same spoofed MAC address. The consistent MAC address across both waves led Rapid7 to assess that a single threat actor orchestrated both campaigns. In this second wave, some victims received VPN IP assignments after cookie authentication succeeded, granting attackers access to internal networks.


Scope of Impact


Rapid7 MDR identified successful exploitation across numerous customers but observed no indication of successful lateral movement from the compromised devices. Notably, in 8 out of 10 impacted customers, the appliance accepted the forged cookie without establishing a full VPN session. Why complete exploitation succeeded for some victims but not others remains unclear.


Organizations are only vulnerable if they have disabled Cloud Authentication Service and enabled authentication override cookies with the cookie certificate shared with the HTTPS service. If your configuration doesn't match this description, you are not exposed.


Indicators of Compromise


The threat actor used several IP addresses during the campaigns: 23.128.228.6, 104.207.144.154, 146.19.216.119, 146.19.216.120, 146.19.216.125, 179.43.172.213, 185.195.232.139, 198.12.106.60, and 202.144.192.47. Hostnames and spoofed MAC addresses included GP-CLIENT, DESKTOP-GP01, WINDOWS-LAPTOP-001, aa:bb:cc:dd:ee:ff, and 00:11:22:33:44:55.


Remediation and Recommendations


Organizations should immediately upgrade to a patched PAN-OS version if their appliances match the vulnerable configuration. As a stopgap measure, either disable the authentication override feature entirely or generate a dedicated certificate used only for cookie encryption. Rapid7 published a public proof-of-concept script on GitHub that organizations can use to test whether their appliances are vulnerable. Administrators should search GlobalProtect logs for successful gateway-connected events with hard-coded client configuration values including endpoint OS version of Windows 10 Pro 64-bit and empty source user info domain.


CISA ordered Federal Civilian Executive Branch agencies to mitigate the flaw by June 1, 2026.


Sources


  • https://securityaffairs.com/193638/security/palo-alto-warns-of-exploitation-of-vpn-bypass-exploits-cve-2026-0257-in-pan-os-flaw.html

  • https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page