PAN-OS GlobalProtect Authentication Bypass Vulnerability Under Active Exploitation in the Wild
- May 30
- 3 min read
Key Findings
CVE-2026-0257 is an authentication bypass vulnerability actively exploited in the wild against Palo Alto Networks PAN-OS appliances
Threat actors can forge valid VPN authentication cookies without credentials if specific certificate configurations exist
CISA added this flaw to the Known Exploited Vulnerabilities catalog due to active exploitation campaigns
A single threat actor orchestrated at least two waves of attacks starting May 17, 2026, successfully obtaining internal network access in some cases
Immediate patching is required as standard monitoring tools may miss the exploitation
Emergency mitigations available for organizations unable to patch immediately
Background
The vulnerability impacts enterprise perimeter networks globally, specifically targeting Palo Alto Networks appliances running GlobalProtect VPN gateway configurations. Organizations relying on these appliances for remote access authentication are currently at risk. The flaw was first disclosed on May 13, 2026, but active exploitation began shortly thereafter, prompting urgent attention from federal authorities and security vendors alike.
Understanding the Authentication Override Mechanism
GlobalProtect portals and gateways include a feature designed to streamline user login experiences. This functionality allows the appliance to issue authentication cookies to verified users, enabling them to maintain VPN sessions without repeatedly entering credentials. The system uses token-based authentication where users receive encrypted cookies for subsequent connections.
The Critical Validation Gap
The underlying vulnerability stems from improper validation in the token processing logic. When the appliance receives an authentication cookie, it base64-decodes the token and decrypts it using a private key. However, the system implicitly trusts the decrypted content without performing any cryptographic signature verification. This means an attacker can forge functional tokens if they possess the correct key parameters.
Certificate Management Failures Enable Exploitation
The exploitation chain depends on poor certificate management practices. The vulnerability primarily affects devices that reuse their primary portal certificate across multiple network functions. When organizations share this certificate with the public HTTPS service, attackers can easily extract the public key parameters. Armed with this information, adversaries can construct encrypted cookies that the appliance will accept as legitimate.
How Attackers Forge Valid Cookies
Once an attacker obtains the public key, they can encrypt arbitrary authentication tokens without possessing valid credentials. The appliance receives these forged cookies server-side and processes them as legitimate authentication tokens. This grants unauthorized VPN access, completely bypassing the intended security controls and allowing attackers to establish connections as if they were authenticated users.
Documented Attack Campaigns
Security researchers identified multiple exploitation waves targeting vulnerable organizations. The first wave began on May 17, 2026, using infrastructure from Vultr hosting provider. Attackers probed multiple targets to identify vulnerable configurations. A second wave occurred on May 21 using different hosting infrastructure through Dromatics Systems.
Attributing the Threat Actor
Despite using different hosting providers across the two campaigns, investigators discovered consistent digital fingerprints linking both attack waves to a single threat group. The connection between campaigns suggests a coordinated operation rather than unrelated attackers independently discovering the flaw.
Successful Exploitation Outcomes
In the second wave, attackers successfully moved beyond initial access. After forging authentication cookies, they received VPN IP assignments from compromised appliances. This granted them legitimate network presence inside affected organization perimeters. Forensic analysis showed no immediate follow-on activity in all cases, but the capability to access internal networks represents significant risk.
Urgent Patching Requirements
Organizations cannot delay infrastructure updates given the active exploitation. Standard network monitoring tools often fail to detect anomalies in cookie validation processes, leaving organizations blind to compromise. Palo Alto Networks released vendor-supplied patches that address the validation gap and must be applied on an urgent basis to all affected appliances.
Emergency Configuration Mitigations
For organizations unable to patch immediately, temporary workarounds provide protection. Administrators can completely disable the authentication override feature through the portal configuration dashboard. Alternatively, engineers can generate a unique certificate used exclusively for cookie management, preventing attackers from extracting key parameters from the public HTTPS service. These precautions will eliminate the attack vector until patches can be deployed.
Sources
https://securityonline.info/pan-os-authentication-bypass-flaw-exploited/
https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html
https://x.com/the_yellow_fall/status/2060535565154742578
https://www.cryptika.com/palo-alto-networks-pan-os-authentication-vulnerability-bypass-exploited-in-the-wild
https://x.com/The_Cyber_News/status/2060556972253131206

Comments