top of page

PAN-OS GlobalProtect Authentication Bypass Vulnerability Under Active Exploitation in the Wild

  • May 30
  • 3 min read

Key Findings


  • CVE-2026-0257 is an authentication bypass vulnerability actively exploited in the wild against Palo Alto Networks PAN-OS appliances

  • Threat actors can forge valid VPN authentication cookies without credentials if specific certificate configurations exist

  • CISA added this flaw to the Known Exploited Vulnerabilities catalog due to active exploitation campaigns

  • A single threat actor orchestrated at least two waves of attacks starting May 17, 2026, successfully obtaining internal network access in some cases

  • Immediate patching is required as standard monitoring tools may miss the exploitation

  • Emergency mitigations available for organizations unable to patch immediately


Background


The vulnerability impacts enterprise perimeter networks globally, specifically targeting Palo Alto Networks appliances running GlobalProtect VPN gateway configurations. Organizations relying on these appliances for remote access authentication are currently at risk. The flaw was first disclosed on May 13, 2026, but active exploitation began shortly thereafter, prompting urgent attention from federal authorities and security vendors alike.


Understanding the Authentication Override Mechanism


GlobalProtect portals and gateways include a feature designed to streamline user login experiences. This functionality allows the appliance to issue authentication cookies to verified users, enabling them to maintain VPN sessions without repeatedly entering credentials. The system uses token-based authentication where users receive encrypted cookies for subsequent connections.


The Critical Validation Gap


The underlying vulnerability stems from improper validation in the token processing logic. When the appliance receives an authentication cookie, it base64-decodes the token and decrypts it using a private key. However, the system implicitly trusts the decrypted content without performing any cryptographic signature verification. This means an attacker can forge functional tokens if they possess the correct key parameters.


Certificate Management Failures Enable Exploitation


The exploitation chain depends on poor certificate management practices. The vulnerability primarily affects devices that reuse their primary portal certificate across multiple network functions. When organizations share this certificate with the public HTTPS service, attackers can easily extract the public key parameters. Armed with this information, adversaries can construct encrypted cookies that the appliance will accept as legitimate.


How Attackers Forge Valid Cookies


Once an attacker obtains the public key, they can encrypt arbitrary authentication tokens without possessing valid credentials. The appliance receives these forged cookies server-side and processes them as legitimate authentication tokens. This grants unauthorized VPN access, completely bypassing the intended security controls and allowing attackers to establish connections as if they were authenticated users.


Documented Attack Campaigns


Security researchers identified multiple exploitation waves targeting vulnerable organizations. The first wave began on May 17, 2026, using infrastructure from Vultr hosting provider. Attackers probed multiple targets to identify vulnerable configurations. A second wave occurred on May 21 using different hosting infrastructure through Dromatics Systems.


Attributing the Threat Actor


Despite using different hosting providers across the two campaigns, investigators discovered consistent digital fingerprints linking both attack waves to a single threat group. The connection between campaigns suggests a coordinated operation rather than unrelated attackers independently discovering the flaw.


Successful Exploitation Outcomes


In the second wave, attackers successfully moved beyond initial access. After forging authentication cookies, they received VPN IP assignments from compromised appliances. This granted them legitimate network presence inside affected organization perimeters. Forensic analysis showed no immediate follow-on activity in all cases, but the capability to access internal networks represents significant risk.


Urgent Patching Requirements


Organizations cannot delay infrastructure updates given the active exploitation. Standard network monitoring tools often fail to detect anomalies in cookie validation processes, leaving organizations blind to compromise. Palo Alto Networks released vendor-supplied patches that address the validation gap and must be applied on an urgent basis to all affected appliances.


Emergency Configuration Mitigations


For organizations unable to patch immediately, temporary workarounds provide protection. Administrators can completely disable the authentication override feature through the portal configuration dashboard. Alternatively, engineers can generate a unique certificate used exclusively for cookie management, preventing attackers from extracting key parameters from the public HTTPS service. These precautions will eliminate the attack vector until patches can be deployed.


Sources


  • https://securityonline.info/pan-os-authentication-bypass-flaw-exploited/

  • https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html

  • https://x.com/the_yellow_fall/status/2060535565154742578

  • https://www.cryptika.com/palo-alto-networks-pan-os-authentication-vulnerability-bypass-exploited-in-the-wild

  • https://x.com/The_Cyber_News/status/2060556972253131206

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page