PAN-OS GlobalProtect Authentication Bypass CVE-2026-0257 Is Being Actively Exploited Right Now
A confirmed, in-progress attack campaign is targeting enterprise VPN infrastructure globally, and Canadian organizations are directly in the line of fire. Palo Alto Networks has confirmed that CVE-2026-0257, a PAN-OS GlobalProtect authentication bypass flaw carrying a CVSS score of 7.8, is under active exploitation. A 7.8 falls in the High band of the CVSS scale rather than Critical, but security researchers are urging all affected organizations to treat it with critical-level urgency. If your organization is running Palo Alto Networks firewalls with GlobalProtect enabled, stop reading after this paragraph and go check your configuration.
What CVE-2026-0257 Is and Why It Is Dangerous
The vulnerability lives inside the GlobalProtect portal and gateway components of PAN-OS software and Prisma Access. Under specific non-default configuration conditions, a remote, unauthenticated attacker can completely bypass authentication controls and establish a fully authorized VPN session without supplying any valid credentials.
Three conditions must align for a system to be vulnerable:
- The GlobalProtect portal or gateway has the authentication override cookie feature enabled
- The certificate used to encrypt and decrypt those authentication override cookies is shared with another feature on the same device, such as the HTTPS service of the portal or gateway itself
- The Cloud Authentication Service (CAS) is disabled on the device
Authentication override cookies work similarly to bearer tokens in web applications. After a legitimate user authenticates, the system issues them a cookie that allows seamless reconnection without repeating full credential verification. The vulnerability arises from the exposure of the encryption certificate for those cookies through the device’s HTTPS interface.
Because the HTTPS service hands its certificate, and with it the server’s public key, to anyone who connects, an attacker can retrieve that key without any credentials. Rapid7’s technical analysis of the vulnerability confirmed that the GlobalProtect service decrypts incoming authentication cookies with the corresponding RSA private key but performs no signature verification on the decrypted content. Public-key encryption provides confidentiality, not origin authentication: anyone holding the public key can encrypt a structurally valid cookie that the gateway will decrypt and trust. The server accepts the forged cookie, and the attacker is granted a VPN session as if they were a legitimate, pre-authenticated user.
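To make the cryptographic point concrete, the following is an added model written for this page; it is not PAN-OS code and not Rapid7’s analysis tooling. The cookie layout (a small JSON claim set), the textbook RSA on two Mersenne primes (chosen so nothing beyond the Python standard library is needed), and the HMAC-based hardening are all assumptions introduced to show the logic flaw. The vulnerable validator decrypts and trusts whatever parses; the attacker, holding only the public key, produces a cookie it accepts. The hardened validator requires an integrity tag under a secret the client never sees, so the same forgery is rejected.

```python
"""Toy model of decrypt-then-trust cookies versus cookies with an origin check.

Added example: not PAN-OS code and not Rapid7's analysis tooling. The cookie
layout (a JSON claim set), the textbook RSA on two Mersenne primes, and the
HMAC-based hardening are all assumptions made to show the logic flaw.
"""
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Textbook RSA (no padding) on M521 and M607 so nothing external is needed.
# A real deployment would use a library with proper padding; the point here
# is the trust decision, not the cipher.
P = 2**521 - 1
Q = 2**607 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
MOD_BYTES = 160                           # >= 141 bytes needed to hold N

PUBLIC_KEY = (N, E)                       # served to every TLS client
PRIVATE_KEY = (N, D)                      # stays on the gateway
COOKIE_MAC_KEY = secrets.token_bytes(32)  # hardened design only; never leaves the gateway


def rsa_encrypt(payload: bytes, pub) -> int:
    n, e = pub
    m = int.from_bytes(payload, "big")
    if m >= n:
        raise ValueError("payload too long for this toy modulus")
    return pow(m, e, n)


def rsa_decrypt(c: int, priv) -> bytes:
    n, d = priv
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")


def claims_for(user: str) -> bytes:
    # Constructed claim set; the real cookie format is not modelled here.
    return json.dumps({"user": user, "exp": 1779000000}).encode()


# --- Vulnerable design: decrypt, parse, trust --------------------------------

def issue_cookie_vulnerable(user: str) -> dict:
    return {"c": rsa_encrypt(claims_for(user), PUBLIC_KEY)}


def validate_cookie_vulnerable(cookie: dict) -> Optional[str]:
    """Accepts any ciphertext that decrypts to well-formed JSON: no origin check."""
    try:
        claims = json.loads(rsa_decrypt(cookie["c"], PRIVATE_KEY))
    except (ValueError, KeyError, TypeError):
        return None
    return claims.get("user")


# --- Hardened design: integrity tag under a secret the client never sees -----

def _tag(c: int) -> str:
    return hmac.new(COOKIE_MAC_KEY, c.to_bytes(MOD_BYTES, "big"), hashlib.sha256).hexdigest()


def issue_cookie_hardened(user: str) -> dict:
    c = rsa_encrypt(claims_for(user), PUBLIC_KEY)
    return {"c": c, "tag": _tag(c)}


def validate_cookie_hardened(cookie: dict) -> Optional[str]:
    """Checks the tag before decrypting; a forged ciphertext cannot carry one."""
    try:
        if not hmac.compare_digest(_tag(cookie["c"]), cookie.get("tag", "")):
            return None
        claims = json.loads(rsa_decrypt(cookie["c"], PRIVATE_KEY))
    except (ValueError, KeyError, TypeError, OverflowError, AttributeError):
        return None
    return claims.get("user")


# --- Attacker: holds only the public key, no credentials ---------------------

def forge_cookie(user: str) -> dict:
    """Exactly what the gateway's own issuer does, minus anything secret."""
    return {"c": rsa_encrypt(claims_for(user), PUBLIC_KEY)}


if __name__ == "__main__":
    forged = forge_cookie("admin")
    print("vulnerable gateway accepts forged cookie as:", validate_cookie_vulnerable(forged))
    print("hardened gateway accepts forged cookie as:", validate_cookie_hardened(forged))
    print("hardened gateway accepts genuine cookie as:",
          validate_cookie_hardened(issue_cookie_hardened("alice")))
```

A signature under a key that is never served to clients would play the same role as the HMAC: either way, the gateway must check something the client could not have produced before it trusts the decrypted claims. The vendor’s dedicated-certificate workaround closes the path described on this page by removing the public key from the HTTPS handshake, but the model shows why a decrypt-only check is structurally weak regardless of how the key is exposed.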
Two Waves of Active Exploitation Confirmed
On May 18, 2026, Rapid7’s Managed Detection and Response (MDR) team flagged suspicious activity across multiple customer environments after a “Suspicious VPN Authentication” alert fired. The earliest confirmed exploitation dates back to May 17. The initial wave originated from the cloud hosting provider Vultr, with the attacker’s source IP 104.207.144.154 authenticating to the local admin account via forged cookie across multiple targets simultaneously.
A second, distinct exploitation wave struck on May 21, 2026, this time routed through the hosting provider Dromatics Systems, with source IPs including 146.19.216.119, 146.19.216.120, and 146.19.216.125. Both waves share a consistent spoofed MAC address of aa:bb:cc:dd:ee:ff, leading Rapid7 analysts to assess both campaigns as the work of a single unidentified threat actor. Machine names observed in GlobalProtect logs during the attacks include GP-CLIENT (Linux, first wave) and DESKTOP-GP01 (Windows, second wave).
Of the 10 MDR customers impacted, 8 saw the attacker’s forged cookie accepted without a full VPN session being established. In the other two, both hit during the second wave, the forged cookie also triggered a VPN IP assignment, giving the attacker direct network-layer access to the internal environment. Rapid7 observed no confirmed lateral movement in any affected customer environment as of publication, though the investigation is ongoing.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, with a June 19, 2026, remediation deadline for covered federal civilian systems under Binding Operational Directive 22-01.
Affected PAN-OS and Prisma Access Versions
Palo Alto Networks has confirmed the following versions are vulnerable when the configuration conditions described above are present:
- PAN-OS 12.1: all versions below 12.1.4-h6 and below 12.1.7
- PAN-OS 11.2: all versions below 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, and 11.2.12
- PAN-OS 11.1: all versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 10.2: all versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
- Prisma Access 11.2.0: all versions below 11.2.7-h13
- Prisma Access 10.2.0: all versions below 10.2.10-h36
Panorama and Cloud NGFW are confirmed unaffected. End-of-life versions, including PAN-OS 9.0, 9.1, and 10.0, are vulnerable and will not receive patches from Palo Alto Networks; any organization still running those releases stays exposed until it migrates to a supported, fixed release.
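Reading a fix table like the one above against a fleet is error-prone, because a fixed hotfix on one maintenance release (11.1.4-h33) says nothing about a neighbouring release (11.1.5) that has no fix of its own. The checker below is an added example, not Palo Alto Networks tooling: the fixed-version table is transcribed from this page, and the only assumptions are that version strings look like `major.minor.maint[-hN]` and that a missing `-hN` suffix means hotfix 0. A `fixed` result means the code is patched; a `vulnerable` result still needs the configuration audit, since the bypass is only reachable when the authentication override conditions also hold.

```python
"""Classify a PAN-OS or Prisma Access version against the fixed releases above.

Added example, not Palo Alto Networks tooling. The fixed-version table is
transcribed from this page; the assumption is that versions look like
"major.minor.maint[-hN]" and that a missing hotfix suffix means hotfix 0.
"""
import re
from typing import Dict, List, Tuple

FIXED: Dict[str, Dict[str, List[str]]] = {
    "PAN-OS": {
        "12.1": ["12.1.4-h6", "12.1.7"],
        "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
        "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6",
                 "11.1.10-h25", "11.1.13-h5", "11.1.15"],
        "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21",
                 "10.2.16-h7", "10.2.18-h6"],
    },
    "Prisma Access": {
        "11.2": ["11.2.7-h13"],
        "10.2": ["10.2.10-h36"],
    },
}
# End-of-life PAN-OS trains named on this page: vulnerable, no fix will ship.
EOL_TRAINS = {"9.0", "9.1", "10.0"}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version: str) -> Tuple[int, int, int, int]:
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def status(version: str, product: str = "PAN-OS") -> str:
    """Return 'fixed', 'vulnerable', 'vulnerable-eol' or 'unlisted'.

    'fixed' means the build carries the patch. A 'vulnerable' build is only
    exploitable when the authentication-override conditions also hold, so it
    still needs the configuration audit before it is called safe.
    """
    major, minor, maint, hotfix = parse(version)
    train = f"{major}.{minor}"
    if product == "PAN-OS" and train in EOL_TRAINS:
        return "vulnerable-eol"
    fixes = [parse(f) for f in FIXED.get(product, {}).get(train, [])]
    if not fixes:
        return "unlisted"   # not on this page: check the vendor advisory
    # Anything at or beyond the newest fixed release in the train is patched.
    top_maint, top_hotfix = max(fixes)[2:]
    if (maint, hotfix) >= (top_maint, top_hotfix):
        return "fixed"
    # Below that, only a hotfix on the same maintenance release counts:
    # 11.1.5 or 11.1.8 have no fix of their own and must move up a release.
    for _, _, f_maint, f_hotfix in fixes:
        if maint == f_maint and hotfix >= f_hotfix:
            return "fixed"
    return "vulnerable"


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str, str]]:
    """Annotate (device, product, version) tuples with their status."""
    return [(dev, prod, ver, status(ver, prod)) for dev, prod, ver in inventory]


if __name__ == "__main__":
    # Constructed inventory for illustration; device names are invented.
    sample = [
        ("fw-yyz-edge-01", "PAN-OS", "11.1.4-h32"),
        ("fw-yyz-edge-02", "PAN-OS", "11.1.4-h33"),
        ("fw-yul-dc-01", "PAN-OS", "10.2.18-h5"),
        ("fw-legacy-01", "PAN-OS", "10.0.12"),
        ("prisma-tenant", "Prisma Access", "11.2.7-h13"),
    ]
    for row in triage(sample):
        print("%-16s %-13s %-12s %s" % row)
```

Feed it the version column exported from Panorama or from `show system info` on each device, and treat every `unlisted` result as a prompt to read the vendor advisory rather than as a clean bill of health.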
Canadian Impact: What This Means for Organizations in Canada
Palo Alto Networks’ next-generation firewalls are among the most widely deployed enterprise perimeter security platforms in Canada. Financial institutions, healthcare networks, federal and provincial government agencies, energy utilities, and post-secondary institutions all commonly rely on PAN-OS firewalls and GlobalProtect as their primary VPN gateway.
Any of those organizations running an exposed GlobalProtect configuration is at risk of unauthorized access to internal systems, potentially including systems housing personal health information, financial records, or sensitive government data.
Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation, organizations are required to protect personal information with safeguards appropriate to the sensitivity of the data. A breach resulting from the exploitation of a publicly known, actively exploited vulnerability for which a patch exists would face serious scrutiny from the Office of the Privacy Commissioner of Canada (OPC) under mandatory breach-of-security-safeguards reporting obligations. The fact that CISA formally catalogued this vulnerability is effectively public notice that exploitation is confirmed, leaving no defensible window for inaction.
The Canadian Centre for Cyber Security (CCCS) had not published a formal advisory specific to CVE-2026-0257 at the time of publication. However, Canadian federal departments, Crown corporations, and critical infrastructure operators should treat CISA’s KEV listing as sufficient grounds for immediate remediation action, consistent with CCCS guidance on vulnerability management for high-risk flaws.
This campaign is also unfolding in parallel with a separate but related threat track. Arctic Wolf has reported sustained exploitation of CVE-2026-35616 (CVSS 9.1), a now-patched critical flaw in FortiClient Endpoint Management Server deployments, being used to deliver a credential-stealing malware family called EKZ Infostealer. Taken together, the two campaigns show sustained, multi-vendor targeting of enterprise VPN and network perimeter products, making rapid perimeter hardening a top priority for Canadian security teams this week.
Mitigations: What to Do Before and After Patching
Patch to a Fixed PAN-OS Release
The only complete resolution is upgrading to a fixed PAN-OS version. Refer to Palo Alto Networks’ official advisory at security.paloaltonetworks.com/CVE-2026-0257 for the precise target versions applicable to your deployment. Prisma Access customers should verify their version against the thresholds listed above.
Interim Workarounds if Patching Is Not Immediately Possible
Palo Alto Networks has provided two temporary mitigations for organizations that cannot patch immediately:
- Disable the authentication override feature entirely within the GlobalProtect portal and gateway configuration
- Generate a new, dedicated certificate used exclusively for authentication override cookie encryption and decryption, ensuring that the certificate is not shared with any other feature or service on the device
These are stopgap measures only. They address the specific configuration condition that enables exploitation, but do not eliminate the underlying code flaw. Neither workaround should substitute for timely patching.
Rapid7 Labs has also released a public proof-of-concept detection script on GitHub under the CVE-2026-0257 identifier. Security teams can use this script to verify whether their specific GlobalProtect deployment is actually vulnerable under its current certificate configuration, providing an additional validation step before and after applying mitigations.
Key Takeaways
- CVE-2026-0257 is a PAN-OS GlobalProtect authentication bypass rated CVSS 7.8, but security researchers classify it as critical, given confirmed in-progress exploitation across multiple organizations
- Active exploitation began on May 17, 2026, followed by a second wave on May 21, with both campaigns attributed to a single threat actor based on consistent spoofed MAC address signatures
- The attack mechanism involves forging authentication override cookies using the public key exposed through the GlobalProtect HTTPS service, requiring no credentials to execute
- CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on May 29, 2026, with a June 19, 2026, remediation deadline for U.S. federal agencies
- Canadian organizations in financial services, healthcare, government, and energy sectors face direct network infiltration risk, and unauthorized access to personal information through a forged VPN session would bring PIPEDA’s breach-of-security-safeguards reporting obligations into play
- End-of-life PAN-OS versions 9.0, 9.1, and 10.0 will receive no vendor patch, so those deployments remain vulnerable until they are migrated to a supported, fixed release
- The parallel exploitation of CVE-2026-35616, delivering EKZ Infostealer via FortiClient EMS, points to sustained multi-vendor targeting of enterprise perimeter infrastructure
What You Should Do Now
- Inventory every PAN-OS and Prisma Access deployment across your environment and confirm the firmware version on each GlobalProtect portal and gateway immediately
- Audit your GlobalProtect configuration to determine whether authentication override cookies are enabled and, if so, whether the override certificate is shared with your HTTPS service
- Patch to a fixed PAN-OS release as defined in the Palo Alto Networks advisory, prioritizing any internet-facing GlobalProtect gateway before internal-only systems
- Apply interim mitigations if patching cannot begin within 24 hours: either disable authentication override or generate a dedicated certificate exclusively for that feature
- Block the known attacker IP addresses at your perimeter: 104.207.144.154 (Vultr); 146.19.216.119, 146.19.216.120, and 146.19.216.125 (Dromatics Systems). Treat this as a short-lived control: the actor already changed hosting providers between the two waves, so blocking these addresses does not reduce the urgency of patching or reconfiguring
- Search GlobalProtect authentication logs for cookie-based login events tied to the hostnames GP-CLIENT or DESKTOP-GP01, or any session logging a MAC address of aa:bb:cc:dd:ee:ff, including sessions from source IPs not on the list above, and escalate any matches to your security operations team immediately
- Engage your legal and privacy counsel if you discover any unauthorized VPN sessions in your environment, as the PIPEDA mandatory breach notification framework requires reporting breaches that pose a real risk of significant harm to affected individuals
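The hunt described in the action list above, as an added example that is not part of the original article or of any vendor tooling. The indicators are the ones quoted on this page; the log layout is a constructed, simplified CSV, not the real PAN-OS GlobalProtect log schema, so the column names must be mapped onto your own SIEM fields before use. Beyond matching the published IOCs, the scan pivots on the spoofed MAC address to surface source IPs that are not yet on the block list, because the actor has already rotated infrastructure once while keeping that MAC constant.

```python
"""Hunt GlobalProtect authentication records for the IOCs quoted on this page.

Added example; the log layout below is a constructed, simplified CSV, not the
real PAN-OS GlobalProtect log schema. Map the column names onto your own SIEM
fields before use. The indicators themselves are the ones on this page.
"""
import csv
import io
from typing import Dict, List

KNOWN_IPS = {
    "104.207.144.154",                                      # first wave, Vultr
    "146.19.216.119", "146.19.216.120", "146.19.216.125",  # second wave, Dromatics Systems
}
KNOWN_HOSTNAMES = {"GP-CLIENT", "DESKTOP-GP01"}
SPOOFED_MAC = "aa:bb:cc:dd:ee:ff"

# Assumed column order of the constructed export.
FIELDS = ["time", "event", "status", "user", "public_ip",
          "machine_name", "client_os", "mac", "auth_method"]

# Constructed sample records. The legitimate user and the hypothetical new
# attacker host use RFC 5737 documentation addresses; real logs will differ.
SAMPLE_LOG = """\
2026/05/17 03:12:44,gateway-auth,success,admin,104.207.144.154,GP-CLIENT,Linux,aa:bb:cc:dd:ee:ff,cookie
2026/05/17 03:12:45,gateway-auth,success,j.tremblay,198.51.100.23,JT-LAPTOP,Windows,3c:22:fb:10:aa:01,saml
2026/05/21 11:04:09,gateway-auth,success,admin,146.19.216.120,DESKTOP-GP01,Windows,aa:bb:cc:dd:ee:ff,cookie
2026/05/21 11:04:10,tunnel-up,success,admin,146.19.216.120,DESKTOP-GP01,Windows,aa:bb:cc:dd:ee:ff,cookie
2026/05/23 22:40:51,gateway-auth,success,admin,203.0.113.77,WKSTN-12,Windows,aa:bb:cc:dd:ee:ff,cookie
"""


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the IOC families a single record matches (empty if clean)."""
    reasons = []
    if rec["public_ip"] in KNOWN_IPS:
        reasons.append("known-attacker-ip")
    if rec["machine_name"].upper() in KNOWN_HOSTNAMES:
        reasons.append("ioc-hostname")
    if rec["mac"].lower() == SPOOFED_MAC:
        reasons.append("spoofed-mac")
    return reasons


def scan(log_text: str) -> Dict[str, object]:
    """Flag matching records and pivot on the spoofed MAC to find new source IPs.

    The MAC pivot matters because the actor already changed hosting providers
    between the two waves while keeping aa:bb:cc:dd:ee:ff constant.
    """
    hits = []
    pivot_ips = set()
    reader = csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS)
    for line_no, rec in enumerate(reader, start=1):
        reasons = classify(rec)
        if not reasons:
            continue
        if "spoofed-mac" in reasons and rec["public_ip"] not in KNOWN_IPS:
            pivot_ips.add(rec["public_ip"])
        hits.append({"line": line_no, "reasons": reasons,
                     "user": rec["user"], "public_ip": rec["public_ip"],
                     "event": rec["event"], "auth_method": rec["auth_method"]})
    return {"hits": hits, "pivot_ips": sorted(pivot_ips)}


if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for h in result["hits"]:
        print(f"line {h['line']}: {h['event']} {h['user']}@{h['public_ip']} "
              f"via {h['auth_method']} -> {', '.join(h['reasons'])}")
    print("source IPs sharing the spoofed MAC but not yet on the block list:",
          result["pivot_ips"])
```

Any hit on a `tunnel-up` style event, as in the constructed fourth record, corresponds to the cases where the forged cookie went on to receive a VPN IP assignment and deserves the highest escalation priority; a `gateway-auth` hit alone still indicates the cookie was accepted.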