A high-risk authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect, tracked as CVE-2026-0257, is now being actively exploited in the wild.
Although Palo Alto Networks assigns the issue a CVSSv4 score of 7.8 / High, the risk should be treated as urgent because GlobalProtect appliances are internet-facing remote access systems and can provide attackers with a direct path into internal networks.
Technical Overview
CVE-2026-0257 affects the GlobalProtect authentication override feature. This feature allows a GlobalProtect portal or gateway to issue cookies to authenticated users so they can reconnect without fully re-authenticating each time.
This feature is not enabled by default, but when it is enabled with an unsafe certificate configuration, attackers may be able to forge valid authentication override cookies.
The issue stems from how PAN-OS handles encrypted authentication override cookies. GlobalProtect decrypts the incoming cookie and trusts the decrypted content without additional signature verification. If the same certificate is reused for both GlobalProtect HTTPS services and authentication override cookies, a remote attacker may be able to obtain the public certificate and use it to craft a forged cookie that the gateway accepts as valid.
This can allow attackers to authenticate to the GlobalProtect portal or gateway without valid credentials and potentially establish a VPN session into the internal network.
Affected Versions
The issue affects PAN-OS and Prisma Access versions running vulnerable GlobalProtect portal or gateway configurations. Palo Alto states that Panorama and Cloud NGFW are not impacted.
Affected branches include:
| Product | Vulnerable Versions | Fixed Versions |
|---|---|---|
| PAN-OS 12.1 | Below 12.1.4-h6 / below 12.1.7 | 12.1.4-h6 or later / 12.1.7 or later |
| PAN-OS 11.2 | Below 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, 11.2.12 | Fixed releases listed by branch |
| PAN-OS 11.1 | Below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15 | Fixed releases listed by branch |
| PAN-OS 10.2 | Below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6 | Fixed releases listed by branch |
| Prisma Access 11.2.0 | Below 11.2.7-h13 | 11.2.7-h13 or later |
| Prisma Access 10.2.0 | Below 10.2.10-h36 | 10.2.10-h36 or later |
Observed Threat Activity
Public threat reporting indicates that exploitation activity began as early as May 17, 2026, with attackers using forged authentication override cookies to authenticate to GlobalProtect gateways. In the first observed wave, the activity targeted local administrator accounts and was linked to infrastructure hosted by Vultr. A second wave was observed on May 21, 2026, originating from Dromatics Systems infrastructure.
CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026, with a federal remediation due date of June 1, 2026.
Indicators of Compromise (IOCs)
Known indicators reported include:
| Indicator | Type | Notes |
|---|---|---|
| 104.207.144.154 | IP address | Threat actor source IP |
| 146.19.216.119 | IP address | Threat actor source IP |
| 146.19.216.120 | IP address | Threat actor source IP |
| 146.19.216.125 | IP address | Threat actor source IP |
| DESKTOP-GP01 | Hostname | Observed with Windows authentication activity |
| GP-CLIENT | Hostname | Observed with Linux authentication activity |
| aa:bb:cc:dd:ee:ff | MAC address | Spoofed MAC address observed in exploitation waves |
These indicators should be used as starting points for hunting, not as a complete detection strategy.
Recommended Actions
Organizations using Palo Alto Networks GlobalProtect should take immediate action:
Patch immediately
Upgrade affected PAN-OS and Prisma Access deployments to a fixed version based on the relevant release branch. Palo Alto states that users may need to re-authenticate once after the upgrade because the fix regenerates authentication override cookies using a more secure method.
Validate GlobalProtect configuration
Check whether authentication override cookies are enabled on GlobalProtect portals and gateways. Palo Alto provides configuration paths for reviewing “Generate cookie for authentication override” and “Accept cookie for authentication override” settings in the GlobalProtect portal and gateway management interface.
Apply mitigations if patching is delayed
If immediate patching is not possible, disable authentication override or generate a dedicated certificate exclusively for authentication override cookies. Palo Alto specifically warns against reusing the portal or gateway certificate for this feature.
Hunt for prior exploitation
Review GlobalProtect gateway-auth logs from at least May 17, 2026 onward for cookie-based logins, local admin authentication, suspicious source infrastructure, default hostnames, spoofed MAC addresses, and unexpected VPN IP assignments. Rapid7 observed exploitation beginning on May 17, with additional activity on May 21.
Review internal activity after suspicious VPN sessions
If suspicious VPN authentication is found, investigate downstream activity from the assigned VPN IP, including authentication attempts, internal scanning, privileged access, endpoint alerts, and lateral movement indicators.
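The hunting step above, as an added example that is not part of the original advisory or any Palo Alto tooling: a small triage script that runs the published IOCs and the "cookie login to a local admin" heuristic over gateway-auth records. The CSV layout, field names and sample lines are constructed for illustration and do not reproduce the real PAN-OS log schema; the extra heuristic flagging a cookie login with no earlier full authentication for that user in the reviewed window is an assumption of this example, not something the advisory states.

```python
import csv
import io
from datetime import datetime

# Constructed sample records in an assumed, simplified CSV layout (not the real PAN-OS schema):
# time, event, user, auth_method, source_ip, hostname, mac, vpn_ip, status
SAMPLE_LOG = """\
2026-05-15T07:30:12,gateway-auth,mlee,LDAP,198.51.100.23,MLEE-MBP,66:77:88:99:aa:bb,10.50.0.31,success
2026-05-16T08:12:01,gateway-auth,jsmith,LDAP,203.0.113.10,JSMITH-LAPTOP,00:11:22:33:44:55,10.50.0.12,success
2026-05-17T03:41:17,gateway-auth,admin,cookie,104.207.144.154,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,10.50.0.77,success
2026-05-18T09:05:44,gateway-auth,mlee,cookie,198.51.100.23,MLEE-MBP,66:77:88:99:aa:bb,10.50.0.31,success
2026-05-21T22:10:03,gateway-auth,admin,cookie,146.19.216.119,GP-CLIENT,aa:bb:cc:dd:ee:ff,10.50.0.78,success
"""
FIELDS = ["time", "event", "user", "auth_method", "source_ip", "hostname", "mac", "vpn_ip", "status"]

# Indicators from the advisory's IOC table.
IOC_IPS = {"104.207.144.154", "146.19.216.119", "146.19.216.120", "146.19.216.125"}
IOC_HOSTNAMES = {"DESKTOP-GP01", "GP-CLIENT"}
IOC_MACS = {"aa:bb:cc:dd:ee:ff"}
LOCAL_ADMINS = {"admin"}          # assumed: local administrator accounts defined on the firewall
HUNT_START = datetime(2026, 5, 17)  # earliest observed exploitation per the advisory


def score_record(rec, full_auth_seen):
    """Return the reasons a successful gateway-auth record deserves analyst attention."""
    reasons = []
    if rec["status"] != "success" or datetime.fromisoformat(rec["time"]) < HUNT_START:
        return reasons
    if rec["auth_method"].lower() == "cookie":
        if rec["user"] in LOCAL_ADMINS:
            reasons.append("cookie-based login to local admin account")
        if rec["user"] not in full_auth_seen:  # assumed heuristic: no prior full auth in reviewed log
            reasons.append("cookie login with no earlier full authentication for this user")
    if rec["source_ip"] in IOC_IPS:
        reasons.append("source IP matches published IOC")
    if rec["hostname"] in IOC_HOSTNAMES:
        reasons.append("hostname matches published IOC")
    if rec["mac"] in IOC_MACS:
        reasons.append("MAC address matches published IOC")
    return reasons


def hunt(log_text):
    """Walk records in order and return (record, reasons) for each suspicious login."""
    hits, full_auth_seen = [], set()
    for rec in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        reasons = score_record(rec, full_auth_seen)
        if rec["status"] == "success" and rec["auth_method"].lower() != "cookie":
            full_auth_seen.add(rec["user"])  # a full (non-cookie) login legitimises later cookie use
        if reasons:
            hits.append((rec, reasons))
    return hits


if __name__ == "__main__":
    for rec, reasons in hunt(SAMPLE_LOG):
        print(f"{rec['time']} user={rec['user']} src={rec['source_ip']} vpn_ip={rec['vpn_ip']}: {'; '.join(reasons)}")
```

Each hit carries the assigned VPN IP so the downstream review of internal activity from that address can start directly from the script's output.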
Stay Safe. Stay Secure.
OP Innovate Research Team