June 22, 2026
Unpacking CVE-2026-0257: The GlobalProtect Authentication Bypass Under Active Exploitation
How a missing integrity check turned a convenience feature into a critical gateway bypass — and what you need to do right now.
CySec & Tech Chat
In the ever-evolving landscape of cloud and network security, few things raise alarms quite like an actively exploited vulnerability in an enterprise edge device. On May 13, 2026, Palo Alto Networks published a security advisory for CVE-2026-0257, an authentication bypass vulnerability affecting PAN-OS GlobalProtect portals and gateways.
Initially scored at a medium severity of 4.7, the situation rapidly escalated. By May 29, the CVSS score was bumped to 7.8 (High), and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added it to their Known Exploited Vulnerabilities (KEV) catalog with a remediation deadline of June 1, 2026.
If you are responsible for securing cloud workloads or managing enterprise network perimeters, this is a vulnerability that demands immediate attention. Here is a deep dive into what CVE-2026-0257 is, how it is being exploited in the wild, and what you must do to secure your infrastructure.
The Core Issue: Implicit Trust in Decrypted Cookies
To understand CVE-2026-0257, we need to look at a specific feature within GlobalProtect called Authentication Override.
Authentication override is designed to improve user experience. When a user successfully authenticates to a GlobalProtect portal or gateway, the system can issue them an encrypted cookie. In future sessions, the user can present this cookie in lieu of entering credentials again — functioning much like a bearer token.
The vulnerability lies in how PAN-OS handles this cookie upon its return. According to a detailed technical analysis by Rapid7, the GlobalProtect service decrypts the incoming base64-encoded cookie using a private key. However, once decrypted, the contents are trusted implicitly without any cryptographic signature verification or integrity checking. This is classified under CWE-565: Reliance on Cookies without Validation and Integrity Checking.
The Attack Vector
Because there is no integrity check after decryption, if an attacker can figure out how to properly encrypt a forged cookie, the GlobalProtect gateway will accept it without question. But how does an attacker obtain the encryption key?
This brings us to the critical configuration prerequisite. Palo Alto Networks explicitly warns against reusing the portal or gateway certificate for other features. If an administrator uses the same certificate for both the GlobalProtect HTTPS service and the Authentication Override cookie encryption, the public key is exposed during the standard TLS handshake.
An unauthenticated remote attacker can then:
- Connect to the HTTPS service and extract the public key from the certificate chain.
- Forge a cookie containing arbitrary user data (such as the admin username).
- Encrypt the forged cookie using the extracted public key.
- Submit the forged cookie to the /ssl-vpn/login.esp endpoint.
Because the gateway successfully decrypts it and performs no further validation, the attacker bypasses authentication entirely and can establish a VPN connection into the corporate network.
Active Exploitation in the Wild
This is not a theoretical exercise. Threat actors have been actively exploiting this flaw since at least May 17, 2026.
Rapid7's Managed Detection and Response (MDR) team identified successful exploitation across numerous customer environments. The attacks came in two distinct waves:
Attackers utilized forged cookies to authenticate as local admin accounts. In their probes, they used spoofed MAC addresses (e.g., aa:bb:cc:dd:ee:ff) and generic hostnames like GP-CLIENT or WINDOWS-LAPTOP-001.
"In this wave of exploitation, Rapid7 observed VPN IP assignment following the cookie authentication, granting them access to the internal network. Rapid7 observed POST requests to /ssl-vpn/hipreport.esp and /ssl-vpn/getconfig.esp in the cases where a VPN tunnel was successfully established."
- Rapid7 Technical Analysis
While many of the observed attempts resulted only in the appliance accepting the cookie without establishing a full VPN tunnel, several instances did result in successful IP assignment — granting the attacker a direct foothold into the internal network. Notably, no lateral movement was observed post-exploitation in the environments Rapid7 monitored, suggesting the attackers may have been in a reconnaissance phase.
Unit 42 published a comprehensive threat brief on June 9, 2026, with indicators of compromise (IOCs) including nine attacker IP addresses and hard-coded PoC client configuration values that defenders should hunt for in their GlobalProtect logs.
Are You Vulnerable?
It is important to note that Panorama and Cloud NGFW are not impacted by this issue. The vulnerability specifically affects PAN-OS firewalls and Prisma Access deployments where the following conditions are all met:
- A GlobalProtect portal or gateway is configured.
- Authentication Override is enabled (either generating or accepting cookies).
- The certificate used for the authentication override is shared with another service (like the HTTPS portal itself), exposing the public key to anyone who connects.
Affected Versions
Palo Alto Networks has released patches across multiple version trains:
Remediation and Mitigation Strategies
If you are running an affected version, patching is the highest priority. However, if immediate patching is not feasible due to change control windows, there are effective workarounds you can implement immediately:
1. Use a Dedicated Certificate: Generate a new, unique certificate exclusively for Authentication Override cookies. Do not share this certificate with the portal, gateway, or any other feature. This prevents attackers from obtaining the public key required to forge the cookie.
2. Disable Authentication Override: Navigate to your GlobalProtect portal and gateway configurations and uncheck the options for generating and accepting authentication override cookies. This completely removes the vulnerable attack surface, though it will require users to authenticate more frequently.
3. Hunt for IOCs: Review your GlobalProtect logs for the indicators published by Unit 42 — particularly successful gateway-connected events from the nine IP addresses listed in their threat brief, or connections using suspicious host IDs like DESKTOP-GP01, GP-CLIENT, or MAC addresses like aa:bb:cc:dd:ee:ff.
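A hunting script for the indicators named above, added here as an illustration and not taken from Unit 42 or Rapid7. The key=value log layout, the field names and the sample lines are constructed (real GlobalProtect logs are CSV exports with many more fields, so map yours onto these keys first), and the single placeholder IP stands in for the nine addresses listed in the Unit 42 brief.

```python
import re

# Indicators quoted in the article. SUSPICIOUS_IPS is a constructed placeholder
# (TEST-NET-3); replace it with the nine addresses from the Unit 42 threat brief.
GENERIC_HOSTNAMES = {"DESKTOP-GP01", "GP-CLIENT", "WINDOWS-LAPTOP-001"}
SPOOFED_MACS = {"aa:bb:cc:dd:ee:ff"}
SUSPICIOUS_IPS = {"203.0.113.7"}

# Constructed sample events in an assumed key=value layout (not real PAN-OS output).
SAMPLE_LOG = """\
ts=2026-05-17T03:12:44Z stage=gateway-connected auth=cookie user=admin src=203.0.113.7 host=GP-CLIENT mac=aa:bb:cc:dd:ee:ff
ts=2026-05-17T03:13:01Z stage=gateway-connected auth=cookie user=jsmith src=198.51.100.20 host=JSMITH-LT mac=3c:22:fb:01:02:03
ts=2026-05-17T03:14:10Z stage=portal-auth auth=ldap user=admin src=192.0.2.15 host=DESKTOP-GP01 mac=00:11:22:33:44:55
ts=2026-05-17T03:15:22Z stage=gateway-connected auth=cookie user=admin src=192.0.2.99 host=WORKSTATION-7 mac=aa:bb:cc:dd:ee:ff
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Turn one key=value event line into a dict."""
    return dict(KV.findall(line))


def score_event(ev):
    """Return the list of indicator names that this event matches."""
    hits = []
    if ev.get("host") in GENERIC_HOSTNAMES:
        hits.append("generic-hostname")
    if ev.get("mac", "").lower() in SPOOFED_MACS:
        hits.append("spoofed-mac")
    if ev.get("src") in SUSPICIOUS_IPS:
        hits.append("ioc-ip")
    # The observed pattern: cookie-based auth as a local admin reaching gateway-connected.
    if ev.get("stage") == "gateway-connected" and ev.get("auth") == "cookie" and ev.get("user") == "admin":
        hits.append("cookie-auth-admin")
    return hits


def hunt(log_text):
    """Return (ts, user, src, hits) for every event matching at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        hits = score_event(ev)
        if hits:
            findings.append((ev["ts"], ev["user"], ev["src"], hits))
    return findings


if __name__ == "__main__":
    for finding in hunt(SAMPLE_LOG):
        print(*finding)
```

Events that match only "generic-hostname" at the portal stage deserve a look but are weaker signals than a cookie-authenticated admin session that reached gateway-connected from an unfamiliar source.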
Note: After applying the PAN-OS patch, the firewall will regenerate cookies using a more secure method (HMAC-based validation). Users will be required to re-authenticate once after the upgrade, even if they possess a previously valid cookie.
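An added illustration of the kind of integrity check the note describes (HMAC-based validation), written for this article and not PAN-OS code. The cookie fields, layout and key handling are assumed; the point it demonstrates is that a cookie with an altered username, an expired timestamp, or a tag not computed with the server-side secret is rejected before any claim inside it is trusted, which is exactly the step missing in the decrypt-then-trust design.

```python
import base64, hashlib, hmac, json, os, time

# Server-side secret: never part of any certificate, so the TLS handshake exposes nothing
# that helps mint cookies. Constructed for the demo; persist and rotate it in practice.
SERVER_SECRET = os.urandom(32)
COOKIE_LIFETIME = 24 * 3600
TAG_LEN = 32  # SHA-256 HMAC


def _tag(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).digest()


def issue_cookie(secret, user, host_id, now=None):
    """Issue an override cookie bound to user, host ID and expiry (field names assumed)."""
    exp = int((now if now is not None else time.time()) + COOKIE_LIFETIME)
    payload = json.dumps({"user": user, "host": host_id, "exp": exp}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + _tag(secret, payload)).decode()


def validate_cookie(secret, cookie, now=None):
    """Return the claims only when the tag verifies and the cookie is unexpired, else None.
    No field in the payload is read before the tag check succeeds."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if len(tag) != TAG_LEN or not hmac.compare_digest(tag, _tag(secret, payload)):
        return None  # constant-time compare; forged or modified payloads stop here
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if claims.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return claims


def retag_user(cookie, new_user):
    """Re-encode a valid cookie with a different username but the original tag: the kind of
    edit a decrypt-then-trust design accepts, used here only to show the HMAC check rejects it."""
    raw = base64.urlsafe_b64decode(cookie.encode())
    claims = json.loads(raw[:-TAG_LEN])
    claims["user"] = new_user
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload + raw[-TAG_LEN:]).decode()


if __name__ == "__main__":
    good = issue_cookie(SERVER_SECRET, "jsmith", "JSMITH-LT")
    print("valid cookie:", validate_cookie(SERVER_SECRET, good))
    print("username altered:", validate_cookie(SERVER_SECRET, retag_user(good, "admin")))
```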
Lessons for Cloud Security Practitioners
CVE-2026-0257 serves as a stark reminder of several fundamental security principles that are too often overlooked in enterprise environments:
- Cryptographic isolation matters. Sharing certificates across features or services creates implicit trust relationships that attackers can exploit. The principle of least privilege applies to cryptographic material just as it does to user permissions.
- Edge devices are high-value targets. VPN gateways sit at the boundary between the internet and your internal network. An authentication bypass here is functionally equivalent to handing an attacker valid credentials. The urgency of patching edge devices should always be treated as critical, regardless of the initial CVSS score.
- Configuration defaults are not always secure. While authentication override is not enabled by default, it is a commonly deployed convenience feature. Organizations should regularly audit their GlobalProtect configurations against Palo Alto's hardening best practices.
- Monitor your perimeter actively. The fact that Rapid7 detected this exploitation through anomalous VPN authentication patterns (cookie-based auth from suspicious IPs with generic hostnames) underscores the value of behavioral monitoring at the network edge.
Final Thoughts
CVE-2026-0257 is a textbook example of how a missing integrity check, combined with a misconfigured certificate, can turn a convenience feature into a critical gateway bypass. The vulnerability is being actively exploited, a public proof-of-concept exists, and CISA has mandated remediation.
Check GlobalProtect configurations today. Rotate those shared certificates. Apply the patches. And if you have not already, start hunting for the IOCs in your logs.
References
[1] Palo Alto Networks, "CVE-2026-0257 PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities," Security Advisories, May 2026.
[2] CISA, "Known Exploited Vulnerabilities Catalog," May 2026.
[3] Rapid7, "Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)," May 2026.
[4] Unit 42, "Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257," Palo Alto Networks, June 2026.
[5] NVD, "CVE-2026-0257 Detail," NIST, May 2026.
[6] Centre for Cybersecurity Belgium, "Warning: Authentication bypass vulnerability in Palo Alto PAN-OS is actively exploited in the wild," June 2026.