PROBABLYPWNED
Vulnerabilities · May 30, 2026 · 4 min read

Palo Alto GlobalProtect Auth Bypass Under Active Attack — CISA KEV

CVE-2026-0257 lets attackers forge VPN cookies to access internal networks without credentials. CISA adds to KEV after Rapid7 confirms exploitation since May 17. Federal deadline June 19.

Marcus Chen

Attackers are actively exploiting an authentication bypass in Palo Alto Networks GlobalProtect VPN that lets them forge session cookies and gain direct access to internal networks. CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, setting a June 19 remediation deadline for federal agencies.

Rapid7 researchers confirmed exploitation began as early as May 17, with a second attack wave on May 21. Some victims received full VPN IP assignments, giving attackers the same network access as legitimate employees.

How the Attack Works

The vulnerability sits in GlobalProtect's authentication override feature, a convenience mechanism that lets portals issue session cookies so users don't have to re-authenticate each time they connect. The flaw stems from how PAN-OS validates these cookies. It is the second major GlobalProtect flaw this year, following the DoS vulnerability (CVE-2026-0227) patched in January that could crash firewalls remotely.

When authentication override is enabled, GlobalProtect encrypts session tokens with the RSA public key of a configured certificate. The problem: the decryption routine in PAN-OS trusts whatever it decrypts without verifying the content's authenticity. Public-key encryption provides confidentiality, not authentication, so anyone holding the public key can produce a ciphertext that decrypts cleanly, and a public key is by definition not secret. If an organization reuses the same certificate for both HTTPS and authentication override, a common configuration, attackers can read the public key straight out of the TLS handshake and encrypt cookies of their own choosing that the portal will accept as valid.
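The following is an added model of that failure, not PAN-OS code and not its real cookie format: it uses textbook RSA on fixed small primes to stand in for the certificate key, and assumes a cookie layout of "user=<name>;exp=<unix>" (plus an HMAC tag in the hardened variant). It shows the encrypt-only check accepting a cookie forged with nothing but the public key, why a dedicated override certificate whose key the attacker never sees blocks that forgery, and how a server-only secret bound to the payload fixes the design outright.

```python
"""Model of why an encrypt-only session cookie is forgeable (constructed example)."""
import hashlib
import hmac
import time

E = 65537
CHUNK = 7                  # 2**56 is below both moduli, so a 7-byte block is a valid message
FAR_FUTURE = 4102444800    # 2100-01-01; keeps the forged payload deterministic

# Constructed key material: primes for the HTTPS certificate and for a separate,
# never-exposed auth-override certificate (workaround 2 in the article).
TLS_PRIMES = (1000000007, 998244353)
DEDICATED_PRIMES = (2147483647, 998244353)
SERVER_SECRET = b"constructed-server-only-hmac-secret"   # assumed, never in any certificate


def rsa_keygen(p, q):
    """Return (public, private) = ((n, e), (n, d)) for textbook RSA."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def rsa_encrypt(pub, data: bytes) -> str:
    """Encrypt 7-byte blocks with the public key; anyone holding pub can do this."""
    n, e = pub
    blocks = [data[i:i + CHUNK] for i in range(0, len(data), CHUNK)]
    return ".".join(format(pow(int.from_bytes(b, "big"), e, n), "x") for b in blocks)


def rsa_decrypt(priv, cookie: str) -> bytes:
    """Decrypt with the private key (ASCII payloads only: no leading NUL bytes)."""
    n, d = priv
    out = b""
    for h in cookie.split("."):
        m = pow(int(h, 16), d, n)
        out += m.to_bytes((m.bit_length() + 7) // 8, "big")
    return out


def _parse(payload: str) -> dict:
    """Parse "k=v;k=v" into a dict; raise ValueError/KeyError on anything malformed."""
    fields = dict(kv.split("=", 1) for kv in payload.split(";"))
    if int(fields["exp"]) < time.time():
        raise ValueError("expired")
    return fields


def validate_vulnerable(priv, cookie: str):
    """The flawed pattern: whatever decrypts to a well-formed payload is trusted."""
    try:
        return _parse(rsa_decrypt(priv, cookie).decode("ascii"))["user"]
    except (ValueError, KeyError):          # UnicodeDecodeError is a ValueError
        return None


def issue_cookie_hardened(pub, user: str, secret: bytes = SERVER_SECRET) -> str:
    """Bind the payload to a server-only secret before encrypting it."""
    payload = f"user={user};exp={int(time.time()) + 3600}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return rsa_encrypt(pub, payload + b";tag=" + tag.encode())


def validate_hardened(priv, cookie: str, secret: bytes = SERVER_SECRET):
    """Reject any payload whose tag was not produced with the server secret."""
    try:
        plain = rsa_decrypt(priv, cookie).decode("ascii")
        payload, sep, tag = plain.rpartition(";tag=")
        expected = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
        if not sep or not hmac.compare_digest(tag, expected):
            return None
        return _parse(payload)["user"]
    except (ValueError, KeyError):
        return None


def attacker_forge(tls_pub, user: str = "admin") -> str:
    """The attacker knows only the public key served in the TLS handshake."""
    return rsa_encrypt(tls_pub, f"user={user};exp={FAR_FUTURE}".encode())


def demo() -> dict:
    tls_pub, tls_priv = rsa_keygen(*TLS_PRIMES)
    _, dedicated_priv = rsa_keygen(*DEDICATED_PRIMES)
    forged = attacker_forge(tls_pub)
    return {
        # shared cert + encrypt-only check: the forgery lands as the local admin
        "vulnerable_accepts_forgery": validate_vulnerable(tls_priv, forged) == "admin",
        # dedicated override key: the forgery decrypts to junk and fails to parse
        "dedicated_cert_accepts_forgery": validate_vulnerable(dedicated_priv, forged) == "admin",
        # authenticity check: forgery rejected, legitimately issued cookie still works
        "hardened_accepts_forgery": validate_hardened(tls_priv, forged) == "admin",
        "hardened_accepts_legit": validate_hardened(
            tls_priv, issue_cookie_hardened(tls_pub, "alice")) == "alice",
    }


if __name__ == "__main__":
    print(demo())
```

The dedicated-certificate case works only because the attacker never obtains that public key; the HMAC variant works even if every key in the system is public, which is why a fix that checks authenticity is the durable answer and the dedicated certificate is a stopgap.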

Rapid7's technical analysis found attackers targeting the local administrator account specifically, bypassing password authentication entirely.

This follows a troubling pattern we covered earlier this month with CVE-2026-0300, where Palo Alto's captive portal service was exploited for root-level RCE. Network security appliances continue to be high-value targets—they sit at trust boundaries, and a single flaw often means complete perimeter compromise.

Exploitation Timeline

Palo Alto disclosed the vulnerability on May 13 with patches available. Exploitation didn't wait:

  • May 17: First confirmed attack, originating from Vultr hosting infrastructure (IP: 104.207.144.154)
  • May 21: Second wave from Dromatics Systems (IPs: 146.19.216.119, 146.19.216.120, 146.19.216.125)
  • May 29: CISA adds to KEV catalog after confirming active exploitation

Rapid7 observed a distinctive pattern across both waves: attackers used the spoofed MAC address aa:bb:cc:dd:ee:ff and machine names like "GP-CLIENT" (Linux) and "DESKTOP-GP01" (Windows). Of the ten impacted customers Rapid7 investigated, two received full VPN sessions with internal IP assignments—the others saw authentication probes without complete session establishment.

The four-day gap between patch availability and first exploitation is a narrow window. Organizations that delayed patching are now playing catch-up against active threats.

Who's Affected

The vulnerability impacts GlobalProtect deployments where:

  1. Authentication override cookies are enabled (non-default but common)
  2. The same certificate serves both HTTPS and authentication override
  3. Cloud Authentication Service (CAS) is disabled

Affected PAN-OS versions span multiple branches. Key fixed releases include:

Branch         Fixed versions
PAN-OS 12.1    12.1.4-h6, 12.1.7+
PAN-OS 11.2    11.2.4-h17, 11.2.7-h14, 11.2.10-h7, 11.2.12+
PAN-OS 11.1    11.1.4-h33, 11.1.6-h32, 11.1.15+
PAN-OS 10.2    10.2.7-h34, 10.2.18-h6+

Prisma Access environments running PAN-OS 10.2 or 11.2 also require patching.

Detection and Response

Security teams should hunt for signs of compromise immediately. Rapid7 identified several indicators:

Authentication logs: Look for entries showing "Cookie" as the authentication method to the local admin account from unexpected IP ranges. Legitimate cookie authentication typically follows successful password authentication from the same source.

VPN session anomalies: Check for VPN connections from hosting provider IP ranges (Vultr, Dromatics Systems) or sessions with MAC addresses matching aa:bb:cc:dd:ee:ff.

Timing patterns: The two attack waves suggest organized activity. Review logs from May 17 and May 21 onward for unusual authentication patterns.

Mitigation Options

Organizations that can't patch immediately should implement one of these workarounds:

  1. Disable authentication override — Remove the feature entirely if your environment can tolerate users re-authenticating each session. This eliminates the attack vector.

  2. Use a dedicated certificate — Generate a certificate exclusively for authentication override that isn't shared with the HTTPS service. Attackers can't forge cookies if they can't obtain the encryption key. Note that this only works for as long as that certificate's public key stays out of an attacker's hands, and public keys are not designed to be kept secret; treat it as a stopgap until the patch is applied.

  3. Restrict portal access — Limit which networks can reach GlobalProtect interfaces while waiting for maintenance windows.

Palo Alto notes that after patching, all users will need to re-authenticate, since the fix invalidates existing session cookies.

Why This Matters

VPN appliances remain prime targets because they solve a hard problem for attackers: getting inside the network perimeter. A working authentication bypass turns the security gateway into a front door. This vulnerability adds to a string of VPN security issues we've covered this year, reinforcing that these devices need the same patching urgency as internet-facing web applications.

The fact that Rapid7 saw internal IP assignments granted to attackers means some organizations are already compromised. If you're running GlobalProtect with authentication override enabled, assume you're a target and respond accordingly.
