Palo Alto GlobalProtect VPN Flaw Actively Exploited in the Wild
Palo Alto Networks Unit 42 has confirmed active exploitation of CVE-2026-0257, a critical authentication bypass vulnerability affecting the GlobalProtect portal and gateway components of PAN-OS.
The flaw enables remote, unauthenticated attackers to forge authentication override cookies and establish unauthorized VPN connections without ever supplying valid credentials.
Originally assigned a CVSSv4 score of 4.7 (medium), the vulnerability was re-rated to 7.8 (high) on May 29, 2026, following confirmed in-the-wild exploitation.
The same day, CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog, signaling an elevated threat to enterprise environments.
The root cause lies in PAN-OS’s authentication override feature, which issues encrypted cookies to authenticated GlobalProtect users for seamless re-authentication, functioning similarly to a bearer token.
When the certificate used to encrypt and decrypt these cookies is the same as the one serving the GlobalProtect HTTPS portal or gateway, an attacker can extract the public key directly from the TLS handshake and forge a valid authentication cookie without ever authenticating.
Internally, the main_DecryptAppAuthCookie function in PAN-OS decrypts the incoming cookie but performs no signature verification, meaning any correctly encrypted cookie is implicitly trusted by the appliance.
Rapid7 Labs validated this through a working proof-of-concept, published on GitHub as forge_cookie.py.
The script iterates over the certificates in the HTTPS chain, forges an authentication cookie with each public key, and tests the results against the target gateway, requiring no prior access or credentials.
Rapid7 MDR first observed active exploitation on May 17, 2026, with a second wave on May 21, 2026. Both waves involved cookie-based authentication to local admin accounts originating from Vultr and Dromatics Systems, two low-cost hosting providers.
A consistently spoofed MAC address of aa:bb:cc:dd:ee:ff across both waves strongly suggests a single unidentified threat actor is behind the campaign.
Unit 42 researchers noted that only a fraction of probed devices established full VPN tunnels: approximately 2 out of 10 affected MDR customers saw complete session establishment, confirmed via POST requests to /ssl-vpn/hipreport.esp and /ssl-vpn/getconfig.esp. No lateral movement has been observed to date, though active monitoring continues.
Affected Versions
The vulnerability impacts multiple PAN-OS branches:
- PAN-OS versions prior to 12.1.4-h6, 11.2.4-h17, 11.1.4-h33, and 10.2.7-h34
- Prisma Access versions below 11.2.7-h13 and 10.2.10-h36
Exploitation is only possible when the authentication override feature is enabled and the override certificate is shared with the HTTPS service, a misconfiguration that violates Palo Alto’s own hardening guidance.
Organizations should immediately apply the vendor-supplied patches as outlined in the official security advisory. As an interim measure, administrators should either disable the authentication override feature entirely or generate a dedicated certificate used exclusively for cookie encryption, kept separate from the HTTPS service certificate.
Indicators of Compromise (IOCs)
| Indicator | Type | Description |
|---|---|---|
| 23.128.228[.]6 | IP Address | Threat actor source IP (pre-PoC) |
| 104.207.144[.]154 | IP Address | Threat actor source IP; Vultr hosting |
| 146.19.216[.]119 | IP Address | Threat actor source IP (pre-PoC) |
| 146.19.216[.]120 | IP Address | Threat actor source IP (pre-PoC) |
| 146.19.216[.]125 | IP Address | Threat actor source IP; Dromatics Systems |
| 179.43.172[.]213 | IP Address | Threat actor source IP (pre-PoC) |
| 185.195.232[.]139 | IP Address | Threat actor source IP (pre-PoC) |
| 198.12.106[.]60 | IP Address | Threat actor source IP (pre-PoC) |
| 202.144.192[.]47 | IP Address | Threat actor source IP (pre-PoC) |
| 209.99.191[.]137 | IP Address | Threat actor source IP (Rapid7) |
| 79.130.26[.]202 | IP Address | Threat actor source IP (Rapid7) |
| aa:bb:cc:dd:ee:ff | MAC Address | Spoofed MAC; observed across both exploitation waves |
| 00:11:22:33:44:55 | MAC Address | Spoofed MAC address |
| WINDOWS-LAPTOP-001 | Hostname | Suspicious host ID in GlobalProtect logs |
| DESKTOP-GP01 | Hostname | Observed with Windows authentications (May 21, 2026) |
| GP-CLIENT | Hostname | Observed with Linux authentications (May 17, 2026) |
| Jocker | Hostname | Observed alongside IP 79.130.26[.]202 |
| Microsoft Windows 10 Pro 64-bit | OS String | Hard-coded PoC client OS value in post-PoC exploitation |
| (empty) | Domain Field | Hard-coded empty domain value in PoC client config |
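As an added example (not code from the article, Unit 42 or Rapid7), the following hunt correlates the indicators above over constructed, GlobalProtect-style log lines: it flags auth-override (cookie) logins that match a known source IP, spoofed MAC, suspicious hostname or the hard-coded PoC client fingerprint, and marks whether the same source then hit the SSL-VPN config/HIP endpoints that the article used to confirm a full session. The key=value layout and the `auth=auth-cookie` field are assumptions; real GlobalProtect log fields must be mapped onto them.

```python
import re
from collections import defaultdict

# Indicators from the article's IOC table; the IPs are the two tied to the waves.
IOC_IPS = {"104.207.144.154", "146.19.216.125"}
SPOOFED_MACS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
SUSPICIOUS_HOSTS = {"WINDOWS-LAPTOP-001", "DESKTOP-GP01", "GP-CLIENT", "Jocker"}
POC_OS = "Microsoft Windows 10 Pro 64-bit"
TUNNEL_PATHS = {"/ssl-vpn/hipreport.esp", "/ssl-vpn/getconfig.esp"}

# Constructed sample in a hypothetical key=value layout (not real PAN-OS output).
SAMPLE_LOG = """\
src=104.207.144.154 user=admin auth=auth-cookie mac=aa:bb:cc:dd:ee:ff host=DESKTOP-GP01 os="Microsoft Windows 10 Pro 64-bit" domain=""
src=104.207.144.154 method=POST path=/ssl-vpn/getconfig.esp
src=10.1.2.3 user=jdoe auth=ldap mac=3c:22:fb:12:34:56 host=JDOE-LT os="Windows 11" domain="CORP"
src=203.0.113.9 user=admin auth=auth-cookie mac=d4:5d:64:aa:bb:cc host=GP-CLIENT os="Ubuntu" domain="CORP"
"""
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse(line):
    """Split one key=value line into a dict, unquoting quoted values."""
    out = {}
    for m in _KV.finditer(line):
        out[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return out

def reasons(ev):
    """Indicators that a cookie-based login matches the reported campaign."""
    why = []
    if ev.get("src") in IOC_IPS:
        why.append("known source IP")
    if ev.get("mac", "").lower() in SPOOFED_MACS:
        why.append("spoofed MAC")
    if ev.get("host") in SUSPICIOUS_HOSTS:
        why.append("suspicious hostname")
    if ev.get("os") == POC_OS and ev.get("domain") == "":
        why.append("PoC client fingerprint")
    return why

def hunt(log):
    """Map source IP -> {"reasons": [...], "tunnel": bool} for flagged auth-cookie
    logins; 'tunnel' is set by a later POST to the SSL-VPN config/HIP endpoints."""
    findings = defaultdict(lambda: {"reasons": [], "tunnel": False})
    for line in log.splitlines():
        ev = parse(line)
        src = ev.get("src")
        if ev.get("auth") == "auth-cookie" and (why := reasons(ev)):
            findings[src]["reasons"].extend(why)
        elif src in findings and ev.get("method") == "POST" and ev.get("path") in TUNNEL_PATHS:
            findings[src]["tunnel"] = True
    return dict(findings)
```

A source that is flagged and also reaches the tunnel endpoints corresponds to the "complete session establishment" cases the article describes, whereas a flagged login without the follow-up POST matches the bare probes.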