PAN-OS Authentication Bypass Attacks Hit GlobalProtect VPNs
Cybersecurity researchers have confirmed active exploitation of the PAN-OS authentication bypass vulnerability, tracked as CVE-2026-0257, targeting internet-facing GlobalProtect VPN appliances.
The flaw affects Palo Alto Networks PAN-OS and Prisma Access deployments when specific authentication override settings are enabled. Although the vulnerability received a medium severity score initially, security experts now warn organizations to treat it as critical because attackers can gain unauthorized VPN access without valid credentials.
Researchers observed the earliest exploitation attempts on May 17, 2026. Shortly afterward, multiple organizations reported suspicious VPN logins linked to the same attacker infrastructure.
Attackers Exploit Forged VPN Cookies
The PAN-OS authentication bypass issue centers around GlobalProtect authentication override cookies. These cookies normally allow users to stay authenticated without repeatedly entering credentials.
However, attackers discovered they could forge those cookies under certain certificate configurations.
Investigators found that affected systems reused the same certificate for both the HTTPS service and cookie encryption. Because a server presents that certificate, public key included, to every TLS client, an attacker could retrieve the key remotely and encrypt fake authentication cookies that vulnerable devices then accepted.
Once the forged cookie was submitted, the VPN gateway treated the attacker as an authenticated user.
Security teams also identified repeated login attempts originating from cloud hosting providers, including Vultr and Dromatics Systems. Meanwhile, some compromised systems assigned attackers internal VPN addresses, potentially exposing enterprise networks to further intrusion activity.
Technical Details Behind CVE-2026-0257
The vulnerability exists because PAN-OS trusts decrypted authentication cookies without validating their integrity or origin. Public-key encryption provides confidentiality, not authenticity: a cookie that decrypts cleanly proves only that whoever built it had the public key, and in the affected configuration that key is not a secret.
Researchers analyzing the GlobalProtect service found that the appliance decrypts incoming cookies and immediately accepts the embedded user information. Consequently, anyone with the public key can generate malicious cookies that are indistinguishable from legitimate ones.
Attackers reportedly forged cookies for administrative accounts and successfully authenticated through GlobalProtect gateways.
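The cookie mechanism described in the two sections above, as an added Go example that is not part of the article and not Palo Alto Networks code: a toy gateway whose RSA key pair stands in for the certificate shared between HTTPS and cookie encryption. The vulnerable path decrypts a cookie and trusts the user inside it, so an attacker holding nothing but the public key forges an administrative cookie that it accepts. The hardened path is my illustration rather than the vendor's actual fix, which the article does not describe: it tags the payload with an HMAC under a secret that only the gateway holds and verifies that tag before trusting anything. The payload field names, the OAEP label and the account name "admin" are assumptions made for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// CookiePayload is the identity the gateway embeds in an authentication override
// cookie. The field names are an assumption for this example.
type CookiePayload struct {
	User   string `json:"user"`
	Domain string `json:"domain"`
}

// Gateway holds the RSA key pair behind the HTTPS certificate (its public half is
// shown to every TLS client) and, for the hardened design, a secret that never
// leaves the appliance.
type Gateway struct {
	key       *rsa.PrivateKey
	macSecret []byte
}

// oaepLabel binds the ciphertext to this use; it adds no authenticity.
var oaepLabel = []byte("auth-override-cookie")

func NewGateway() (*Gateway, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	secret := make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		return nil, err
	}
	return &Gateway{key: key, macSecret: secret}, nil
}

// PublicKey is exactly what an attacker learns from the TLS handshake when one
// certificate backs both the HTTPS service and cookie encryption.
func (g *Gateway) PublicKey() *rsa.PublicKey { return &g.key.PublicKey }

// EncryptCookie builds a cookie the vulnerable design accepts. It needs only the
// public key, so the gateway and an attacker produce indistinguishable cookies.
func EncryptCookie(pub *rsa.PublicKey, p CookiePayload) ([]byte, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, oaepLabel)
}

func decode(plain []byte) (CookiePayload, error) {
	var p CookiePayload
	err := json.Unmarshal(plain, &p)
	return p, err
}

// VulnerableAccept mirrors the flaw: decrypt, then trust whatever user is inside.
// A successful decryption proves only that the sender had the public key.
func (g *Gateway) VulnerableAccept(cookie []byte) (CookiePayload, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, g.key, cookie, oaepLabel)
	if err != nil {
		return CookiePayload{}, err
	}
	return decode(plain)
}

// IssueHardenedCookie is a gateway-only operation: the payload is tagged with an
// HMAC under macSecret before encryption, so the public key alone is no longer enough.
func (g *Gateway) IssueHardenedCookie(p CookiePayload) ([]byte, error) {
	plain, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, g.macSecret)
	mac.Write(plain)
	tagged := append(mac.Sum(nil), plain...) // 32-byte tag || payload
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &g.key.PublicKey, tagged, oaepLabel)
}

// HardenedAccept verifies the tag before believing anything in the payload.
func (g *Gateway) HardenedAccept(cookie []byte) (CookiePayload, error) {
	tagged, err := rsa.DecryptOAEP(sha256.New(), nil, g.key, cookie, oaepLabel)
	if err != nil {
		return CookiePayload{}, err
	}
	if len(tagged) <= sha256.Size {
		return CookiePayload{}, errors.New("cookie too short to carry a tag")
	}
	tag, plain := tagged[:sha256.Size], tagged[sha256.Size:]
	mac := hmac.New(sha256.New, g.macSecret)
	mac.Write(plain)
	if !hmac.Equal(tag, mac.Sum(nil)) {
		return CookiePayload{}, errors.New("cookie integrity check failed")
	}
	return decode(plain)
}

func main() {
	gw, err := NewGateway()
	if err != nil {
		panic(err)
	}
	// Attacker side: public key only, forging an administrative identity.
	forged, err := EncryptCookie(gw.PublicKey(), CookiePayload{User: "admin", Domain: "corp"})
	if err != nil {
		panic(err)
	}
	if p, err := gw.VulnerableAccept(forged); err == nil {
		fmt.Printf("vulnerable design: logged in as %s@%s with a forged cookie\n", p.User, p.Domain)
	}
	if _, err := gw.HardenedAccept(forged); err != nil {
		fmt.Println("hardened design rejected the forgery:", err)
	}
}
```

The design point is that a dedicated certificate, as the article recommends, removes the exposure only for as long as that certificate's public key is never served to clients; a public key is not a secret by design. An integrity tag (or signature) under material that exists only on the gateway makes acceptance depend on something the attacker cannot obtain from the wire, so it holds even if the cookie key is later exposed.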
Additionally, investigators noted repeated use of spoofed MAC addresses and generic hostnames during exploitation attempts. These indicators suggest coordinated scanning and automated exploitation activity.
Organizations Urged to Patch Immediately
The flaw has now been added to the Cybersecurity and Infrastructure Security Agency’s Known Exploited Vulnerabilities catalog, increasing urgency for remediation efforts.
Affected PAN-OS versions include multiple releases across the 10.2, 11.1, 11.2, and 12.1 branches. Prisma Access deployments are also impacted under vulnerable configurations.
Security teams are strongly advised to:
- Apply vendor-issued security patches immediately
- Disable authentication override if unnecessary
- Use dedicated certificates exclusively for authentication cookies
- Monitor VPN logs for suspicious cookie-based logins
- Investigate connections tied to unusual hostnames or spoofed MAC addresses
Known indicators linked to exploitation activity include the IP addresses:
- 104.207.144.154
- 146.19.216.119
- 146.19.216.120
- 146.19.216.125
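The log triage the recommendations above call for, as an added Go example that is not part of the article and not Palo Alto Networks tooling. It parses a batch of gateway login records, scores each one against the indicators the article names (the four published IPs, cookie-based logins, a privileged account authenticated by cookie alone, generic hostnames, one MAC address arriving from several source IPs) and reports any record that crosses a threshold, noting when the client was handed an internal VPN address. The comma-separated line layout, the field set, the list of generic hostnames, the account name "admin" and the weights are all assumptions made for the example, and the sample log lines are constructed; map the parser onto whatever columns your GlobalProtect log export actually carries.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Indicator IPs published with the article.
var iocIPs = map[string]bool{
	"104.207.144.154": true, "146.19.216.119": true,
	"146.19.216.120": true, "146.19.216.125": true,
}

// Default-looking client names worth a second look (assumption for the example).
var genericHostnames = map[string]bool{
	"localhost": true, "win-pc": true, "desktop": true, "pc": true, "user-pc": true,
}

// Login is one gateway login event. The field set is an assumption for this
// example; map it from the columns your log export actually carries.
type Login struct {
	Time, User, SrcIP, Hostname, MAC, AuthMethod, AssignedIP string
}

// ParseLine parses one constructed, comma-separated record:
// time,user,src_ip,hostname,mac,auth_method,assigned_vpn_ip ("-" when none).
func ParseLine(line string) (Login, error) {
	f := strings.Split(strings.TrimSpace(line), ",")
	if len(f) != 7 {
		return Login{}, fmt.Errorf("expected 7 fields, got %d: %q", len(f), line)
	}
	if net.ParseIP(f[2]) == nil {
		return Login{}, fmt.Errorf("bad source IP %q", f[2])
	}
	if _, err := net.ParseMAC(f[4]); err != nil {
		return Login{}, fmt.Errorf("bad MAC %q: %w", f[4], err)
	}
	return Login{f[0], f[1], f[2], f[3], strings.ToLower(f[4]), f[5], f[6]}, nil
}

// ParseLog parses every non-empty line, failing on the first malformed one.
func ParseLog(text string) ([]Login, error) {
	var out []Login
	for _, line := range strings.Split(text, "\n") {
		if strings.TrimSpace(line) == "" {
			continue
		}
		l, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		out = append(out, l)
	}
	return out, nil
}

// Finding is a login that crossed the alert threshold, with its score and reasons.
type Finding struct {
	Login   Login
	Score   int
	Reasons []string
}

// Triage scores every login in a batch and returns those scoring at least threshold.
// The MAC-reuse rule needs the whole batch: one MAC arriving from several source IPs
// is the spoofed-MAC pattern the article describes.
func Triage(logins []Login, threshold int) []Finding {
	macSources := map[string]map[string]bool{}
	for _, l := range logins {
		if macSources[l.MAC] == nil {
			macSources[l.MAC] = map[string]bool{}
		}
		macSources[l.MAC][l.SrcIP] = true
	}
	var out []Finding
	for _, l := range logins {
		f := Finding{Login: l}
		add := func(points int, why string) { f.Score += points; f.Reasons = append(f.Reasons, why) }
		cookie := strings.Contains(strings.ToLower(l.AuthMethod), "cookie")
		if iocIPs[l.SrcIP] {
			add(3, "source IP in published IOC list")
		}
		if cookie {
			add(1, "cookie-based (authentication override) login")
		}
		if cookie && strings.EqualFold(l.User, "admin") { // "admin" as the privileged account is an assumption
			add(2, "privileged account authenticated by cookie alone")
		}
		if genericHostnames[strings.ToLower(l.Hostname)] {
			add(1, "generic client hostname")
		}
		if n := len(macSources[l.MAC]); n > 1 {
			add(2, fmt.Sprintf("MAC %s seen from %d different source IPs", l.MAC, n))
		}
		if f.Score >= threshold {
			if l.AssignedIP != "" && l.AssignedIP != "-" {
				f.Reasons = append(f.Reasons, "client received internal VPN address "+l.AssignedIP+"; check for follow-on activity")
			}
			out = append(out, f)
		}
	}
	return out
}

// sampleLog is constructed for the example; it is not real gateway output.
const sampleLog = `2026-05-17T08:12:44Z,jdoe,203.0.113.45,JDOE-LAPTOP,3c:a9:f4:12:aa:01,password+mfa,10.50.0.21
2026-05-17T08:13:02Z,admin,146.19.216.119,WIN-PC,00:0c:29:4e:aa:bb,auth-override-cookie,10.50.0.22
2026-05-17T08:13:40Z,admin,104.207.144.154,WIN-PC,00:0c:29:4e:aa:bb,auth-override-cookie,10.50.0.23
2026-05-17T09:02:11Z,asmith,198.51.100.7,ASMITH-MBP,a4:83:e7:9c:01:02,auth-override-cookie,10.50.0.24`

func main() {
	logins, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	for _, f := range Triage(logins, 2) {
		fmt.Printf("%s user=%s src=%s score=%d\n", f.Login.Time, f.Login.User, f.Login.SrcIP, f.Score)
		for _, r := range f.Reasons {
			fmt.Println("   -", r)
		}
	}
}
```

With the constructed sample, the two "admin" logins from the published IPs are reported and the ordinary cookie login from asmith is not, because a cookie login on its own scores below the threshold; raise or lower the threshold to suit how common authentication override is in your environment.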
Growing Risk to Enterprise VPN Infrastructure
The PAN-OS authentication bypass campaign highlights the growing focus on edge network devices by threat actors. VPN gateways remain attractive targets because they provide direct access into enterprise environments.
Although researchers have not yet confirmed widespread lateral movement after compromise, the ability to bypass authentication on perimeter systems significantly raises the risk of ransomware deployment, espionage, and network persistence.
Organizations using GlobalProtect should urgently review configurations and patch vulnerable systems before attackers expand exploitation further.