CVE-2026-0257: PAN-OS GlobalProtect Authentication Bypass Under Active Exploitation (CISA KEV)

Summary:

CVE-2026-0257 is an actively exploited authentication bypass vulnerability affecting PAN-OS GlobalProtect. The flaw allows remote, unauthenticated attackers to forge authentication override cookies and gain unauthorized VPN access to targeted environments.

Exploitation is only possible when authentication override cookies are enabled and the authentication override certificate is shared with another feature, such as the HTTPS service running on the same GlobalProtect portal or gateway. Under these conditions, attackers can forge valid authentication cookies and establish VPN sessions without requiring usernames, passwords, multi-factor authentication, or client certificates.

The vulnerability has been added to CISA’s Known Exploited Vulnerabilities (KEV) Catalog, with remediation mandated for U.S. federal agencies by June 19, 2026. Organizations, particularly across the UAE and broader MENA region, should immediately review their GlobalProtect configurations and apply the latest Palo Alto Networks security updates to mitigate exposure.

Technical Description:

CVE-2026-0257 resides within the authentication override functionality of PAN-OS GlobalProtect. This optional feature allows authenticated users to receive session cookies that function similarly to bearer tokens, reducing the need for repeated authentication during future VPN connections.

The vulnerability becomes exploitable when the certificate used to encrypt and decrypt authentication override cookies is reused by another feature on the same appliance, such as the GlobalProtect portal or gateway HTTPS service. Because the HTTPS certificate is publicly accessible, attackers can obtain the certificate and use it to generate forged authentication override cookies that are cryptographically accepted by the GlobalProtect gateway.

Once the forged cookie is presented, the gateway validates the cookie and establishes an authenticated VPN session without requiring usernames, passwords, multi-factor authentication, or client certificate verification.

Rapid7 MDR confirmed the exploitation mechanism through analysis of Palo Alto technical support files collected from impacted organizations. In all confirmed cases, Cloud Authentication Service (CAS) was disabled while authentication override cookies remained enabled on the GlobalProtect deployment. Rapid7 Labs subsequently validated a working proof-of-concept demonstrating successful exploitation.

Observed attacks resulted in VPN IP address assignment to unauthorized users, providing direct access to internal enterprise networks. A second exploitation wave observed on May 21, 2026, originated from infrastructure associated with Dromatics Systems. Consistent MAC address observations across multiple campaigns led Rapid7 to assess that both waves originated from the same threat actor.

Advanced adversaries have also been observed chaining CVE-2026-0257 with CVE-2026-0300, a PAN-OS root remote code execution vulnerability, allowing escalation from unauthorized VPN access to complete firewall compromise.

The full exploitation chain is detailed below.

CVE: CVE-2026-0257
CVSS: 7.8
Vulnerability Type: Authentication Bypass (CWE-287) – Forged authentication override cookie accepted by GlobalProtect gateway.
Affected Product: PAN-OS with GlobalProtect (portal/gateway) using authentication override cookies and a shared override certificate; also affects Prisma Access.
Patch Version: Apply PAN-OS security update per advisory PAN-SA-2026-0012. Interim: disable authentication override or use a dedicated certificate exclusively for authentication override.

Exploitation Demonstration:

  • The attacker identifies a GlobalProtect deployment with authentication override cookies enabled. The attacker retrieves the publicly accessible certificate used by the portal or gateway HTTPS service without requiring authentication.
  • Because the authentication override certificate is shared with the HTTPS service, the attacker uses the obtained certificate to generate a forged authentication override cookie that will be accepted by the GlobalProtect gateway.
  • The forged cookie is presented during VPN authentication. The gateway validates the cookie and establishes a fully authenticated VPN session without requiring usernames, passwords, multi-factor authentication, or client certificates. The attacker receives a valid VPN IP address and gains internal network access.
  • Once connected, the attacker conducts reconnaissance, accesses internal resources, harvests credentials, and performs lateral movement across the environment. Rapid7 confirmed VPN IP assignment and internal network access across all observed exploitation cases.
  • Sophisticated threat actors have been observed chaining CVE-2026-0257 with CVE-2026-0300, enabling escalation from unauthorized VPN access to root-level remote code execution on the PAN-OS appliance, resulting in complete firewall compromise.

Ease of Exploitation:

CVE-2026-0257 carries a CVSS score of 7.8 and has been actively exploited since at least May 17, 2026.

Rapid7 confirmed exploitation across multiple customer environments, while Palo Alto Networks acknowledged active attacks affecting at least two organizations. Rapid7 Labs successfully validated a working proof-of-concept demonstrating the full exploitation process.

The vulnerability requires a specific non-default configuration; however, organizations that have enabled authentication override and reused certificates across services are immediately vulnerable. Because exploitation requires no credentials and can be performed remotely, the operational complexity is relatively low once the vulnerable configuration is identified.
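The vulnerable configuration described above (authentication override cookies enabled and the cookie certificate also serving an HTTPS listener) can be checked mechanically from an exported PAN-OS XML configuration. The following Python script is an added example written for this advisory, not Palo Alto Networks or Rapid7 code. The element names it looks for (`authentication-override`, `generate-cookie`, `accept-cookie`, `cookie-encrypt-decrypt-cert`, and `ssl-tls-service-profile` entries with a `certificate` child) follow the PAN-OS configuration export layout as the author of the example understands it and are assumptions to verify against a real `show config` export; the embedded configuration is constructed for the demonstration.

```python
"""Audit a PAN-OS XML configuration for the CVE-2026-0257 precondition:
authentication override cookies in use AND the cookie encrypt/decrypt
certificate reused by an SSL/TLS service profile (i.e. the HTTPS service).

Added example for this advisory. Element names are ASSUMED to follow the
PAN-OS config export layout; verify them against your own export.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the portal reuses its HTTPS certificate for cookies
# (vulnerable); the gateway uses a certificate dedicated to cookies.
SAMPLE_CONFIG = """<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="gp-portal-tls"><certificate>gp-public-cert</certificate></entry>
      <entry name="mgmt-tls"><certificate>mgmt-cert</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <global-protect>
      <global-protect-portal><entry name="GP-Portal">
        <portal-config>
          <ssl-tls-service-profile>gp-portal-tls</ssl-tls-service-profile>
        </portal-config>
        <client-config><configs><entry name="default">
          <authentication-override>
            <generate-cookie>yes</generate-cookie>
            <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
            <cookie-encrypt-decrypt-cert>gp-public-cert</cookie-encrypt-decrypt-cert>
          </authentication-override>
        </entry></configs></client-config>
      </entry></global-protect-portal>
      <global-protect-gateway><entry name="GP-Gateway">
        <remote-user-tunnel-configs><entry name="default">
          <authentication-override>
            <generate-cookie>yes</generate-cookie>
            <accept-cookie/>
            <cookie-encrypt-decrypt-cert>gp-cookie-only-cert</cookie-encrypt-decrypt-cert>
          </authentication-override>
        </entry></remote-user-tunnel-configs>
      </entry></global-protect-gateway>
    </global-protect>
  </entry></vsys></entry></devices>
</config>
"""

OWNER_TAGS = ("global-protect-portal", "global-protect-gateway")


def tls_profile_certs(root):
    """Map SSL/TLS service profile name -> certificate it serves."""
    certs = {}
    for container in root.iter("ssl-tls-service-profile"):
        for entry in container.findall("entry"):  # leaf references have no entries
            cert = entry.findtext("certificate")
            if cert:
                certs[entry.get("name")] = cert.strip()
    return certs


def owner_of(elem, parents):
    """Name the portal/gateway entry containing elem, e.g. 'global-protect-portal/GP-Portal'."""
    node = elem
    while node in parents:
        parent = parents[node]
        if parent.tag in OWNER_TAGS:
            return f"{parent.tag}/{node.get('name')}"
        node = parent
    return "unknown"


def audit(config_xml):
    """One finding per authentication-override block that issues or accepts cookies."""
    root = ET.fromstring(config_xml)
    parents = {child: parent for parent in root.iter() for child in parent}
    tls_certs = tls_profile_certs(root)
    findings = []
    for override in root.iter("authentication-override"):
        generates = (override.findtext("generate-cookie") or "no").strip().lower() == "yes"
        accepts = override.find("accept-cookie") is not None
        cert = (override.findtext("cookie-encrypt-decrypt-cert") or "").strip()
        if not (generates or accepts) or not cert:
            continue  # override not in use for this portal/gateway config
        shared_with = sorted(p for p, c in tls_certs.items() if c == cert)
        findings.append({
            "owner": owner_of(override, parents),
            "cookie_cert": cert,
            "shared_with_tls_profiles": shared_with,
            "vulnerable": bool(shared_with),  # same cert also serves HTTPS
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        state = "VULNERABLE (shared certificate)" if f["vulnerable"] else "override enabled, dedicated certificate"
        print(f"{f['owner']}: cert={f['cookie_cert']} -> {state} {f['shared_with_tls_profiles']}")
```

Run it against a saved export (replace `SAMPLE_CONFIG` with the file contents) and treat every finding marked vulnerable as meeting the advisory's two conditions; a finding with a dedicated certificate still shows that override cookies are enabled, which the interim mitigation of disabling the feature would remove entirely.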

The addition of CVE-2026-0257 to the CISA KEV Catalog and attribution of the campaign to a sophisticated state-sponsored threat actor by Unit 42 further underscores the urgency of remediation.

Conclusion:

CVE-2026-0257 represents one of the most significant threats currently affecting enterprise remote access infrastructure. Unlike vulnerabilities that target isolated systems, exploitation of this flaw directly compromises a trusted VPN service located at the network perimeter.

Successful exploitation allows attackers to bypass GlobalProtect authentication controls entirely and obtain network access equivalent to that of a legitimate employee. This eliminates a critical layer of enterprise security and provides direct entry into internal environments.

The vulnerability is currently being exploited in active campaigns linked to a state-attributed threat actor. Organizations that have enabled authentication override and reused certificates for operational convenience should consider themselves at elevated risk and immediately assess their exposure.

Affected organizations should prioritize patch deployment, implement interim mitigations where required, and conduct compromise assessments to determine whether unauthorized VPN access has already occurred.

Impact:

Successful exploitation of CVE-2026-0257 enables attackers to establish unauthorized VPN sessions and gain authenticated access to internal enterprise networks.

Once inside the environment, attackers can perform network reconnaissance, access internal applications and file shares, harvest credentials, move laterally between systems, deploy malware, and potentially launch ransomware attacks. The resulting compromise effectively bypasses traditional perimeter security controls and places attackers inside trusted network boundaries.

In advanced attack scenarios, CVE-2026-0257 can be chained with CVE-2026-0300 to achieve root-level code execution on the PAN-OS firewall itself. This provides attackers with the highest level of privilege within the network architecture and may enable manipulation of firewall policies, monitoring controls, routing configurations, and security services.

For organizations operating in the UAE and broader MENA region, confirmed exploitation may trigger mandatory incident notification requirements under UAE NCA ECC frameworks, UAE Personal Data Protection Law (PDPL) obligations where personal information is accessible, and NESA notification requirements for critical infrastructure operators. The operational, financial, regulatory, and reputational consequences of compromise may therefore be substantial.

IOC and Context Details:

Tactic Name: Initial Access, Lateral Movement, Credential Access, Persistence, Defence Evasion, Impact
Technique Name: Forged Authentication Override Cookie via Shared Certificate, Unauthenticated GlobalProtect VPN Session Establishment, Internal Network Reconnaissance via Authenticated VPN, Credential Harvesting and Lateral Movement, Chained CVE-2026-0300 Root RCE for Full Firewall Takeover
Sub Technique Name: Obtain public certificate from HTTPS service → Forge authentication override cookie → Present to GlobalProtect gateway → Gateway validates forged cookie → VPN IP assigned → Internal network access granted → Reconnaissance and lateral movement → Optional CVE-2026-0300 chain for root RCE on PAN-OS firewall
Attack Type: Vulnerability
Targeted Applications: Palo Alto Networks PAN-OS (all supported versions) with GlobalProtect portal or gateway configured, authentication override feature enabled, and override certificate shared with another feature (HTTPS service). Also affects Prisma Access in the same configuration.
Region Impacted: Global
Industry Impacted: Critical Infrastructure, Financial Services, Government, Telecommunications, Enterprise (any organisation running PAN-OS GlobalProtect VPN)
IOCs: N/A
CVE: CVE-2026-0257

Recommended Actions:

  • Apply the latest PAN-OS security updates referenced in Palo Alto Networks advisory PAN-SA-2026-0012 immediately. This remains the only complete remediation for CVE-2026-0257.
  • If immediate patching is not possible, implement one of Palo Alto Networks’ official interim mitigations: either disable authentication override entirely or deploy a dedicated certificate used exclusively for authentication override and not shared with any other service.
  • Audit all PAN-OS firewalls and GlobalProtect deployments to determine whether authentication override cookies are enabled and whether certificates are shared across multiple features. Any deployment meeting both conditions should be considered vulnerable.
  • Conduct a compromise assessment across all GlobalProtect environments. Review authentication logs for cookie-based VPN sessions originating from unfamiliar IP addresses or MAC addresses since May 17, 2026. Any suspicious activity should be treated as a potential compromise.
  • Integrate PAN-OS and GlobalProtect logs into centralized SIEM platforms and create alerts for cookie-based authentication events, unfamiliar VPN clients, new MAC addresses, and authentication events occurring while Cloud Authentication Service (CAS) is disabled.
  • Assess exposure to CVE-2026-0300 and determine whether affected systems are vulnerable to chained exploitation scenarios. Any confirmed CVE-2026-0257 compromise should be investigated as a potential precursor to firewall-level compromise.
  • Enforce certificate isolation across PAN-OS services and features. Certificates should not be reused across multiple functions, reducing the risk of similar certificate-based authentication bypass attacks in the future.
  • Maintain verified offline backups of PAN-OS configurations and security policies. If firewall compromise occurs through chained exploitation, offline backups will be critical for recovery, validation, and forensic comparison.
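The log review and MAC correlation from the recommended actions, as an added example that is not part of the advisory or of any vendor tooling. The log format is a constructed, simplified CSV carrying only the fields the guidance needs (timestamp, event, status, user, authentication method, public IP, client MAC); map the corresponding GlobalProtect log fields onto these columns before using it on real data. The script learns each user's familiar IPs and MACs from successful sessions before the May 17, 2026 cutoff, flags cookie-authenticated sessions after the cutoff that do not match that baseline (or belong to a user with no baseline), and finally lists MACs that recur across several flagged accounts, the pattern Rapid7 used to tie the exploitation waves together.

```python
"""Triage GlobalProtect authentication logs for cookie-based VPN sessions that
do not match a user's pre-campaign baseline, per the advisory's guidance.

Added example for this advisory; the CSV layout is a CONSTRUCTED, simplified
stand-in for real GlobalProtect log fields.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Earliest known exploitation date from the advisory; sessions from here on are reviewed.
CUTOFF = datetime(2026, 5, 17, tzinfo=timezone.utc)
FIELDS = ["time", "event", "status", "user", "auth_method", "public_ip", "client_mac"]

# Constructed sample log (no header row). One foreign IP/MAC pair reappears
# across several accounts after the cutoff; alice's own device is also seen.
SAMPLE_LOG = """\
2026-05-10T08:02:11Z,gateway-auth,success,alice,LDAP,203.0.113.10,00:11:22:33:44:55
2026-05-12T09:15:40Z,gateway-auth,success,alice,cookie,203.0.113.10,00:11:22:33:44:55
2026-05-14T07:50:03Z,gateway-auth,success,bob,SAML,198.51.100.7,aa:bb:cc:dd:ee:01
2026-05-18T02:13:57Z,gateway-auth,success,alice,cookie,192.0.2.77,de:ad:be:ef:00:01
2026-05-19T03:40:12Z,gateway-auth,success,bob,cookie,192.0.2.77,de:ad:be:ef:00:01
2026-05-20T11:05:30Z,gateway-auth,success,alice,cookie,203.0.113.10,00:11:22:33:44:55
2026-05-21T04:21:50Z,gateway-auth,failure,carol,LDAP,198.51.100.9,aa:bb:cc:dd:ee:02
2026-05-21T04:22:08Z,gateway-auth,success,carol,cookie,192.0.2.91,de:ad:be:ef:00:01
"""


def parse(log_text):
    """Parse CSV rows into dicts with an aware UTC datetime in 'time'."""
    rows = []
    for rec in csv.DictReader(io.StringIO(log_text.strip()), fieldnames=FIELDS):
        rec["time"] = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        rows.append(rec)
    return rows


def build_baseline(rows, cutoff=CUTOFF):
    """Per user: public IPs and client MACs seen in successful sessions before the cutoff."""
    seen = defaultdict(lambda: {"ips": set(), "macs": set()})
    for r in rows:
        if r["time"] < cutoff and r["status"] == "success":
            seen[r["user"]]["ips"].add(r["public_ip"])
            seen[r["user"]]["macs"].add(r["client_mac"])
    return seen


def triage(log_text, cutoff=CUTOFF):
    """Flag post-cutoff cookie-authenticated sessions that deviate from the baseline."""
    rows = parse(log_text)
    baseline = build_baseline(rows, cutoff)
    flagged = []
    for r in rows:
        if r["time"] < cutoff or r["status"] != "success" or r["auth_method"].lower() != "cookie":
            continue  # only successful cookie-based sessions in the review window
        known = baseline.get(r["user"])
        reasons = []
        if known is None:
            reasons.append("no pre-cutoff baseline for user")
        else:
            if r["public_ip"] not in known["ips"]:
                reasons.append("unfamiliar public IP")
            if r["client_mac"] not in known["macs"]:
                reasons.append("unfamiliar client MAC")
        if reasons:
            flagged.append({"time": r["time"].isoformat(), "user": r["user"],
                            "public_ip": r["public_ip"], "client_mac": r["client_mac"],
                            "reasons": reasons})
    return flagged


def shared_macs(flagged):
    """MACs that appear under more than one user among flagged sessions."""
    users_by_mac = defaultdict(set)
    for f in flagged:
        users_by_mac[f["client_mac"]].add(f["user"])
    return {mac: sorted(users) for mac, users in users_by_mac.items() if len(users) > 1}


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h['time']} {h['user']} ip={h['public_ip']} mac={h['client_mac']}: {', '.join(h['reasons'])}")
    print("MACs shared across flagged users:", shared_macs(hits))
```

A session that matches the user's own baseline (alice on May 20 in the sample) is not flagged even though it is cookie-based, so the output is a short list for an analyst to confirm rather than every cookie login; the shared-MAC summary is what turns individual hits into a single campaign to investigate.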

Reference:

https://thehackernews.com/2026/05/pan-os-globalprotect-authentication.html

https://security.paloaltonetworks.com/CVE-2026-0257