Critical PAN-OS Vulnerability CVE-2026-0257 Actively Exploited; Urgent Patching Advised

Critical PAN-OS Authentication Bypass Vulnerability Exploited in the Wild

Palo Alto Networks has recently disclosed a critical security vulnerability, identified as CVE-2026-0257, affecting its PAN-OS software and Prisma Access services. This flaw enables unauthenticated remote attackers to forge authentication override cookies, thereby establishing unauthorized VPN connections through the GlobalProtect gateway. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, indicating active exploitation in the wild.

Understanding the Vulnerability

The root of CVE-2026-0257 lies in the authentication override feature of PAN-OS, which is not enabled by default. This feature allows GlobalProtect portals and gateways to issue session cookies to authenticated users, functioning similarly to bearer tokens, thus eliminating the need for users to re-authenticate for each session. The vulnerability is triggered when the certificate used to encrypt and decrypt these authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway.

In such configurations, the decryption process within the `/usr/local/bin/gpsvc` binary fails to perform signature verification after decrypting the cookie. Consequently, an attacker who can retrieve the public key from the exposed HTTPS certificate can forge a valid authentication cookie, effectively bypassing authentication mechanisms entirely.
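The defect described above is a "decrypt, then trust" pattern: the gateway recovers the cookie contents but never checks that it was the gateway itself that produced them. The added example below (not code from Palo Alto Networks or from this article) contrasts that pattern with the hardened form, in which the claims are accepted only after an authenticator computed from a key that exists solely on the gateway has been verified. It simplifies deliberately: a symmetric HMAC key stands in for the certificate, and `mint_cookie`, `accept_without_verification` and `verify_cookie` are names chosen for this illustration.

```python
import base64
import hashlib
import hmac
import json
import os
import time
from typing import Optional

# Constructed for this example: a secret that exists only on the gateway.
# The real feature uses a certificate; the HMAC key here stands in for
# "material an outside party cannot obtain from the HTTPS endpoint".
GATEWAY_SECRET = os.urandom(32)
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def mint_cookie(secret: bytes, username: str, lifetime_s: int = 3600) -> str:
    """Issue a cookie: base64url(payload || HMAC-SHA256(secret, payload))."""
    claims = {"user": username, "exp": int(time.time()) + lifetime_s}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def accept_without_verification(cookie: str) -> Optional[dict]:
    """The flawed pattern: decode the claims and trust them without ever
    checking the tag, so a cookie built with any key at all is accepted."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
        return json.loads(raw[:-TAG_LEN])
    except ValueError:
        return None


def verify_cookie(secret: bytes, cookie: str, now: Optional[int] = None) -> Optional[dict]:
    """Hardened form: return the claims only if the tag verifies and the
    cookie has not expired; otherwise return None."""
    try:
        raw = base64.urlsafe_b64decode(cookie.encode())
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= TAG_LEN:
        return None
    payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison: this is the verification step that was missing.
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    current = now if now is not None else int(time.time())
    if not isinstance(claims, dict) or current >= int(claims.get("exp", 0)):
        return None
    return claims


if __name__ == "__main__":
    good = mint_cookie(GATEWAY_SECRET, "alice")
    rogue = mint_cookie(b"key-the-gateway-never-issued", "admin")
    print("genuine cookie, verified path:", verify_cookie(GATEWAY_SECRET, good))
    print("rogue cookie, unverified path:", accept_without_verification(rogue))
    print("rogue cookie, verified path:  ", verify_cookie(GATEWAY_SECRET, rogue))
```

The point of the contrast is that the unverified path cannot tell a gateway-issued cookie from one assembled elsewhere, whereas the verified path rejects anything whose tag was not produced with the gateway's own key, along with truncated, tampered and expired cookies.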

Exploitation in the Wild

Security firm Rapid7 identified the earliest exploitation of this vulnerability on May 17, 2026. The initial wave of attacks originated from IP addresses hosted on Vultr, with attackers using the machine name `GP-CLIENT` and a spoofed MAC address (`aa:bb:cc:dd:ee:ff`) to masquerade as legitimate endpoints. A subsequent wave occurred on May 21, 2026, originating from Dromatics Systems, utilizing the machine name `DESKTOP-GP01`.

In some instances, attackers were granted full VPN IP assignments after cookie authentication, providing direct access to internal networks. The consistent use of the spoofed MAC address across both waves suggests a single threat actor behind these campaigns. Notably, 8 out of 10 impacted Managed Detection and Response (MDR) customers observed only authentication probes without full VPN session establishment.

Indicators of Compromise

Organizations should be vigilant for the following indicators of compromise associated with this vulnerability:

– Threat Actor Source IPs:
  – 104.207.144.154 (Wave 1)
  – 146.19.216.119, 146.19.216.120, 146.19.216.125 (Wave 2)

– Spoofed MAC Address:
  – aa:bb:cc:dd:ee:ff (Both waves)

– Machine Names:
  – GP-CLIENT (Linux authentication, May 17)
  – DESKTOP-GP01 (Windows authentication, May 21)
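As an added example of putting the indicators above to use (this is not code from the article or from Rapid7), the script below scans GlobalProtect-style log lines for the listed source IPs, the spoofed MAC address in either `aa:bb` or `AA-BB` notation, and the two machine names, and reports which indicator matched where. The sample lines are constructed in a generic key=value layout for this illustration and are not the real PAN-OS log format; adapt `scan_line` to the fields of your own export.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Indicators reported in the article for the CVE-2026-0257 campaign.
SOURCE_IPS = {
    "104.207.144.154": "wave 1 (May 17, 2026)",
    "146.19.216.119": "wave 2 (May 21, 2026)",
    "146.19.216.120": "wave 2 (May 21, 2026)",
    "146.19.216.125": "wave 2 (May 21, 2026)",
}
SPOOFED_MACS = {"aa:bb:cc:dd:ee:ff": "both waves"}
MACHINE_NAMES = {"GP-CLIENT": "wave 1, Linux client", "DESKTOP-GP01": "wave 2, Windows client"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MAC_RE = re.compile(r"\b(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}\b", re.I)
NAME_RE = re.compile(
    r"(?<![\w-])(" + "|".join(map(re.escape, MACHINE_NAMES)) + r")(?![\w-])", re.I
)

# Constructed sample lines (NOT the real PAN-OS GlobalProtect log format).
SAMPLE_LOGS = [
    "May 17 02:14:09 gw1 gpsvc: auth-override cookie accepted src=104.207.144.154 host=GP-CLIENT mac=aa:bb:cc:dd:ee:ff os=Linux",
    "May 17 02:20:11 gw1 gpsvc: portal login src=198.51.100.23 host=LAPTOP-JSMITH mac=3c:22:fb:11:22:33 os=Windows",
    "May 21 11:02:44 gw1 gpsvc: auth-override cookie accepted src=146.19.216.120 host=DESKTOP-GP01 mac=AA-BB-CC-DD-EE-FF os=Windows",
    "May 21 11:02:45 gw1 gpsvc: tunnel established src=146.19.216.120 assigned=10.50.0.17",
]


def scan_line(line: str) -> List[Dict[str, str]]:
    """Return one hit record per indicator found in the line."""
    hits: List[Dict[str, str]] = []
    for ip in IP_RE.findall(line):
        if ip in SOURCE_IPS:
            hits.append({"type": "source_ip", "value": ip, "context": SOURCE_IPS[ip]})
    for mac in MAC_RE.findall(line):
        norm = mac.lower().replace("-", ":")  # normalise AA-BB-... to aa:bb:...
        if norm in SPOOFED_MACS:
            hits.append({"type": "mac", "value": norm, "context": SPOOFED_MACS[norm]})
    for name in NAME_RE.findall(line):
        key = name.upper()
        hits.append({"type": "machine_name", "value": key, "context": MACHINE_NAMES[key]})
    return hits


def scan_lines(lines) -> List[Tuple[int, List[Dict[str, str]]]]:
    """Return (line index, hits) for every line with at least one indicator."""
    out = []
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            out.append((i, hits))
    return out


def summarize(results) -> Dict[str, int]:
    """Count hits by indicator type across all flagged lines."""
    return dict(Counter(h["type"] for _, hits in results for h in hits))


if __name__ == "__main__":
    flagged = scan_lines(SAMPLE_LOGS)
    for idx, hits in flagged:
        print(f"line {idx}: " + "; ".join(f"{h['type']}={h['value']} [{h['context']}]" for h in hits))
    print("summary:", summarize(flagged))
```

Lines that match a source IP but carry no machine name or MAC (such as the tunnel-established line in the sample) are the ones worth a second look, since the article notes that some sessions progressed to a full VPN IP assignment.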

Mitigation Measures

To protect against potential exploitation of CVE-2026-0257, Palo Alto Networks recommends the following actions:

1. Upgrade to Patched Versions: Ensure all affected PAN-OS and Prisma Access instances are updated to the latest vendor-patched versions. Key fixed versions include:
   – PAN-OS 12.1.4-h6 / 12.1.7
   – PAN-OS 11.2.12
   – PAN-OS 11.1.15
   – PAN-OS 10.2.18-h6
   – Prisma Access 11.2.0 requires 11.2.7-h13 or later
   – Prisma Access 10.2.0 requires 10.2.10-h36 or later

2. Disable Authentication Override Feature: If the authentication override feature is not operationally required, it should be disabled to mitigate risk.

3. Use Dedicated Certificates: Generate a dedicated certificate exclusively for authentication override cookies to prevent sharing with other features like the HTTPS service.
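Checking a fleet against the fixed versions in step 1 is tedious by hand because of the `-hN` hotfix suffixes. The added example below (my own helper, not a Palo Alto Networks tool) parses PAN-OS and Prisma Access version strings and assesses each against the versions listed in this article. Two things in it are assumptions rather than statements from the article: that a fix listed as a plain release (for example 12.1.7) also covers later releases in that branch, and that a fix listed as a hotfix (for example 12.1.4-h6) covers only that maintenance release at that hotfix level or higher. Anything in between, such as 12.1.5 or a 10.2 release after 10.2.18-h6, is reported as `check-advisory` rather than guessed, and branches the article does not list are reported as `unknown`.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Fixed versions as listed in the article.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "PAN-OS": ["12.1.4-h6", "12.1.7", "11.2.12", "11.1.15", "10.2.18-h6"],
    "Prisma Access": ["11.2.7-h13", "10.2.10-h36"],
}


def parse_version(text: str) -> Version:
    """Turn '10.2.18-h6' into (10, 2, 18, 6); a missing hotfix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def covers(fixed: Version, running: Version) -> bool:
    """Assumed rule: a plain fixed release covers itself and everything later
    in the branch; a hotfix release covers only the same maintenance release
    at that hotfix level or higher."""
    if fixed[:2] != running[:2]:
        return False
    if fixed[3] == 0:
        return running[2:] >= fixed[2:]
    return running[2] == fixed[2] and running[3] >= fixed[3]


def assess(product: str, running_version: str) -> str:
    """Return 'patched', 'vulnerable', 'check-advisory' or 'unknown'."""
    running = parse_version(running_version)
    fixes = [parse_version(f) for f in FIXED_VERSIONS[product]
             if parse_version(f)[:2] == running[:2]]
    if not fixes:
        return "unknown"  # branch not listed in the article
    if any(covers(f, running) for f in fixes):
        return "patched"
    if running[2:] < min(f[2:] for f in fixes):
        return "vulnerable"  # older than every listed fix in the branch
    # Between a hotfix-only fix and the next listed release, or after a
    # hotfix-only fix with no later plain release listed: do not guess.
    return "check-advisory"


def assess_fleet(inventory: List[Tuple[str, str, str]]) -> Dict[str, str]:
    """Map device name -> assessment for (name, product, version) triples."""
    return {name: assess(product, version) for name, product, version in inventory}


if __name__ == "__main__":
    # Constructed inventory for illustration.
    fleet = [
        ("fw-edge-1", "PAN-OS", "12.1.4-h5"),
        ("fw-edge-2", "PAN-OS", "12.1.5"),
        ("fw-dc-1", "PAN-OS", "11.2.12"),
        ("fw-branch-7", "PAN-OS", "10.2.18"),
        ("pa-tenant", "Prisma Access", "11.2.7-h13"),
    ]
    for name, verdict in assess_fleet(fleet).items():
        print(f"{name:12s} {verdict}")
```

Treat `check-advisory` as a prompt to read the vendor advisory for that exact release rather than as a pass; the conservative output is intentional.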

Conclusion

The active exploitation of CVE-2026-0257 underscores the critical importance of timely vulnerability management and system updates. Organizations utilizing Palo Alto Networks’ PAN-OS and Prisma Access should prioritize implementing the recommended mitigation measures to safeguard their networks against unauthorized access and potential breaches.