PAN-OS Vulnerability CVE-2026-0257 Actively Exploited: VPN Security at Risk

Critical PAN-OS Authentication Bypass Vulnerability Exploited in the Wild

A significant security flaw, identified as CVE-2026-0257, has been discovered in Palo Alto Networks’ PAN-OS and Prisma Access software. This vulnerability allows unauthenticated remote attackers to forge authentication override cookies, enabling unauthorized VPN connections through the GlobalProtect gateway. The Cybersecurity and Infrastructure Security Agency (CISA) added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, following reports of active exploitation.

Understanding the Vulnerability

The issue resides in the authentication override feature of PAN-OS, which is not enabled by default. This feature permits GlobalProtect portals and gateways to issue session cookies to authenticated users, functioning similarly to bearer tokens, thereby eliminating the need for users to re-authenticate each session. The vulnerability is triggered when the certificate used to encrypt and decrypt these authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway.

In this configuration, the decryption process within the `/usr/local/bin/gpsvc` binary fails to perform signature verification after decrypting the cookie. Consequently, an attacker who can retrieve the public key from the exposed HTTPS certificate can forge a valid authentication cookie, effectively bypassing authentication mechanisms entirely.

Timeline of Exploitation

Security firm Rapid7 identified the earliest exploitation of CVE-2026-0257 on May 17, 2026. The initial wave of attacks originated from IP addresses hosted on Vultr, a cloud service provider. On May 18, Rapid7 detected suspicious cookie-based authentication attempts to local admin accounts across multiple customer environments. The attackers used the machine name `GP-CLIENT` and a spoofed MAC address (`aa:bb:cc:dd:ee:ff`) to masquerade as legitimate endpoints.

A second wave of exploitation occurred on May 21, 2026, this time originating from the hosting provider Dromatics Systems. In this instance, the attackers used the machine name `DESKTOP-GP01`. Notably, some victims in this wave had full VPN IP assignments granted after the cookie authentication, providing attackers with direct access to internal networks. The consistent use of the spoofed MAC address across both waves suggests that a single threat actor is behind these campaigns. Of the ten impacted Managed Detection and Response (MDR) customers, eight observed only authentication probes without full VPN session establishment.

Indicators of Compromise

Organizations should be vigilant for the following indicators of compromise associated with this vulnerability:

– Threat Actor Source IPs:
  – 104[.]207[.]144[.]154 (Wave 1)
  – 146[.]19[.]216[.]119, 146[.]19[.]216[.]120, 146[.]19[.]216[.]125 (Wave 2)

– Spoofed MAC Address:
  – aa:bb:cc:dd:ee:ff (Both waves)

– Machine Names:
  – GP-CLIENT (Linux authentication, May 17)
  – DESKTOP-GP01 (Windows authentication, May 21)

Note: IP addresses and domains are intentionally defanged (e.g., `[.]`) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your Security Information and Event Management (SIEM) system.
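As an added example that is not part of the original article or of any Palo Alto Networks tooling, the following Python script runs the indicators listed above over a few constructed GlobalProtect-style authentication events and reports every match. The key=value log format, its field names and the `admin` account name are assumptions, not the real PAN-OS GlobalProtect log schema.

```python
import re

# Indicators from the article (the defanged IPs are re-fanged here for matching).
IOC_SOURCE_IPS = {"104.207.144.154": "wave 1", "146.19.216.119": "wave 2",
                  "146.19.216.120": "wave 2", "146.19.216.125": "wave 2"}
IOC_MAC = "aa:bb:cc:dd:ee:ff"
IOC_MACHINE_NAMES = {"GP-CLIENT", "DESKTOP-GP01"}
LOCAL_ADMIN_ACCOUNTS = {"admin"}  # assumption: your local admin account names

# Constructed key=value sample events; the field names are assumptions, not the
# real PAN-OS GlobalProtect log schema.
SAMPLE_LOGS = [
    "ts=2026-05-18T02:11:09Z auth=cookie user=admin src_ip=104.207.144.154 machine=GP-CLIENT mac=aa:bb:cc:dd:ee:ff",
    "ts=2026-05-18T08:40:51Z auth=saml user=jdoe src_ip=203.0.113.10 machine=LAPTOP-7F2 mac=00:11:22:33:44:55",
    "ts=2026-05-21T14:03:27Z auth=cookie user=admin src_ip=146.19.216.120 machine=DESKTOP-GP01 mac=aa:bb:cc:dd:ee:ff",
    "ts=2026-05-22T09:15:00Z auth=cookie user=mlee src_ip=198.51.100.7 machine=WS-22 mac=AA:BB:CC:DD:EE:FF",
]

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    # One key=value log line -> dict of fields.
    return dict(KV_RE.findall(line))

def score_event(ev):
    # Return every indicator the event matches; an empty list means no match.
    reasons = []
    ip = ev.get("src_ip")
    if ip in IOC_SOURCE_IPS:
        reasons.append(f"known source IP ({IOC_SOURCE_IPS[ip]})")
    if ev.get("mac", "").lower() == IOC_MAC:   # case-insensitive MAC compare
        reasons.append("spoofed MAC shared by both waves")
    if ev.get("machine") in IOC_MACHINE_NAMES:
        reasons.append("machine name used by the actor")
    # Cookie auth to a local admin account is the behaviour Rapid7 flagged; it
    # still fires if the actor changes IPs, MAC and machine name.
    if ev.get("auth") == "cookie" and ev.get("user") in LOCAL_ADMIN_ACCOUNTS:
        reasons.append("cookie auth to local admin account")
    return reasons

def find_suspicious(lines):
    # (line_number, reasons) for each event that matches at least one indicator.
    scored = ((n, score_event(parse_event(l))) for n, l in enumerate(lines, 1))
    return [(n, r) for n, r in scored if r]

if __name__ == "__main__":
    for n, reasons in find_suspicious(SAMPLE_LOGS):
        print(f"line {n}: " + "; ".join(reasons))
```

The last rule is the one worth keeping once the actor rotates infrastructure, since it keys on the authentication method and target account rather than on values the actor controls.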

Recommended Actions

To mitigate the risks associated with CVE-2026-0257, organizations are strongly advised to take the following steps immediately:

1. Upgrade to Patched Versions: Ensure that all affected PAN-OS and Prisma Access instances are updated to the vendor-patched versions. Key fixed versions include:
   – PAN-OS 12.1.4-h6 / 12.1.7
   – PAN-OS 11.2.12
   – PAN-OS 11.1.15
   – PAN-OS 10.2.18-h6
   – Prisma Access 11.2.0 requires 11.2.7-h13 or later
   – Prisma Access 10.2.0 requires 10.2.10-h36 or later

2. Disable Authentication Override Feature: If the authentication override feature is not operationally required, disable it to eliminate the associated risk.

3. Use Dedicated Certificates: Generate and use a dedicated certificate exclusively for the authentication override feature to prevent sharing with other services, thereby reducing the risk of exploitation.

Conclusion

The active exploitation of CVE-2026-0257 underscores the critical importance of timely vulnerability management and adherence to security best practices. Organizations utilizing Palo Alto Networks’ PAN-OS and Prisma Access should prioritize the recommended actions to safeguard their networks against unauthorized access and potential breaches.