Active Exploitation Alert: Palo Alto Networks PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)

Executive Summary

CVE-2026-0257 is a critical authentication bypass vulnerability affecting the Palo Alto Networks PAN-OS GlobalProtect portal and gateway. This flaw enables remote, unauthenticated attackers to forge authentication cookies and gain unauthorized VPN access, effectively bypassing all configured authentication controls. The vulnerability is being actively exploited in the wild, with multiple security vendors and government agencies confirming real-world attacks. Public proof-of-concept (PoC) code is available, and the vulnerability is cataloged in the CISA Known Exploited Vulnerabilities (KEV) list. Organizations running affected versions of PAN-OS with vulnerable configurations are at immediate risk of compromise, potentially exposing sensitive internal resources to external threat actors.

Threat Actor Profile

Current exploitation of CVE-2026-0257 is characterized by opportunistic and potentially targeted activity. Threat actors are leveraging infrastructure from low-cost hosting providers such as Vultr and Dromatics Systems to launch attacks. The observed activity does not currently map to a specific Advanced Persistent Threat (APT) group, but the use of consistent MAC addresses and attack patterns suggests a single actor or toolkit is being used across incidents. The attackers’ primary objective appears to be initial access, likely for further exploitation, lateral movement, or sale to other malicious parties (i.e., initial access brokers). No evidence of post-exploitation lateral movement has been reported in public incident disclosures as of this writing.

Technical Analysis of Malware/TTPs

CVE-2026-0257 arises from improper validation and integrity checking of authentication override cookies in the GlobalProtect portal and gateway components of PAN-OS. When the same certificate is used for both the HTTPS service and authentication override cookies, an attacker can extract the public key from the server’s TLS certificate and use it to forge valid authentication cookies. These cookies are then accepted by the GlobalProtect service, granting the attacker VPN access as any user, including privileged accounts.

The attack chain involves the following technical steps: the attacker retrieves the public TLS certificate from the target’s GlobalProtect portal or gateway, uses a publicly available PoC tool (such as forge_cookie.py released by Rapid7) to generate a valid authentication override cookie, and submits this cookie to the VPN endpoint. If the endpoint is running a vulnerable version and configuration, the attacker is authenticated without any credentials or user interaction.

The vulnerability is classified under CWE-565 (Reliance on Cookies without Validation and Integrity Checking) and mapped to CAPEC-114 (Authentication Abuse). The attack vector is network-based, with low complexity and no privileges or user interaction required. The impact is severe, as it allows full compromise of confidentiality and integrity for any resource accessible via the VPN.

MITRE ATT&CK techniques relevant to this exploitation include T1190 (Exploit Public-Facing Application) and T1078.004 (Valid Accounts: Cloud Accounts), as the attacker is effectively forging valid session tokens to gain access.

Exploitation in the Wild

Active exploitation of CVE-2026-0257 was first observed by Rapid7 Managed Detection and Response (MDR) teams on May 17, 2026, just days after the vulnerability was publicly disclosed by Palo Alto Networks. The attacks have been traced to IP addresses associated with Vultr and Dromatics Systems, both known for providing inexpensive, easily accessible cloud infrastructure. The attackers used both Windows and Linux clients, with hostnames such as DESKTOP-GP01 and GP-CLIENT, and a consistent spoofed MAC address (aa:bb:cc:dd:ee:ff) across multiple incidents.

The exploitation process is highly automated, leveraging the PoC script to iterate through certificate chains and forge cookies for multiple user accounts. Log entries from compromised devices show successful logins using the “Cookie” authentication method from the attacker-controlled IPs. Despite successful VPN access, no evidence of lateral movement or further post-exploitation activity has been reported in the initial wave of attacks, suggesting the attackers may be focused on establishing persistent access or selling access to other threat actors.

The vulnerability was added to the CISA KEV catalog on May 29, 2026, underscoring its significance and the urgency for remediation.

Victimology and Targeting

Victim organizations span multiple sectors and geographies, as exploitation is opportunistic and targets any exposed, vulnerable PAN-OS GlobalProtect instance. There is no evidence of sector-specific targeting, but the nature of the vulnerability means that any organization using affected versions and configurations is at risk. The use of generic infrastructure and lack of post-exploitation activity suggest that attackers are scanning for and exploiting vulnerable devices en masse, rather than focusing on specific high-value targets. However, the potential for targeted attacks remains high, especially given the critical access granted by successful exploitation.

Mitigation and Countermeasures

Immediate action is required for all organizations running affected versions of PAN-OS with GlobalProtect portals or gateways. The following countermeasures are recommended:

Upgrade all affected PAN-OS devices to the latest fixed versions as specified in the official Palo Alto Networks advisory. This is the only fully effective mitigation.

If immediate upgrade is not possible, disable authentication override cookies on all GlobalProtect portals and gateways. This will prevent exploitation but may impact user experience or existing workflows.

Ensure that a dedicated certificate is used for authentication override cookies, separate from the HTTPS service certificate. This configuration change mitigates the vulnerability even on unpatched systems.

Monitor VPN and authentication logs for indicators of compromise, including successful logins using the “Cookie” authentication method from suspicious IP addresses, especially those listed in the IOCs section.

Force re-authentication for all GlobalProtect users after patching or configuration changes to invalidate any potentially forged sessions.

Review firewall rules and restrict access to GlobalProtect portals and gateways to trusted IP ranges where possible.

Implement continuous vulnerability management and threat intelligence monitoring to detect and respond to future exploitation attempts.
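The log indicators described under Exploitation in the Wild (successful "Cookie" logins from attacker-controlled IPs, the spoofed MAC aa:bb:cc:dd:ee:ff, and the DESKTOP-GP01 / GP-CLIENT hostnames) and the monitoring recommendation above can be turned into a simple triage script. The following is an added example written for this advisory, not code from Rescana, Rapid7 or Palo Alto Networks. It works on a constructed, simplified CSV export; real PAN-OS GlobalProtect logs use a different layout, so the parsing and the TRUSTED_NETWORKS and MULTI_USER_THRESHOLD values are assumptions to adapt to your own environment. Beyond the single-event indicators named on the page, it also flags one source address that cookie-authenticates as several distinct users, which matches the automated, multi-account pattern the advisory describes.

```python
"""Triage GlobalProtect authentication events for CVE-2026-0257 indicators.

Added example for this advisory, not vendor code. The CSV layout below is
constructed and simplified; adapt parse_events() to your real log export.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass, field

# Indicators taken from the advisory text.
IOC_MACS = {"aa:bb:cc:dd:ee:ff"}
IOC_HOSTNAMES = {"DESKTOP-GP01", "GP-CLIENT"}

# Assumption: networks from which cookie-based re-authentication is expected
# (e.g. corporate egress). Placeholder documentation range, replace it.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Assumption: how many distinct users one source may cookie-authenticate as
# before it is treated as suspicious. Tune to your environment.
MULTI_USER_THRESHOLD = 2


@dataclass
class Finding:
    timestamp: str
    user: str
    src_ip: str
    reasons: list = field(default_factory=list)


def parse_events(log_text):
    """Parse the constructed CSV format into a list of dict events."""
    return list(csv.DictReader(io.StringIO(log_text)))


def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def triage(log_text):
    """Return (findings, sprayed): per-event findings and the sources that
    cookie-authenticated as MULTI_USER_THRESHOLD or more distinct users."""
    events = parse_events(log_text)

    # Pass 1: distinct users per source among successful cookie logins.
    users_by_source = {}
    for ev in events:
        if ev["status"] == "success" and ev["auth_method"].lower() == "cookie":
            users_by_source.setdefault(ev["src_ip"], set()).add(ev["user"])
    sprayed = {ip: sorted(users) for ip, users in users_by_source.items()
               if len(users) >= MULTI_USER_THRESHOLD}

    # Pass 2: score each successful login against the indicators.
    findings = []
    for ev in events:
        if ev["status"] != "success":
            continue  # failed attempts are noise for this check
        reasons = []
        cookie = ev["auth_method"].lower() == "cookie"
        if cookie and not is_trusted(ev["src_ip"]):
            reasons.append("cookie auth from untrusted source")
        if cookie and ev["src_ip"] in sprayed:
            reasons.append(f"source used cookie auth for "
                           f"{len(sprayed[ev['src_ip']])} distinct users")
        if ev["mac"].lower() in IOC_MACS:
            reasons.append("known spoofed MAC")
        if ev["hostname"].upper() in IOC_HOSTNAMES:
            reasons.append("known attacker hostname")
        if reasons:
            findings.append(Finding(ev["timestamp"], ev["user"], ev["src_ip"], reasons))
    return findings, sprayed


# Constructed sample log: one benign LDAP login, one benign cookie login from
# a trusted range, three forged-cookie logins from one untrusted source, and
# one failed attempt.
SAMPLE_LOG = """timestamp,user,src_ip,auth_method,hostname,mac,status
2026-05-17T02:10:01Z,alice,203.0.113.10,LDAP,ALICE-LAPTOP,00:11:22:33:44:55,success
2026-05-17T02:11:45Z,bob,203.0.113.22,Cookie,BOB-PC,00:11:22:33:44:66,success
2026-05-17T02:12:03Z,svc-admin,198.51.100.7,Cookie,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,success
2026-05-17T02:12:09Z,alice,198.51.100.7,Cookie,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,success
2026-05-17T02:12:15Z,carol,198.51.100.7,Cookie,GP-CLIENT,aa:bb:cc:dd:ee:ff,success
2026-05-17T02:13:00Z,dave,198.51.100.9,Cookie,GP-CLIENT,aa:bb:cc:dd:ee:ff,failure
"""

if __name__ == "__main__":
    found, spray = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} {f.user:<10} {f.src_ip:<14} {'; '.join(f.reasons)}")
    for ip, users in spray.items():
        print(f"{ip} cookie-authenticated as: {', '.join(users)}")
```

Every finding from the untrusted source here carries all four reasons, while the trusted-range cookie login for bob produces none; that separation is the point of keeping an explicit trusted-network list rather than alerting on every "Cookie" entry. After patching or disabling authentication override cookies, the same script run over the following days should return no findings at all, which is a cheap way to confirm that forced re-authentication actually invalidated the forged sessions.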

References

Palo Alto Networks: CVE-2026-0257 Security Advisory
Rapid7: Observed Exploitation Blog & PoC
NVD: CVE-2026-0257 Entry
CISA: Known Exploited Vulnerabilities Catalog
Reddit: Community Discussion

About Rescana

Rescana is a leader in third-party risk management (TPRM), providing organizations with a comprehensive platform to continuously monitor, assess, and mitigate cyber risks across their entire digital supply chain. Our advanced threat intelligence and automation capabilities empower security teams to proactively identify vulnerabilities, respond to emerging threats, and ensure compliance with industry standards. For more information about how Rescana can help strengthen your organization’s cyber resilience, or for any questions regarding this advisory, please contact us at ops@rescana.com.