Palo Alto PAN-OS Authentication Bypass Exploited in the Wild Against GlobalProtect VPNs
Palo Alto Networks has confirmed limited exploitation of CVE-2026-0257, an authentication bypass vulnerability affecting PAN-OS GlobalProtect portals and gateways under specific configurations. The Palo Alto Networks advisory says the flaw can allow a remote unauthenticated attacker to bypass security restrictions and establish an unauthorized VPN connection.
The issue affects PAN-OS and Prisma Access deployments where GlobalProtect authentication override cookies are enabled and the authentication override certificate is shared with another feature or user. Panorama and Cloud NGFW are not affected.
The risk increased after CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026. Federal agencies have a short remediation window, and private organizations should also treat the vulnerability as an active threat.
What CVE-2026-0257 Allows
CVE-2026-0257 affects GlobalProtect authentication override cookies. This feature lets GlobalProtect portals and gateways issue cookies to authenticated users so they do not need to sign in again during later sessions.
The bug becomes exploitable when authentication override is enabled and the same certificate is reused for another feature, such as the portal or gateway HTTPS service. In that situation, an attacker may be able to forge a valid cookie and connect without valid credentials.
The NVD entry for CVE-2026-0257 describes the flaw as an authentication bypass in the GlobalProtect portal and gateway that can let an attacker establish an unauthorized VPN connection.
| Item | Details |
|---|---|
| CVE | CVE-2026-0257 |
| Affected feature | GlobalProtect portal and gateway authentication override |
| Attack type | Authentication bypass |
| Authentication required | No |
| Palo Alto CVSS 4.0 score | 7.8, high |
| NVD CVSS 3.1 score | 9.1, critical |
| Known exploitation | Confirmed |
Rapid7 Saw Exploitation Across Customer Environments
Rapid7 says its MDR team observed successful exploitation across multiple customer environments, with the earliest activity seen on May 17, 2026. The Rapid7 exploitation report says the first wave involved suspicious cookie authentication to local admin accounts from Vultr-hosted infrastructure.
That activity used the machine name GP-CLIENT and the spoofed MAC address aa:bb:cc:dd:ee:ff. A second wave followed on May 21 from infrastructure linked to Dromatics Systems, using the machine name DESKTOP-GP01 and the same spoofed MAC address.
Rapid7 said some victims received full VPN IP assignments after cookie authentication, which gave the attacker internal network access. In most impacted MDR customer environments, however, Rapid7 saw authentication probes rather than full VPN session establishment.
| Observed wave | Date | Reported source | Machine name | MAC address |
|---|---|---|---|---|
| Wave 1 | May 17 to May 18, 2026 | Vultr-hosted IPs | GP-CLIENT | aa:bb:cc:dd:ee:ff |
| Wave 2 | May 21, 2026 | Dromatics Systems-hosted IPs | DESKTOP-GP01 | aa:bb:cc:dd:ee:ff |
Why This Bug Needs Urgent Attention
Palo Alto Networks rates the issue as high severity, not critical, under CVSS 4.0. Still, an authentication bypass on an internet-facing VPN appliance creates a serious initial access risk.
A successful exploit can give an attacker a VPN connection into the target environment. From there, the attacker may scan internal systems, test credentials, target admin interfaces, or prepare follow-on movement.
That is why the score should not be the only factor in patch priority. Exposure, exploit activity, and the role of GlobalProtect as a remote access gateway make this a high-priority issue for security teams.
Affected Versions and Fixed Builds
Palo Alto Networks has released patched versions across supported PAN-OS branches. Customers should check their exact branch and apply the fixed version listed by the vendor.
The update changes how authentication override cookies work. Palo Alto Networks says GlobalProtect users must re-authenticate once after the upgrade if the firewall uses authentication override cookies for portal or gateway access.
| Product | Affected versions | Fixed versions |
|---|---|---|
| PAN-OS 12.1 | Versions below 12.1.4-h6 and below 12.1.7 | 12.1.4-h6 or 12.1.7 and later |
| PAN-OS 11.2 | Branch-specific vulnerable builds below fixed releases | 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, 11.2.12 and later |
| PAN-OS 11.1 | Branch-specific vulnerable builds below fixed releases | 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15 and later |
| PAN-OS 10.2 | Branch-specific vulnerable builds below fixed releases | 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6 and later |
| Prisma Access 11.2 | Versions below 11.2.7-h13 | 11.2.7-h13 and later |
| Prisma Access 10.2 | Versions below 10.2.10-h36 | 10.2.10-h36 and later |
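The table mixes fixed hotfix builds with plain maintenance releases, so "is my build patched" is a branch-by-branch comparison rather than a simple version sort. The following checker is an added example, not vendor tooling: it encodes only the PAN-OS rows above (Prisma Access is excluded because its 11.2 fix differs from the PAN-OS 11.2 build) and treats a maintenance release newer than the last listed fixed build as patched, which is how "and later" is read here.

```python
import re
from typing import Optional, Tuple

# PAN-OS fixed builds copied from the vendor table in this article.
FIXED_BUILDS = {
    "12.1": ["12.1.4-h6", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
             "10.2.18-h6"],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into integers; a missing hotfix is 0."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {v!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_fixed(version: str) -> Optional[bool]:
    """True if the build contains the CVE-2026-0257 fix, False if it is below
    a fixed build, None if the branch is not in the vendor table."""
    major, minor, maint, hotfix = parse_version(version)
    branch = f"{major}.{minor}"
    if branch not in FIXED_BUILDS:
        return None
    fixed = [parse_version(f) for f in FIXED_BUILDS[branch]]
    # Same maintenance release as a fixed build: patched iff the hotfix level
    # is at or above the fixed hotfix (a plain release such as 11.1.15 is h0).
    for _, _, fixed_maint, fixed_hotfix in fixed:
        if fixed_maint == maint:
            return hotfix >= fixed_hotfix
    # No fixed hotfix for this maintenance release (e.g. 11.1.14): patched
    # only if it is newer than the highest fixed maintenance release.
    return maint > max(f[2] for f in fixed)


if __name__ == "__main__":
    for build in ["11.1.4-h33", "11.1.14", "12.1.5", "10.2.19", "9.1.17"]:
        print(build, "->", is_fixed(build))
```

Feed it the `sw-version` string from the appliance and treat `None` as "check the advisory manually" rather than as safe.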
How to Check Whether a Deployment Is Exposed
Administrators should first check whether GlobalProtect authentication override cookies are enabled. On portals, this means reviewing whether “Generate cookie for authentication override” or “Accept cookie for authentication override” is checked.
On gateways, administrators should review the Authentication Override tab under the relevant client settings profile and check whether “Accept cookie for authentication override” is enabled.
The vendor guidance says exposure also depends on the certificate configuration. If the authentication override certificate is reused by the HTTPS service or shared with another feature, the environment needs urgent remediation.
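Clicking through every portal and gateway is slow on a large estate, so here is an added example (not Palo Alto Networks tooling) that walks an exported configuration and reports the two conditions the advisory describes: authentication override cookies enabled, and the cookie certificate also bound to an HTTPS (SSL/TLS service) profile. The sample XML and the element names it relies on (`ssl-tls-service-profile`, `authentication-override`, `generate-cookie`, `accept-cookie`, `cookie-encrypt-decrypt-cert`) are assumptions for illustration; confirm them against your own export before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a PAN-OS config export; element names are
# assumptions for illustration, not verified vendor schema.
SAMPLE_CONFIG = """
<config>
  <shared><ssl-tls-service-profile>
    <entry name="gp-https"><certificate>gp-portal-cert</certificate></entry>
  </ssl-tls-service-profile></shared>
  <global-protect-portal><entry name="corp-portal">
    <authentication-override>
      <generate-cookie>yes</generate-cookie>
      <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
      <cookie-encrypt-decrypt-cert>gp-portal-cert</cookie-encrypt-decrypt-cert>
    </authentication-override>
  </entry></global-protect-portal>
  <global-protect-gateway><entry name="corp-gw">
    <authentication-override>
      <accept-cookie><cookie-lifetime><lifetime-in-hours>24</lifetime-in-hours></cookie-lifetime></accept-cookie>
      <cookie-encrypt-decrypt-cert>gp-cookie-only-cert</cookie-encrypt-decrypt-cert>
    </authentication-override>
  </entry></global-protect-gateway>
</config>"""


def check_auth_override(config_xml: str) -> dict:
    """Per portal/gateway entry: are override cookies enabled, which cert
    encrypts them, and is that cert also used by an HTTPS service profile?"""
    root = ET.fromstring(config_xml.strip())
    https_certs = set()
    for profile in root.iter("ssl-tls-service-profile"):
        https_certs.update(c.text.strip() for c in profile.iter("certificate") if c.text)
    results = {}
    for entry in root.iter("entry"):
        override = entry.find("authentication-override")
        if override is None:
            continue
        generate = (override.findtext("generate-cookie") or "no").strip().lower() == "yes"
        accept = override.find("accept-cookie") is not None
        cert = (override.findtext("cookie-encrypt-decrypt-cert") or "").strip()
        results[entry.get("name")] = {
            "override_enabled": generate or accept,
            "cookie_cert": cert,
            # The exposed condition: cookies on AND the cert shared with HTTPS.
            "exposed": (generate or accept) and cert in https_certs,
        }
    return results


if __name__ == "__main__":
    for name, info in check_auth_override(SAMPLE_CONFIG).items():
        print(name, info)
```

In the sample, the portal reuses `gp-portal-cert` for both HTTPS and cookies and is reported as exposed, while the gateway uses a cookie-only certificate and is not.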
Indicators of Compromise
| Indicator | Type | Context |
|---|---|---|
| 104.207.144[.]154 | Source IP | Wave 1 activity reported by Rapid7 |
| 146.19.216[.]119 | Source IP | Wave 2 activity reported by Rapid7 |
| 146.19.216[.]120 | Source IP | Wave 2 activity reported by Rapid7 |
| 146.19.216[.]125 | Source IP | Wave 2 activity reported by Rapid7 |
| aa:bb:cc:dd:ee:ff | Spoofed MAC address | Observed across both waves |
| GP-CLIENT | Machine name | Linux authentication activity in Wave 1 |
| DESKTOP-GP01 | Machine name | Windows authentication activity in Wave 2 |
What Security Teams Should Hunt For
Security teams should search GlobalProtect logs for cookie-based authentication to local administrator accounts, suspicious source IPs, unknown machine names, and the spoofed MAC address reported in the exploitation activity.
The Rapid7 analysis also recommends looking for cookie authentication involving local admin accounts and default-looking hostnames. Organizations using Rapid7 InsightIDR or MDR can use vendor detection content for this activity.
Defenders should also determine whether suspicious authentication led to a full VPN IP assignment. That distinction matters because a probe may not create the same internal exposure as a completed VPN session.
- Search for GlobalProtect authentication method “Cookie” from suspicious source IPs.
- Review logins to local administrator accounts through GlobalProtect.
- Look for GP-CLIENT and DESKTOP-GP01 as reported machine names.
- Search for the spoofed MAC address aa:bb:cc:dd:ee:ff.
- Check whether suspicious logins received VPN IP assignments.
- Review internal network activity after any suspicious VPN session.
- Rotate credentials if an unauthorized VPN session was established.
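The hunt list above translates directly into a filter over GlobalProtect authentication records, with the probe-versus-session distinction from the paragraph before it. The following is an added example, not Rapid7 or Palo Alto Networks detection content: it runs the indicators from this article over constructed log records (the field names `src_ip`, `user`, `auth_method`, `machine`, `mac`, `vpn_ip` are illustrative, not exact PAN-OS syslog field names, and the local admin account list is assumed), and labels each hit as a probe or an established session depending on whether a VPN IP was assigned.

```python
# Indicators from this article (defanged brackets removed for matching).
IOC_SOURCE_IPS = {"104.207.144.154", "146.19.216.119", "146.19.216.120", "146.19.216.125"}
IOC_MACHINE_NAMES = {"GP-CLIENT", "DESKTOP-GP01"}
IOC_SPOOFED_MAC = "aa:bb:cc:dd:ee:ff"
LOCAL_ADMIN_ACCOUNTS = {"admin"}  # assumption: your firewall's local admin names

# Constructed GlobalProtect records; field names are illustrative.
SAMPLE_LOGS = [
    {"ts": "2026-05-17T03:12:09Z", "src_ip": "104.207.144.154", "user": "admin",
     "auth_method": "Cookie", "machine": "GP-CLIENT", "mac": "aa:bb:cc:dd:ee:ff", "vpn_ip": ""},
    {"ts": "2026-05-21T11:40:51Z", "src_ip": "146.19.216.120", "user": "admin",
     "auth_method": "Cookie", "machine": "DESKTOP-GP01", "mac": "AA:BB:CC:DD:EE:FF", "vpn_ip": "10.20.0.37"},
    {"ts": "2026-05-21T12:02:13Z", "src_ip": "203.0.113.8", "user": "corp\\jsmith",
     "auth_method": "LDAP", "machine": "LT-JSMITH", "mac": "3c:52:82:11:22:33", "vpn_ip": "10.20.0.41"},
    {"ts": "2026-05-22T08:15:00Z", "src_ip": "198.51.100.77", "user": "corp\\jsmith",
     "auth_method": "Cookie", "machine": "LT-JSMITH", "mac": "3c:52:82:11:22:33", "vpn_ip": "10.20.0.41"},
]


def hunt(records):
    """Return one finding per record that matches any indicator, tagged with
    the reasons it matched and whether a VPN session was actually established."""
    findings = []
    for r in records:
        reasons = []
        if r["src_ip"] in IOC_SOURCE_IPS:
            reasons.append("ioc_source_ip")
        if r["machine"].upper() in IOC_MACHINE_NAMES:
            reasons.append("ioc_machine_name")
        if r["mac"].lower() == IOC_SPOOFED_MAC:
            reasons.append("spoofed_mac")
        # Cookie auth by a domain user is normal; cookie auth to a local admin is not.
        if r["auth_method"].lower() == "cookie" and r["user"].lower() in LOCAL_ADMIN_ACCOUNTS:
            reasons.append("cookie_auth_local_admin")
        if not reasons:
            continue
        outcome = "session_established" if r["vpn_ip"] else "probe_only"
        findings.append({"ts": r["ts"], "src_ip": r["src_ip"], "user": r["user"],
                         "reasons": reasons, "outcome": outcome})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOGS):
        print(f["ts"], f["src_ip"], f["user"], f["outcome"], ",".join(f["reasons"]))
```

Findings marked `session_established` are the ones that warrant internal network review and credential rotation; `probe_only` hits still confirm the appliance is being targeted.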
Mitigation Steps
The strongest fix is to upgrade to a patched PAN-OS or Prisma Access version. Organizations that cannot upgrade immediately should disable authentication override where it is not operationally required.
Administrators should also generate a dedicated certificate only for authentication override cookies. They should not reuse the portal or gateway certificate for that purpose, and they should not share the authentication override certificate with other features or users.
Because CISA lists CVE-2026-0257 in the KEV catalog, organizations should prioritize remediation even if some tooling labels the issue as high or medium rather than critical.
Why VPN Authentication Bypass Bugs Are So Serious
Enterprise VPN appliances sit at the network edge. When attackers bypass authentication on a VPN, the incident can quickly move from perimeter exposure to internal access.
The NVD vulnerability record gives CVE-2026-0257 a CVSS 3.1 score of 9.1 and describes high confidentiality and integrity impact. That reflects the practical risk of unauthorized VPN access into sensitive environments.
Even limited exploitation should trigger urgent review. The combination of edge exposure, active exploitation, cookie-based authentication abuse, and public attention leaves little room for delayed remediation.
The Bottom Line
CVE-2026-0257 is not exposed on every PAN-OS device, but affected GlobalProtect deployments need immediate review. The vulnerable condition requires authentication override cookies and a risky certificate configuration, yet real-world exploitation has already occurred.
Security teams should patch affected versions, disable unnecessary authentication override settings, isolate the authentication override certificate, hunt through GlobalProtect logs, and investigate any suspicious VPN session that used cookie-based authentication.
FAQ
CVE-2026-0257 is an authentication bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS. It can allow a remote unauthenticated attacker to establish an unauthorized VPN connection under specific configurations.
Yes. Palo Alto Networks says it is aware of limited exploit attempts on unpatched PAN-OS devices without mitigations applied. Rapid7 also observed successful exploitation across multiple customer environments.
The issue affects GlobalProtect portal or gateway deployments where authentication override cookies are enabled and the authentication override certificate is shared with another feature, such as the portal or gateway HTTPS service.
Admins should upgrade to a fixed PAN-OS or Prisma Access version, disable authentication override if it is not needed, and use a dedicated certificate exclusively for authentication override cookies.
Defenders should search for source IPs 104.207.144[.]154 and 146.19.216[.]119, 146.19.216[.]120, 146.19.216[.]125, machine names GP-CLIENT and DESKTOP-GP01, and spoofed MAC address aa:bb:cc:dd:ee:ff in GlobalProtect logs.