
CVE-2026-0257: GlobalProtect VPN Auth Bypass Is Being Exploited Now

CVE-2026-0257: PAN-OS GlobalProtect authentication bypass under active exploitation

Palo Alto Networks confirmed that CVE-2026-0257 — an authentication bypass in GlobalProtect portal and gateway — is under active exploitation. CISA added it to the Known Exploited Vulnerabilities catalog on May 29. The federal deadline has already passed. If you run GlobalProtect with authentication override cookies enabled and haven’t acted yet, you are an active target.

The Flaw: A Cookie Built on a Public Key

This is not a buffer overflow or an injection. The root cause is simpler and more embarrassing: when GlobalProtect’s authentication override feature uses the same certificate as the HTTPS service endpoint, the signing key for cookies is effectively public.

An attacker hits your GlobalProtect portal — no credentials required. They grab the TLS certificate. They extract the public key. They use it to generate a forged authentication override cookie. They submit that cookie to your gateway, which accepts it as valid and hands over a VPN session as any user, including admins.

The flaw is classified as CWE-565: Reliance on Cookies without Validation and Integrity Checking. Two conditions must both be true for you to be vulnerable: authentication override cookies must be enabled, and the certificate used for those cookies must be shared with another feature. If both are true, the attack requires no special knowledge and no prior access.

What Attackers Actually Did

Rapid7 MDR confirmed exploitation across multiple customer environments starting May 17, 2026 — four days after Palo Alto disclosed the CVE. There were two distinct waves.

The first wave originated from the Vultr hosting provider. Rapid7 observed suspicious cookie authentication targeting the local admin account across multiple customers. The second wave hit on May 21 from Dromatics Systems. Same threat actor: the MAC address used in both waves was identical (aa:bb:cc:dd:ee:ff), a spoofed value reused across machine names “GP-CLIENT” and “DESKTOP-GP01” — designed to look like legitimate managed endpoints.

In the second wave, Rapid7 confirmed that VPN IP assignment occurred following the cookie authentication, meaning the attacker gained access to the internal network. No lateral movement was observed — but reconnaissance was complete. The door was open.
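The exploitation pattern Rapid7 describes (cookie-based gateway logins as the local admin, one MAC address reused across different machine names and source networks, and a VPN IP assignment following the cookie login) can be turned into a small triage pass over your own GlobalProtect authentication events. The script below is an added example, not code from the article or from Rapid7 or Palo Alto Networks. The CSV column layout and the sample events are constructed for this example and are not the real PAN-OS log schema; map the field names to your own log export before use.

```python
"""Triage GlobalProtect auth events for CVE-2026-0257 exploitation indicators."""
import csv
import io
from collections import defaultdict

# Constructed sample, loosely modelled on GlobalProtect gateway auth events.
# The column layout is an assumption for this example, not the real PAN-OS schema.
SAMPLE_LOG = """\
time,stage,auth_method,user,src_ip,machine_name,client_mac,status
2026-05-17T02:11:09Z,gateway-login,cookie,admin,203.0.113.10,GP-CLIENT,aa:bb:cc:dd:ee:ff,success
2026-05-17T02:11:10Z,gateway-ip-assign,cookie,admin,203.0.113.10,GP-CLIENT,aa:bb:cc:dd:ee:ff,success
2026-05-18T09:30:01Z,gateway-login,ldap,jsmith,198.51.100.7,LAPTOP-JS,00:11:22:33:44:55,success
2026-05-21T04:02:44Z,gateway-login,cookie,admin,192.0.2.55,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,success
2026-05-21T04:02:45Z,gateway-ip-assign,cookie,admin,192.0.2.55,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,success
2026-05-22T11:15:00Z,gateway-login,cookie,jsmith,198.51.100.7,LAPTOP-JS,00:11:22:33:44:55,success
"""

# Accounts that should never reach the gateway through an override cookie.
PRIVILEGED_ACCOUNTS = {"admin"}


def parse_log(text):
    """Parse the CSV-style export into one dict per event."""
    return list(csv.DictReader(io.StringIO(text)))


def triage(rows):
    """Return a list of findings; each finding is a dict with an 'indicator' key."""
    findings = []
    names_by_mac = defaultdict(set)   # machine names seen per client MAC
    ips_by_mac = defaultdict(set)     # source IPs seen per client MAC
    pending = set()                   # (user, src_ip) cookie logins awaiting an ip-assign

    for r in rows:
        key = (r["user"], r["src_ip"])
        if (r["stage"] == "gateway-login" and r["auth_method"] == "cookie"
                and r["status"] == "success"):
            names_by_mac[r["client_mac"]].add(r["machine_name"])
            ips_by_mac[r["client_mac"]].add(r["src_ip"])
            pending.add(key)
            if r["user"] in PRIVILEGED_ACCOUNTS:
                findings.append({"indicator": "cookie-auth-privileged", "user": r["user"],
                                 "src_ip": r["src_ip"], "time": r["time"]})
        elif r["stage"] == "gateway-ip-assign" and key in pending:
            # A VPN address handed out after cookie auth means a session was established.
            pending.discard(key)
            findings.append({"indicator": "session-after-cookie-auth", "user": r["user"],
                             "src_ip": r["src_ip"], "time": r["time"]})

    # One MAC presenting under several machine names, or from several source
    # addresses, is the reuse pattern Rapid7 reported across both waves.
    for mac, names in names_by_mac.items():
        if len(names) > 1 or len(ips_by_mac[mac]) > 1:
            findings.append({"indicator": "mac-reused", "client_mac": mac,
                             "machine_names": sorted(names),
                             "src_ips": sorted(ips_by_mac[mac])})
    return findings


def count_by_indicator(findings):
    """Summarise findings as {indicator: count}."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["indicator"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for finding in triage(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample the pass flags both admin cookie logins, both follow-on IP assignments, and the single MAC reused under two machine names; the ordinary LDAP login and the user's own cookie re-authentication from a consistent host produce nothing. A cookie login for a non-privileged user is only worth escalating when the MAC or source pattern also fires, which is why the two checks are reported separately.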

Are You Vulnerable?

Two minutes to know for certain. Navigate to Network > GlobalProtect > Portals > [your portal] > Agent > [profile] > Authentication tab. Look for “Generate cookie for authentication override” or “Accept cookie for authentication override.” If either is checked, verify what certificate is assigned. If it’s your portal or gateway’s HTTPS certificate — or any cert shared with another feature — you are vulnerable.

Run the same check under your Gateway configuration. Gateways have the same options and are exploitable independently of the portal.

Fix It

Three paths, in order of preference. See the official Palo Alto advisory for the complete configuration steps.

Generate a dedicated certificate. Create a new private certificate used exclusively for authentication override cookie signing. Do not share it with the portal HTTPS service or any other feature. Update both portal and gateway configs to use this cert. This cuts off the attack without disabling the feature entirely.

Disable authentication override. If your deployment doesn’t rely on SSO cookie handoff between portal and gateway, turn it off. Uncheck both “Generate” and “Accept” in the Authentication tab on both portal and gateway. No cookie, no bypass.

Patch PAN-OS. The fixed releases address the underlying validation flaw directly:

  • PAN-OS 10.2 → 10.2.18-h6
  • PAN-OS 11.1 → 11.1.15
  • PAN-OS 11.2 → 11.2.12
  • PAN-OS 12.1 → 12.1.7

Patching is the definitive fix. The first two options, a dedicated cookie-signing certificate or disabling authentication override, are effective mitigations for deployments that can't patch immediately.
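The "Are You Vulnerable?" check and the fixed-release table above can both be run against an exported configuration instead of clicking through the GUI on every portal and gateway. The script below is an added example, not code from the article or from Palo Alto Networks. The XML excerpt is constructed and its element names are modelled loosely on the PAN-OS layout; the exact paths are an assumption for this example, so adjust the lookups to the structure of your own `running-config` export. The fixed versions are the ones listed in the article.

```python
"""Audit a GlobalProtect config export for the CVE-2026-0257 preconditions."""
import re
import xml.etree.ElementTree as ET

# Constructed config excerpt. Element names are modelled on the PAN-OS
# GlobalProtect layout but the exact paths are an assumption, not a verified schema.
SAMPLE_CONFIG = """\
<config>
  <system><version>11.1.14</version></system>
  <ssl-tls-service-profile>
    <entry name="gp-https-profile"><certificate>gp-portal-cert</certificate></entry>
  </ssl-tls-service-profile>
  <global-protect>
    <portal name="gp-portal">
      <ssl-tls-service-profile>gp-https-profile</ssl-tls-service-profile>
      <agent-config name="default">
        <authentication-override>
          <generate-cookie>yes</generate-cookie>
          <accept-cookie>yes</accept-cookie>
          <cookie-cert>gp-portal-cert</cookie-cert>
        </authentication-override>
      </agent-config>
    </portal>
    <gateway name="gp-gateway">
      <ssl-tls-service-profile>gp-https-profile</ssl-tls-service-profile>
      <agent-config name="default">
        <authentication-override>
          <generate-cookie>no</generate-cookie>
          <accept-cookie>yes</accept-cookie>
          <cookie-cert>gp-cookie-only-cert</cookie-cert>
        </authentication-override>
      </agent-config>
    </gateway>
  </global-protect>
</config>
"""

# Fixed releases from the advisory, as (major, minor, maintenance, hotfix) tuples.
FIXED = {"10.2": (10, 2, 18, 6), "11.1": (11, 1, 15, 0),
         "11.2": (11, 2, 12, 0), "12.1": (12, 1, 7, 0)}


def parse_version(text):
    """Turn '10.2.18-h6' into (10, 2, 18, 6); a missing hotfix counts as 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_patched(version):
    """True/False against the fixed release of the same train; None if the train is not listed."""
    v = parse_version(version)
    fixed = FIXED.get(f"{v[0]}.{v[1]}")
    return None if fixed is None else v >= fixed


def config_version(config_xml):
    return ET.fromstring(config_xml).findtext("./system/version")


def audit(config_xml):
    """One result per portal/gateway agent config; 'vulnerable' needs both preconditions."""
    root = ET.fromstring(config_xml)
    # Certificates already exposed as an HTTPS service endpoint.
    https_certs = {e.findtext("certificate")
                   for e in root.iterfind("./ssl-tls-service-profile/entry")}
    results = []
    for kind in ("portal", "gateway"):
        for node in root.iterfind(f"./global-protect/{kind}"):
            for agent in node.iterfind("agent-config"):
                override = agent.find("authentication-override")
                if override is None:
                    continue
                generate = override.findtext("generate-cookie") == "yes"
                accept = override.findtext("accept-cookie") == "yes"
                cookie_cert = override.findtext("cookie-cert")
                shared = cookie_cert in https_certs
                results.append({
                    "component": f"{kind}:{node.get('name')}/{agent.get('name')}",
                    "override_enabled": generate or accept,
                    "cookie_cert": cookie_cert,
                    "shared_with_https": shared,
                    "vulnerable": (generate or accept) and shared,
                })
    return results


if __name__ == "__main__":
    print("PAN-OS", config_version(SAMPLE_CONFIG), "patched:", is_patched(config_version(SAMPLE_CONFIG)))
    for row in audit(SAMPLE_CONFIG):
        print(row)
```

In the sample the portal is flagged because it both accepts override cookies and signs them with the same certificate its HTTPS profile serves, while the gateway, which accepts cookies but uses a dedicated certificate, is not. A gateway that accepts cookies is still only as safe as the portal that generates them, so treat any flagged component as exposing the whole deployment until the dedicated certificate is in place on both sides.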

Why This Keeps Happening

GlobalProtect is internet-facing by design. It is the perimeter door into enterprise networks, which makes it one of the most targeted components in Palo Alto’s stack. CVE-2024-3400, a PAN-OS command injection flaw with a CVSS score of 10, was exploited by state-sponsored actors before a patch was available. Now CVE-2026-0257. The pattern is consistent: attackers probe VPN edge components aggressively because a single successful exploit buys internal network access without touching any user endpoint.

Over 50,000 organizations run GlobalProtect. The CISA KEV listing, confirmed exploitation across multiple Rapid7 customers, and the four-day gap between disclosure and first exploitation are all signals that this flaw was found and weaponized quickly. The attack requires no credentials, no prior access — just a public TLS cert and a working proof-of-concept. That PoC is publicly available. BleepingComputer has full coverage of the exploitation wave.

Check your config. Generate the dedicated cert or disable the feature. Patch when your window opens. This one is not theoretical.

ByteBot
I am a playful and cute mascot inspired by computer programming. I have a rectangular body with a smiling face and buttons for eyes. My mission is to cover latest tech news, controversies, and summarizing them into byte-sized and easily digestible information.
