Summary
CVE-2026-0257 is a high-severity authentication bypass vulnerability in the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS. It stems from inadequate validation of authentication override cookies (CWE-565), enabling unauthenticated remote attackers to forge valid session cookies and establish unauthorized VPN connections into corporate networks. CISA added this vulnerability to the Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026, with a federal remediation deadline of June 1, 2026, confirming active exploitation in the wild.
Technical details
- Root cause: The GlobalProtect authentication override feature issues encrypted cookies that substitute for re-authentication. PAN-OS performs no signature verification on the decrypted cookie content and does not enforce the use of a dedicated certificate for cookie encryption. When an organization reuses the same TLS certificate for both the GlobalProtect HTTPS service and the authentication override cookie encryption, an attacker can extract the certificate’s public key from the public-facing TLS handshake and use it to forge arbitrary authentication cookies.
- Trigger conditions: Exploitation requires that (1) the GlobalProtect authentication override cookie feature is enabled, and (2) the same certificate is used for both the portal/gateway HTTPS service and cookie encryption. This is a non-default configuration but was observed in a significant number of real-world deployments based on the scale of confirmed exploitation.
- Attack vector: Network-accessible, unauthenticated. An attacker retrieves the certificate chain from the target’s public HTTPS endpoint, extracts the public key, forges an authentication override cookie, and presents it to the GlobalProtect gateway or portal to obtain an authorized-looking VPN session without valid credentials.
- Impact: Full authentication bypass of a VPN gateway, allowing attackers to establish authorized VPN sessions into the target corporate network and gain access to internal resources.
Affected software
- Palo Alto Networks PAN-OS 10.2.x — versions prior to 10.2.18-h6
- Palo Alto Networks PAN-OS 11.1.x — versions prior to 11.1.15
- Palo Alto Networks PAN-OS 11.2.x — versions prior to 11.2.12
- Palo Alto Networks PAN-OS 12.1.x — versions prior to 12.1.7 (or 12.1.4-h6 on applicable hotfix tracks)
- Prisma Access is also affected; Cloud NGFW and Panorama are not impacted.
Severity
CVSS v3.1 Base Score: 9.1 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Mitigation and recommended actions
- Immediate (patch): Upgrade to a fixed PAN-OS release — 10.2.18-h6, 11.1.15, 11.2.12, or 12.1.7 (or later within each branch). All GlobalProtect components should be upgraded simultaneously to maintain cookie compatibility.
- Interim workaround (if patching is not immediately feasible):
  - Disable the GlobalProtect authentication override cookie feature entirely, or
  - Ensure that the certificate used to encrypt and decrypt authentication override cookies is a dedicated certificate and is never shared with the GlobalProtect portal or gateway HTTPS service.
- Detection: Review GlobalProtect session logs for unrecognized VPN sessions, particularly those authenticated via cookie to local administrator accounts. Indicators of compromise from observed exploitation include source IPs 104.207.144.154 and 146.19.216.119–125, machine names DESKTOP-GP01, GP-CLIENT, and Jocker, and the spoofed MAC address aa:bb:cc:dd:ee:ff.
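As an added example (not part of the IONIX advisory and not a Palo Alto Networks tool), the following Python triage script applies the indicators listed above to exported session records and also flags the cookie-to-local-admin pattern the detection guidance calls out. The CSV schema, the sample records and the LOCAL_ADMIN_ACCOUNTS set are constructed assumptions, not the PAN-OS log format.

```python
import csv
import ipaddress
from io import StringIO

# Indicators quoted in the advisory above (146.19.216.119-125 is an inclusive range).
IOC_SOURCE_IPS = {ipaddress.ip_address("104.207.144.154")} | {
    ipaddress.ip_address(f"146.19.216.{last}") for last in range(119, 126)
}
IOC_MACHINE_NAMES = {"DESKTOP-GP01", "GP-CLIENT", "Jocker"}
IOC_MAC = "aa:bb:cc:dd:ee:ff"

# Assumption: local (non-directory) administrator accounts defined on the firewall.
LOCAL_ADMIN_ACCOUNTS = {"admin", "gpadmin"}

# Constructed sample export in a simplified schema; this is NOT the PAN-OS log format.
SAMPLE_LOG = """time,src_ip,user,auth_method,machine_name,mac
2026-05-28T09:14:02Z,203.0.113.10,alice,LDAP,ALICE-LAPTOP,3c:22:fb:1a:2b:3c
2026-05-28T09:20:47Z,146.19.216.121,admin,cookie,DESKTOP-GP01,aa:bb:cc:dd:ee:ff
2026-05-28T09:31:15Z,198.51.100.7,bob,cookie,BOB-PC,8c:85:90:aa:bb:cc
2026-05-28T10:02:33Z,104.207.144.154,gpadmin,cookie,Jocker,aa:bb:cc:dd:ee:ff
"""


def find_indicators(record):
    """Return the reasons one session record is suspicious (empty list if none)."""
    reasons = []
    try:
        src = ipaddress.ip_address(record["src_ip"])
    except ValueError:
        src = None  # malformed field: skip the IP check rather than crash the triage
    if src in IOC_SOURCE_IPS:
        reasons.append(f"source IP {src} is a published exploitation source")
    if record["machine_name"] in IOC_MACHINE_NAMES:
        reasons.append(f"machine name {record['machine_name']} matches observed attacker host")
    if record["mac"].lower() == IOC_MAC:
        reasons.append("spoofed MAC address seen in exploitation")
    # Behavioural check from the advisory: cookie-based auth to a local admin account.
    if record["auth_method"].lower() == "cookie" and record["user"] in LOCAL_ADMIN_ACCOUNTS:
        reasons.append(f"cookie authentication to local admin account {record['user']}")
    return reasons


def triage(log_text):
    """Return [(time, user, reasons)] for every record carrying at least one indicator."""
    hits = []
    for record in csv.DictReader(StringIO(log_text)):
        reasons = find_indicators(record)
        if reasons:
            hits.append((record["time"], record["user"], reasons))
    return hits
```

Ordinary cookie re-authentication by a directory user (the "bob" record) is deliberately not flagged; only the published indicators and the local-admin pattern raise a hit.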
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

