A critical authentication-bypass vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access is being actively exploited by threat actors.
In response to mounting attacks, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026.
While the flaw carries a medium CVSSv4 score, security researchers at Rapid7 are urging organizations to treat it as a critical-priority threat requiring immediate remediation.
Palo Alto Networks initially disclosed CVE-2026-0257 on May 13, 2026. The vulnerability allows a remote, unauthenticated attacker to forge authentication override cookies and establish unauthorized VPN connections through the GlobalProtect gateway.
The flaw lies in the non-default "authentication override" feature, which issues session cookies to authenticated users so they do not have to log in repeatedly.
The vulnerability becomes exploitable when the certificate used to encrypt these cookies is shared with another service, such as the portal's HTTPS service.
Because the decryption routine in the /usr/local/bin/gpsvc binary performs no signature verification, an attacker who extracts the public key from the exposed HTTPS certificate can encrypt a forged cookie that the gateway will accept, bypassing authentication entirely.
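To make the design flaw concrete, here is an added toy model in Python. It is not PAN-OS code and not the gpsvc cookie format (which the article does not describe); the key, the JSON claim layout, the GATEWAY_MAC_KEY secret and the function names are all assumptions for illustration, and the "RSA" is a textbook one-byte-per-block toy with tiny primes. The vulnerable variant treats "decrypts to well-formed claims" as proof of authenticity, so anyone holding the public key from the shared certificate can mint a cookie. The hardened variant additionally authenticates the claims with an HMAC under a key only the gateway holds; that is the general fix for this class of flaw, not a description of Palo Alto's patch, which the page does not detail.

```python
import hashlib
import hmac
import json

# Toy textbook RSA key (tiny primes, no padding): enough to model the design
# flaw, nothing like a real key. Every name and format here is an assumption.
P, Q = 61, 53
N = P * Q                 # 3233
E = 17                    # public exponent; (E, N) is what a TLS certificate exposes
D = 2753                  # private exponent; E * D == 1 (mod lcm(P-1, Q-1))
PUBLIC_KEY, PRIVATE_KEY = (E, N), (D, N)

# Secret held by the gateway alone in the hardened variant (assumed value)
GATEWAY_MAC_KEY = b"gateway-only-secret"


def rsa_encrypt(pub, data):
    """Encrypt one byte per RSA block (toy; real systems use hybrid encryption)."""
    e, n = pub
    return [pow(b, e, n) for b in data]


def rsa_decrypt(priv, blocks):
    d, n = priv
    return bytes(pow(c, d, n) for c in blocks)


def canonical(claims):
    """Deterministic JSON encoding so the MAC covers exactly one byte string."""
    return json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()


# --- Vulnerable model: "decrypts cleanly" is mistaken for "authentic" ---

def vulnerable_accept(priv, cookie):
    """Return the user named in the cookie, with no check of who produced it."""
    try:
        claims = json.loads(rsa_decrypt(priv, cookie).decode())
    except (ValueError, UnicodeDecodeError):
        return None
    return claims.get("user") if isinstance(claims, dict) else None


def forge_cookie(pub, user):
    """Anyone with the public key (e.g. from the shared HTTPS cert) can do this."""
    return rsa_encrypt(pub, canonical({"user": user}))


# --- Hardened model: claims are also authenticated with a gateway-only key ---

def issue_cookie(pub, mac_key, user):
    claims = {"user": user}
    tag = hmac.new(mac_key, canonical(claims), hashlib.sha256).hexdigest()
    return rsa_encrypt(pub, canonical({"claims": claims, "mac": tag}))


def hardened_accept(priv, mac_key, cookie):
    """Decrypt, then reject anything whose MAC was not made with mac_key."""
    try:
        body = json.loads(rsa_decrypt(priv, cookie).decode())
        claims, tag = body["claims"], body["mac"]
    except (ValueError, UnicodeDecodeError, KeyError, TypeError):
        return None
    if not isinstance(claims, dict) or not isinstance(tag, str):
        return None
    expected = hmac.new(mac_key, canonical(claims), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None
    return claims.get("user")


if __name__ == "__main__":
    forged = forge_cookie(PUBLIC_KEY, "admin")
    print("vulnerable gateway accepts forged cookie as:",
          vulnerable_accept(PRIVATE_KEY, forged))
    print("hardened gateway accepts forged cookie as:",
          hardened_accept(PRIVATE_KEY, GATEWAY_MAC_KEY, forged))
```

The point the model isolates: encryption under a public key gives confidentiality only, since by definition anyone can encrypt. Authenticity needs a secret the verifier alone holds (a MAC key or a signing key). Giving the cookie feature its own certificate, as the mitigation section advises, stops the public key from leaking through the HTTPS service, but the structural lesson is to never accept a decrypted blob as proof of origin.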
Rapid7 researchers observed the earliest confirmed exploitation of this flaw on May 17, 2026. During this initial wave, attackers sent suspicious cookie-based authentication requests for local admin accounts across multiple customer environments.
The malicious traffic originated from IP addresses hosted on Vultr. The attackers masqueraded as legitimate endpoints by presenting the device name GP-CLIENT together with a spoofed MAC address.
A second wave of attacks began on May 21, 2026, originating from the hosting provider Dromatics Systems.
In this phase, the threat actors used the device name DESKTOP-GP01 and, in some compromised environments, obtained full VPN IP assignments, giving them direct access to internal networks.
The consistent use of the same spoofed MAC address across both campaigns strongly suggests a single threat actor is behind these attacks. Notably, eight of the ten impacted Rapid7 MDR customers saw only authentication probes rather than full VPN session establishment.
Indicators of Compromise
| Indicator | Description |
|---|---|
| 104.207.144[.]154 | Threat actor source IP (Wave 1, Vultr) |
| 146.19.216[.]119 / .120 / .125 | Threat actor source IPs (Wave 2, Dromatics) |
| aa:bb:cc:dd:ee:ff | Spoofed MAC address observed in both waves |
| GP-CLIENT | Device name, Linux authentication, May 17 |
| DESKTOP-GP01 | Device name, Windows authentication, May 21 |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang them only inside controlled threat-intelligence platforms such as MISP, VirusTotal, or your SIEM.
Administrators must immediately upgrade affected PAN-OS and Prisma Access instances to fixed releases to prevent network compromise.
For PAN-OS, the fixed versions include 12.1.4-h6, 12.1.7, 11.2.12, 11.1.15, and 10.2.18-h6. Prisma Access deployments on version 11.2.0 must upgrade to 11.2.7-h13 or later, while environments running version 10.2.0 must upgrade to 10.2.10-h36 or later.
Mitigation
To secure environments against this threat, administrators should first disable the authentication override feature entirely if it is not a strict operational requirement.
If the feature must remain active, security teams need to generate a dedicated certificate used exclusively for encrypting authentication override cookies and ensure it is never shared with the HTTPS service or any other feature.
Additionally, organizations are strongly advised to hunt for the indicators of compromise listed above across all VPN and GlobalProtect authentication logs.
As a final defensive measure, security operations centers should deploy detection rules that alert on suspicious GlobalProtect cookie authentication attempts targeting local administrator accounts.
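As an added example (not from Rapid7, Palo Alto Networks or the article), the Python below runs the indicators from the table above, plus the generic "cookie authentication against a local admin account" rule, over a few constructed log lines. The key=value layout of SAMPLE_LOG is an assumption for illustration only; real GlobalProtect system logs and their SIEM export differ, so parse_line must be adapted to your own export. LOCAL_ADMIN_ACCOUNTS is likewise an assumed, site-specific list. It goes slightly beyond the hunt the article describes by also reporting, per flagged source IP, whether the activity stayed a bare authentication probe or reached a VPN IP assignment, the distinction Rapid7 drew across its customers.

```python
import re

# IoCs from the Rapid7 report, re-fanged for matching. Keep this in a controlled
# analysis environment, as the defanging note above advises.
IOC_IPS = {"104.207.144.154", "146.19.216.119", "146.19.216.120", "146.19.216.125"}
IOC_DEVICE_NAMES = {"GP-CLIENT", "DESKTOP-GP01"}
IOC_MAC = "aa:bb:cc:dd:ee:ff"

# Assumed, site-specific list of local firewall administrator accounts
LOCAL_ADMIN_ACCOUNTS = {"admin", "panadmin"}

# Constructed sample lines in a simplified key=value layout (assumed format;
# real GlobalProtect system log fields differ).
SAMPLE_LOG = """\
2026-05-17T09:12:01Z event=auth user=admin srcip=104.207.144.154 device=GP-CLIENT mac=aa:bb:cc:dd:ee:ff method=cookie result=failed
2026-05-17T09:12:05Z event=auth user=alice srcip=203.0.113.7 device=ALICE-LAPTOP mac=00:11:22:33:44:55 method=cookie result=success
2026-05-21T14:03:44Z event=auth user=admin srcip=146.19.216.120 device=DESKTOP-GP01 mac=aa:bb:cc:dd:ee:ff method=cookie result=success
2026-05-21T14:03:46Z event=ip-assign user=admin srcip=146.19.216.120 device=DESKTOP-GP01 mac=aa:bb:cc:dd:ee:ff vpnip=10.8.0.23
2026-05-22T02:30:10Z event=auth user=admin srcip=198.51.100.9 device=WORKSTATION-77 mac=de:ad:be:ef:00:01 method=cookie result=failed
"""

KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict; adapt to your real export."""
    ts, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def classify(fields):
    """Return the reasons this record is suspicious (empty list if none)."""
    reasons = []
    if fields.get("srcip") in IOC_IPS:
        reasons.append("ioc-src-ip")
    if fields.get("device") in IOC_DEVICE_NAMES:
        reasons.append("ioc-device-name")
    if fields.get("mac", "").lower() == IOC_MAC:
        reasons.append("ioc-mac")
    # Behavioural rule, independent of the published IoCs: cookie-based
    # authentication aimed at a local admin account.
    if (fields.get("event") == "auth" and fields.get("method") == "cookie"
            and fields.get("user") in LOCAL_ADMIN_ACCOUNTS):
        reasons.append("cookie-auth-local-admin")
    return reasons


def hunt(log_text):
    """Flag suspicious records and say, per flagged source IP, how far it got."""
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    findings = [(i, r.get("srcip", "?"), classify(r)) for i, r in enumerate(records, 1)]
    findings = [f for f in findings if f[2]]
    flagged_ips = {src for _, src, _ in findings}
    # Default every flagged source to "probe-only"; upgrade it when a VPN IP
    # assignment from that source is seen (a full session was established).
    outcome = {ip: "probe-only" for ip in flagged_ips}
    for r in records:
        if r.get("event") == "ip-assign" and r.get("srcip") in flagged_ips:
            outcome[r["srcip"]] = "session-established:" + r.get("vpnip", "?")
    return findings, outcome


if __name__ == "__main__":
    found, outcomes = hunt(SAMPLE_LOG)
    for lineno, src, reasons in found:
        print(f"line {lineno}: {src} -> {', '.join(reasons)}")
    for src, state in outcomes.items():
        print(f"{src}: {state}")
```

Line 5 of the sample is deliberately not in the IoC list: it is caught only by the behavioural rule, which is why that rule belongs in the detection content alongside the atomic indicators. Sources that show up as "probe-only" still deserve investigation, since on the page's account most affected customers saw exactly that and nothing more.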