Severity: high | May 31, 2026

CVE-2026-0257: PAN-OS GlobalProtect Authentication Bypass Exploited in the Wild


CVE-2026-0257 is an authentication bypass in the GlobalProtect portal and gateway functionality of Palo Alto Networks PAN-OS and Prisma Access. Its CVSSv4 score is only medium, but the flaw is being actively exploited and was added to the CISA Known Exploited Vulnerabilities catalog on May 29, 2026. Cloud NGFW is not affected. The vulnerability requires a specific configuration combination: the Cloud Authentication Service is disabled, authentication override cookies are enabled on the portal or gateway, and the certificate used to encrypt those cookies is the same one (or shares key material with the one) that serves the device's HTTPS interface. A TLS certificate's public key is, by design, handed to every client that completes a handshake with the device, so under this configuration the key that protects the cookie is available to anyone who can reach the portal. The cookie is protected by encryption alone: the portal decrypts it and trusts its contents without verifying a signature or any other proof that the device itself issued it. An attacker can therefore encrypt a cookie of their own construction under the exposed public key and present it as a valid authentication override, bypassing all authentication controls, including multi-factor authentication.
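To make the mechanism concrete, the following is an added example in Go; it is not code from this brief, from Palo Alto Networks, or from the real PAN-OS cookie implementation. It shows the class of flaw described above: a token that is only public-key encrypted, with no integrity check, can be minted by anyone holding the public key, whereas an encrypt-then-MAC variant keyed with a secret only the device holds rejects the same forgery before decrypting it. The OverrideCookie structure, the RSA-OAEP and HMAC construction, and the cookie values are assumptions for illustration; the real cookie format is not described on this page.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// OverrideCookie is a hypothetical stand-in for the contents of an
// authentication override cookie, not the real PAN-OS cookie format.
type OverrideCookie struct {
	User    string `json:"user"`
	Expires int64  `json:"expires"`
}

// Vulnerable pattern: the cookie is only encrypted to the device's public key.
// Every TLS client receives that key, so anyone can mint a cookie.
func mintEncryptOnly(pub *rsa.PublicKey, c OverrideCookie) ([]byte, error) {
	plain, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// acceptEncryptOnly decrypts and trusts whatever comes out. Nothing proves the
// device itself issued the cookie: this is the class of flaw described above.
func acceptEncryptOnly(priv *rsa.PrivateKey, blob []byte) (OverrideCookie, error) {
	var c OverrideCookie
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, priv, blob, nil)
	if err != nil {
		return c, err
	}
	err = json.Unmarshal(plain, &c)
	return c, err
}

// Hardened pattern: encrypt-then-MAC with a secret only the device holds. The
// attacker can still produce a ciphertext but not the tag, so the forgery is
// rejected before it is ever decrypted. A signature made with a device-only
// private key would serve the same purpose.
const tagLen = sha256.Size

var errBadTag = errors.New("cookie rejected: authentication tag invalid")

func mintAuthenticated(pub *rsa.PublicKey, secret []byte, c OverrideCookie) ([]byte, error) {
	ct, err := mintEncryptOnly(pub, c)
	if err != nil {
		return nil, err
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(ct)
	return append(ct, mac.Sum(nil)...), nil
}

func acceptAuthenticated(priv *rsa.PrivateKey, secret, blob []byte) (OverrideCookie, error) {
	if len(blob) < tagLen {
		return OverrideCookie{}, errBadTag
	}
	ct, tag := blob[:len(blob)-tagLen], blob[len(blob)-tagLen:]
	mac := hmac.New(sha256.New, secret)
	mac.Write(ct)
	if !hmac.Equal(tag, mac.Sum(nil)) { // constant-time compare
		return OverrideCookie{}, errBadTag
	}
	return acceptEncryptOnly(priv, ct)
}

func main() {
	// The device's HTTPS key pair: its public half is handed to every TLS
	// client, which is exactly what the attacker starts from.
	devKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	pub := &devKey.PublicKey
	secret := make([]byte, 32) // device-only MAC key for the hardened scheme
	rand.Read(secret)

	// Attacker forges a cookie for a local admin account (constructed values).
	forged := OverrideCookie{User: "admin", Expires: 4102444800}
	blob, _ := mintEncryptOnly(pub, forged)

	c, err := acceptEncryptOnly(devKey, blob)
	fmt.Println("encrypt-only scheme:", c.User, err) // admin <nil>: forgery accepted

	_, err = acceptAuthenticated(devKey, secret, blob)
	fmt.Println("hardened scheme, forged:", err) // tag invalid: forgery rejected

	issued, _ := mintAuthenticated(pub, secret, forged)
	c, err = acceptAuthenticated(devKey, secret, issued)
	fmt.Println("hardened scheme, device-issued:", c.User, err) // admin <nil>
}
```

The second workaround in the brief (a certificate dedicated to cookie encryption) follows the same logic from the other side: if the cookie key is never presented in a TLS handshake, the attacker no longer has the public key to encrypt against. The hardened variant here goes further by making possession of the public key insufficient on its own.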

Rapid7 MDR observed active exploitation beginning May 17, 2026, four days after Palo Alto Networks published its advisory. Two distinct exploitation waves were detected, both originating from commodity cloud hosting infrastructure and both authenticating via the Cookie method to local administrator accounts without valid credentials. The same spoofed MAC address appeared in every authentication event across both waves, forensically linking the two campaigns despite their different source infrastructure. The client hostnames in the exploit traffic were generic system defaults rather than real workstation names, which points to automated tooling rather than interactive operator sessions.

In a subset of compromised environments, attackers progressed from authentication testing to establishing full VPN tunnels with assigned internal IP addresses, gaining direct access to the internal network. No lateral movement beyond initial VPN access had been observed at the time of reporting. Organizations that cannot patch immediately have two workaround options: disable authentication override cookies entirely, or replace the shared certificate with one dedicated exclusively to cookie encryption and never used for the portal or gateway HTTPS service. The second option works because the key that protects the cookie is then never presented to clients in a TLS handshake.

IP addresses (6)
104.207.144.154
146.19.216.119
146.19.216.120
146.19.216.125
209.38.154.221
79.130.26.202

Detections (8)


  • GlobalProtect Cookie Decryption Failure
  • GlobalProtect Authentication with Known Campaign MAC Address (aa:bb:cc:dd:ee:ff)
  • GlobalProtect Cookie Authentication to Local Admin Account from First-Time External IP
  • GlobalProtect Authentication from Known Exploit Tool Hostnames (DESKTOP-GP01, GP-CLIENT)
  • Cookie Authentication Attempts Against Multiple Distinct Local Account Names from Same Source IP
  • GlobalProtect Gateway Serving VPN on Unpatched PAN-OS Version
  • Burst of Cookie Authentication Events from Single Source IP
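The detections above are given by name only. The following is an added example, not code from this brief or from Rapid7, that runs equivalent logic over a small batch of constructed GlobalProtect authentication records: it matches the campaign MAC address, the exploit-tool hostnames and the IP indicators listed in this brief, and implements the first-time-IP, account-spray and burst rules with assumed thresholds. The AuthEvent field names, the local administrator account names, the thresholds and the sample events are this example's own assumptions, not the PAN-OS log schema; map them onto the parsed fields in your own telemetry. The cookie decryption failure and unpatched-version detections are not shown because they depend on device-side data the brief does not describe.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// AuthEvent is a constructed, simplified view of one GlobalProtect auth log
// record; field names are this example's own, not the PAN-OS log schema.
type AuthEvent struct {
	Time          time.Time
	SrcIP, User   string // client public IP; account name presented
	AuthMethod    string // "Cookie" for authentication override cookies
	Hostname, MAC string // client-reported machine name and host ID
}

// Indicators from the brief above; the local admin names are constructed.
var (
	campaignIPs = map[string]bool{"104.207.144.154": true, "146.19.216.119": true,
		"146.19.216.120": true, "146.19.216.125": true, "209.38.154.221": true, "79.130.26.202": true}
	campaignMAC   = "aa:bb:cc:dd:ee:ff"
	toolHostnames = map[string]bool{"DESKTOP-GP01": true, "GP-CLIENT": true}
	localAdmins   = map[string]bool{"admin": true, "gpadmin": true, "fwadmin": true}
)

// Assumed thresholds: burst window, cookie auths per IP in that window, distinct accounts per IP.
const burstWindow, burstCount, sprayCount = 60 * time.Second, 5, 3

type Alert struct{ Rule, SrcIP, Detail string }

// detect applies the brief's detections per source IP (one alert per rule and
// IP). knownIPs is the baseline of external IPs seen authenticating before.
func detect(events []AuthEvent, knownIPs map[string]bool) []Alert {
	byIP := map[string][]AuthEvent{}
	for _, e := range events {
		byIP[e.SrcIP] = append(byIP[e.SrcIP], e)
	}
	var alerts []Alert
	for ip, evs := range byIP {
		add := func(rule, detail string) { alerts = append(alerts, Alert{rule, ip, detail}) }
		var mac, host, admin bool
		users := map[string]bool{}
		var cookie []time.Time
		for _, e := range evs {
			mac = mac || strings.EqualFold(e.MAC, campaignMAC)
			host = host || toolHostnames[strings.ToUpper(e.Hostname)]
			if e.AuthMethod == "Cookie" {
				users[e.User] = true
				admin = admin || localAdmins[e.User]
				cookie = append(cookie, e.Time)
			}
		}
		if campaignIPs[ip] {
			add("ioc-ip", "source IP listed in the brief")
		}
		if mac {
			add("campaign-mac", "client host ID "+campaignMAC)
		}
		if host {
			add("tool-hostname", "client hostname matches known exploit tooling")
		}
		if admin && !knownIPs[ip] {
			add("admin-first-time-ip", "cookie auth to a local admin account from an unseen IP")
		}
		if len(users) >= sprayCount {
			add("account-spray", fmt.Sprintf("cookie auth against %d distinct accounts", len(users)))
		}
		sort.Slice(cookie, func(a, b int) bool { return cookie[a].Before(cookie[b]) })
		for i, j := 0, 0; j < len(cookie); j++ { // sliding window over sorted times
			for cookie[j].Sub(cookie[i]) > burstWindow {
				i++
			}
			if j-i+1 >= burstCount {
				add("cookie-burst", fmt.Sprintf("%d cookie auths within %s", j-i+1, burstWindow))
				break
			}
		}
	}
	return alerts
}

// sampleEvents is a constructed batch: a source matching every campaign indicator
// and spraying accounts, a benign known user, and an unseen IP hitting admin.
func sampleEvents() []AuthEvent {
	at := func(sec int) time.Time { return time.Date(2026, 5, 17, 10, 0, sec, 0, time.UTC) }
	var evs []AuthEvent
	for i, u := range []string{"admin", "gpadmin", "fwadmin", "root", "administrator"} {
		evs = append(evs, AuthEvent{at(8 * i), "146.19.216.119", u, "Cookie", "DESKTOP-GP01", "aa:bb:cc:dd:ee:ff"})
	}
	return append(evs,
		AuthEvent{at(40), "203.0.113.10", "jsmith", "Cookie", "JSMITH-LAPTOP", "3c:22:fb:01:02:03"},
		AuthEvent{at(50), "198.51.100.7", "admin", "Cookie", "WIN-PC", "00:11:22:33:44:55"})
}

var baselineIPs = map[string]bool{"203.0.113.10": true}

func main() {
	for _, a := range detect(sampleEvents(), baselineIPs) {
		fmt.Printf("%-20s %-16s %s\n", a.Rule, a.SrcIP, a.Detail)
	}
}
```

Grouping by source IP first keeps each rule to one alert per address, which is what an analyst wants from a spraying host that produces hundreds of events. The first-time-IP rule is the noisiest of the set in a real deployment; its baseline should be built from a window of successful authentications long enough to cover travelling users before it is switched on.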