
Critical

CA-26-017: Active Exploitation of PAN-OS Authentication Bypass (CVE-2026-0257)

By Adversary Tactics and Intelligence Team

Estimated Reading Time: 6 minutes

PAN-OS, Palo Alto Networks, GlobalProtect, Authentication Bypass, CVE-2026-0257, KEV

Source Material: Palo Alto Networks, CISA KEV | Technology: Palo Alto Networks PAN-OS GlobalProtect & Prisma Access | Targeted Industries: Opportunistic

Executive Summary

CISA, incident responders, and threat intelligence analysts have confirmed active, in-the-wild exploitation of CVE-2026-0257 by multiple distinct threat clusters. This vulnerability affects the 10.2, 11.1, 11.2, and 12.1 release branches of PAN-OS, as well as Prisma Access 10.2.0 – 10.2.10-h and Prisma Access 11.2.0 – 11.2.7-h. Administrators are advised to immediately apply the official vendor hotfixes as designated in the vendor’s official advisory.

A proof-of-concept (PoC) was made available via public GitHub repositories this week. The availability of this PoC lowers the barrier to entry, enabling a broader range of threat actors to target vulnerable infrastructure. Exploitation relies on a specific PAN-OS configuration. The vulnerability only affects perimeter firewalls where the GlobalProtect portal or gateway enables authentication override cookies, specifically environments checking “Generate cookie for authentication override” or “Accept cookie for authentication override” alongside a susceptible certificate configuration. If you run an affected version, immediate audit of this configuration state is recommended. 

Threat Overview and Strategic Impact

CVE-2026-0257 allows threat actors to exploit the authentication override functionality to bypass gateway authentication. The authentication override cookie was designed to reduce MFA fatigue. It issues a cryptographic token proving prior authentication so users can reconnect without constant prompts. However, PAN-OS fails to properly validate the cryptographic authenticity of these client-supplied session tokens (CWE-565). A remote attacker can craft malicious HTTP requests to trick the GlobalProtect gateway into accepting a completely unauthenticated connection.

Edge devices like VPN concentrators and firewalls remain prime targets because they sit outside traditional EDR coverage and often suffer patching delays due to uptime constraints. Threat actors are weaponizing perimeter flaws faster than ever. Following the public release of the PoC, organizations should anticipate an increase in automated scanning and exploitation attempts. Successful compromise facilitates internal network reconnaissance, Active Directory enumeration, and subsequent payload deployment. 

Security Hardening and Recommendations

The most effective mitigation against CVE-2026-0257 is to update vulnerable systems immediately. Administrators are advised to apply the official vendor hotfixes (e.g., PAN-OS 11.1.13-h5) across all affected 10.2, 11.1, 11.2, and 12.1 release branches, as well as affected Prisma Access deployments. Please consult the vendor advisory for the exact hotfix version corresponding to your specific PAN-OS branch or Prisma Access environment. Applying the hotfix introduces a secure HMAC methodology (enable-auth-override-cookie-hmac), which forces all GlobalProtect users to re-authenticate and invalidates forged cookies.

If immediate patching is not feasible due to operational constraints, customers can mitigate the risk by taking either of the following actions:

  • Disable Authentication Override: Uncheck the Authentication Override options (for generating and accepting cookies) in the GlobalProtect portal and gateway configuration.
  • Use a Dedicated Certificate for Authentication Override Cookies: Generate a new certificate exclusively for authentication override cookies and store it securely. Do not reuse the portal or gateway certificate, and do not share this certificate with other features or users.

Detection Strategy

Apply anomaly detection to all GlobalProtect and Prisma Access session data. Monitor for session establishments from geographically improbable IP addresses, known malicious ASNs, or commercial VPN exit nodes. Check the HTTP headers and user-agent strings hitting the portal. Public PoC exploits often rely on hardcoded, non-standard Python or Go user agents that stand out sharply against legitimate GlobalProtect and Prisma Access client signatures. Post-exploitation hunts should isolate the internal VPN IP pool and look for rapid network scanning or anomalous Active Directory queries.

How Deepwatch Protects Our Customers

Deepwatch correlates perimeter firewall telemetry, identity authentication logs, and endpoint data to catch the subtle indicators of an authentication bypass. We continually refine our custom correlation rules to identify suspicious activity. We also leverage anomaly detection to flag impossible travel scenarios and suspicious user-agent strings hitting public-facing VPN infrastructure. Alongside automated alerts, our threat hunting teams periodically execute targeted campaigns across customer environments to retroactively identify potential pre-disclosure exploitation.

Relevant Detections

Please visit Security Center to access the relevant detections for this activity.

Threat Hunting Leads

  • Discrepancy Analysis: Cross-correlate firewall telemetry with Identity Provider (IdP) or central authentication logs. Specifically, filter for the “GlobalProtect Gateway Authentication” log event and cross-reference each entry against the IdP. A VPN session that exists in the firewall telemetry but lacks a corresponding authentication success event in the IdP is a critical anomaly and a likely bypass attempt. Baseline against historical override usage to filter false positives.
  • Geolocation & Impossible Travel: Isolate external IP addresses establishing GlobalProtect sessions. Flag connections from high-risk regions outside your operational footprint, or temporal anomalies where a user authenticates to a cloud service and a VPN from geographically distant locations simultaneously.
  • User-Agent Heuristics: Analyze Layer 7 traffic directed at /global-protect/getconfig.esp and /ssl-vpn/login.esp. Look for default programming libraries (python-requests, Go-http-client) or entirely blank User-Agent fields. Monitor for anomalous or unexpected User-Agent strings associated with client-supplied session tokens. Specifically, hunt for suspicious requests containing the Cookie: authcookie=[value] header originating from unmanaged devices or unexpected infrastructure.
  • Cryptographic Downgrades: In post-patch environments, monitor firewall system logs for abnormal spikes in cookie decrypt errors. This strongly indicates attackers attempting to fire legacy exploits at a hardened gateway.
  • Internal Reconnaissance: Treat the internal VPN IP pool as a potential source of compromise. Query NetFlow or firewall logs for single VPN IPs conducting horizontal port scans against internal subnets on administrative ports (SMB, RDP, SSH, WinRM).
  • Endpoint Credential Dumping: Monitor Active Directory logs for excessive LDAP queries or Kerberos Service Ticket requests originating from the VPN pool. Look for BloodHound/SharpHound execution or attempts to mount hidden shares (C$, ADMIN$) on domain controllers.
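The three log-driven leads above (Discrepancy Analysis, User-Agent Heuristics, and Internal Reconnaissance), together with the Detection Strategy section, are illustrated below in an added Python example. It is not Deepwatch code and is not tied to any real Palo Alto Networks log schema: the gateway authentication events, IdP success events, portal HTTP access lines, NetFlow-style records, the simplified log line format, the VPN pool 10.200.0.0/24 and the correlation window are all constructed assumptions. The endpoint paths, the python-requests and Go-http-client agents, the blank User-Agent case and the authcookie= header come from the lead text.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# --- Constructed sample telemetry (illustrative only, not from any real incident) ---

# GlobalProtect gateway authentication events: (ISO timestamp, user, public source IP)
GATEWAY_AUTH_EVENTS = [
    ("2026-02-03T08:00:01", "alice", "203.0.113.10"),
    ("2026-02-03T08:05:12", "bob", "198.51.100.7"),
    ("2026-02-03T08:06:40", "carol", "192.0.2.55"),  # no recent IdP success below
]

# Identity provider authentication success events: (ISO timestamp, user)
IDP_SUCCESS_EVENTS = [
    ("2026-02-03T07:59:50", "alice"),
    ("2026-02-03T08:05:01", "bob"),
    ("2026-02-02T18:00:00", "carol"),  # previous day, outside the correlation window
]

# Portal/gateway HTTP access lines in an assumed simplified format:
#   <src_ip> "<method> <path>" "<user-agent>" "<cookie header value>"
PORTAL_HTTP_LINES = [
    '203.0.113.10 "POST /ssl-vpn/login.esp" "PanGPS/6.2.0 (Windows)" ""',
    '192.0.2.55 "POST /ssl-vpn/login.esp" "python-requests/2.31.0" "authcookie=AAAA"',
    '192.0.2.56 "GET /global-protect/getconfig.esp" "" "authcookie=BBBB"',
    '192.0.2.57 "GET /global-protect/getconfig.esp" "Go-http-client/1.1" ""',
]

# NetFlow-style records seen inside the network: (src_ip, dst_ip, dst_port)
FLOW_RECORDS = [("10.200.0.15", f"10.0.1.{i}", 445) for i in range(1, 13)] + [
    ("10.200.0.15", "10.0.1.5", 3389),
    ("10.200.0.20", "10.0.1.5", 445),  # ordinary user reaching two file servers
    ("10.200.0.20", "10.0.1.6", 445),
    ("10.0.5.9", "10.0.1.7", 22),      # not in the VPN pool, so ignored
]

HUNTED_PATHS = {"/ssl-vpn/login.esp", "/global-protect/getconfig.esp"}
DEFAULT_LIBRARY_UA = re.compile(r"^(python-requests|Go-http-client)", re.IGNORECASE)
ADMIN_PORTS = {22, 445, 3389, 5985, 5986}          # SSH, SMB, RDP, WinRM
VPN_POOL = ipaddress.ip_network("10.200.0.0/24")   # assumed internal VPN client pool
HTTP_LINE = re.compile(r'^(\S+) "(\S+) (\S+)" "([^"]*)" "([^"]*)"$')


def sessions_without_idp_success(gateway_events, idp_events, window_seconds=900):
    """Discrepancy analysis: gateway sessions with no IdP success for the same
    user within the preceding window are candidates for a bypassed login."""
    idp_by_user = defaultdict(list)
    for ts, user in idp_events:
        idp_by_user[user].append(datetime.fromisoformat(ts))
    anomalies = []
    for ts, user, src_ip in gateway_events:
        gw_time = datetime.fromisoformat(ts)
        corroborated = any(
            0 <= (gw_time - idp_time).total_seconds() <= window_seconds
            for idp_time in idp_by_user.get(user, [])
        )
        if not corroborated:
            anomalies.append((user, src_ip))
    return anomalies


def suspicious_portal_requests(lines):
    """User-agent heuristics on the hunted endpoints: a default HTTP library
    agent or a blank User-Agent is flagged; authcookie presence is added as context."""
    hits = []
    for line in lines:
        m = HTTP_LINE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        src_ip, _method, path, user_agent, cookie = m.groups()
        if path not in HUNTED_PATHS:
            continue
        reasons = []
        if not user_agent.strip():
            reasons.append("blank-user-agent")
        elif DEFAULT_LIBRARY_UA.match(user_agent):
            reasons.append("default-library-user-agent")
        if not reasons:
            continue
        if "authcookie=" in cookie:
            reasons.append("authcookie-present")
        hits.append((src_ip, path, reasons))
    return hits


def horizontal_scans_from_vpn_pool(flows, pool=VPN_POOL, min_hosts=10):
    """Count distinct internal hosts each VPN-pool address touched on admin ports;
    one source fanning out past the threshold looks like a horizontal scan."""
    targets = defaultdict(set)
    for src_ip, dst_ip, dst_port in flows:
        if dst_port in ADMIN_PORTS and ipaddress.ip_address(src_ip) in pool:
            targets[src_ip].add(dst_ip)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_hosts}


if __name__ == "__main__":
    print(sessions_without_idp_success(GATEWAY_AUTH_EVENTS, IDP_SUCCESS_EVENTS))
    for hit in suspicious_portal_requests(PORTAL_HTTP_LINES):
        print(hit)
    print(horizontal_scans_from_vpn_pool(FLOW_RECORDS))
```

The correlation window and the host-count threshold are the tunables that absorb false positives: a legitimate override-cookie reconnect can land well after the last IdP success, so the window should be set from the historical override baseline the lead recommends, and the scan threshold should sit above the number of internal hosts a normal VPN user touches on administrative ports.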

Technical Artifacts 

Please visit Security Center to access the associated technical artifacts.

Threat Object Mapping

Intrusion Set:

  • Active, in-the-wild exploitation is currently attributed to a mix of Initial Access Brokers (IABs), Ransomware-as-a-Service (RaaS) affiliates, and unnamed state-sponsored espionage clusters.

Attack Pattern (MITRE ATT&CK):

Tactic | Technique | Technique ID | Associated Threat Activity
Initial Access | Exploit Public-Facing Application | T1190 | Automated internet-wide scanning and exploitation of the internet-facing GlobalProtect portal.
Initial Access | External Remote Services | T1133 | Subverting the legitimate VPN service to hide initial ingress within encrypted telecommuting traffic.
Defense Evasion | Valid Accounts | T1078 | Bypassing primary credentials to operate under the assumed security context of the hijacked profile.
Defense Evasion | Use Alternate Authentication Material: Web Cookies | T1550.004 | Leveraging the firewall’s validation failure to use manipulated tokens as alternate authentication material.
Lateral Movement | Exploitation of Remote Services | T1210 | Pivoting from the trusted internal VPN pool to scan subnets and exploit internal servers.
Discovery | Network Service Discovery | T1046 | Horizontal scanning from the VPN client IP to locate domain controllers and sensitive data repositories.

Vulnerabilities:

  • CVE-2026-0257

Malware/Tool:

  • Initial exploitation relies on bespoke Python or Go scripts heavily modified from public GitHub PoCs to evade signature detection. Post-compromise activity heavily features Cobalt Strike for C2, BloodHound/SharpHound for Active Directory mapping, and custom PowerShell scripts for lateral movement.

Additional Sources
