GBHackers

Palo Alto PAN-OS Authentication Bypass Vulnerability Actively Exploited in the Wild


A critical authentication-bypass vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access is being actively exploited by malicious actors.

In response to mounting attacks, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026.

While the flaw carries a medium CVSSv4 score, security researchers at Rapid7 are urging organizations to treat this as a critical-priority threat requiring immediate remediation.

Palo Alto Networks initially disclosed CVE-2026-0257 on May 13, 2026. The vulnerability allows a remote, unauthenticated attacker to forge authentication override cookies and establish unauthorized VPN connections through the GlobalProtect gateway.

This flaw lies in a non-default “authentication override” feature that issues session cookies to authenticated users, eliminating the need for repeated logins.

The vulnerability is triggered when the certificate used to encrypt these cookies is shared with another service, such as the portal’s HTTPS service.

Because the decryption process within the /usr/local/bin/gpsvc binary performs no signature verification, an attacker who extracts the public key from the exposed HTTPS certificate can easily forge a valid cookie and bypass authentication entirely.

Rapid7 researchers observed the earliest confirmed exploitation of this flaw on May 17, 2026. During this initial wave, attackers initiated suspicious cookie-based authentication requests to local admin accounts across multiple customer environments.

The malicious traffic originated from IP addresses hosted on Vultr. Attackers masqueraded as legitimate endpoints by utilizing the machine name GP-CLIENT alongside a spoofed MAC address.

A second wave of attacks commenced on May 21, 2026, originating from the hosting provider Dromatics Systems.

In this phase, threat actors used the machine name DESKTOP-GP01 and successfully secured full VPN IP assignments in some compromised environments, granting them direct access to internal networks.

The consistent use of the same spoofed MAC address across both campaigns strongly indicates a single threat actor is orchestrating these attacks. Notably, eight out of ten impacted Rapid7 MDR customers experienced only authentication probes rather than full VPN session establishment.

Indicators of Compromise

Indicator                          Description
104.207.144[.]154                  Threat actor source IP (Wave 1, Vultr)
146.19.216[.]119 / .120 / .125     Threat actor source IPs (Wave 2, Dromatics)
aa:bb:cc:dd:ee:ff                  Spoofed MAC address observed in both waves
GP-CLIENT                          Machine name, Linux authentication, May 17
DESKTOP-GP01                       Machine name, Windows authentication, May 21

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Administrators must immediately upgrade affected PAN-OS and Prisma Access instances to secure releases to prevent network compromise.

For organizations utilizing PAN-OS, key fixed versions include 12.1.4-h6, 12.1.7, 11.2.12, 11.1.15, and 10.2.18-h6. Those deploying Prisma Access version 11.2.0 must upgrade to 11.2.7-h13 or later, while environments running version 10.2.0 must upgrade to 10.2.10-h36 or later.

Mitigation

To secure environments against this threat, administrators should first disable the authentication override feature entirely if it is not a strict operational requirement.

If the feature must remain active, security teams need to generate a dedicated certificate exclusively for encrypting authentication override cookies and ensure it is never shared with the HTTPS service or any other network feature.

Additionally, organizations are strongly advised to hunt for the provided indicators of compromise across all VPN and GlobalProtect authentication logs.

As a final defensive measure, security operations centers should deploy relevant detection rules to monitor for suspicious GlobalProtect cookie authentication attempts targeting local administrator accounts.
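The following script is an added hunting example, not code from the article, Rapid7 or Palo Alto Networks. It combines the two recommendations above: it matches the article's indicators of compromise against authentication log records, and it flags any cookie-based GlobalProtect gateway authentication targeting a local administrator account even when no indicator matches. The log format is a constructed, simplified CSV (timestamp, event, stage, auth method, source IP, user, machine name, MAC, status) and is not the real PAN-OS GlobalProtect log schema; the indicator IPs are re-fanged inside the script, which is the kind of controlled tooling the note above has in mind.

```python
"""Hunt GlobalProtect-style authentication records for the article's IoCs.

Added example. The log layout below is constructed for illustration and is
NOT Palo Alto Networks' real GlobalProtect log format; adapt parse_log() to
your export (syslog, CSV from Monitor > Logs > GlobalProtect, or your SIEM).
"""
import csv
import io
from dataclasses import dataclass, field

# IoCs from the article, re-fanged for matching inside this tool only.
IOC_SOURCE_IPS = {
    "104.207.144.154",                                     # wave 1, Vultr
    "146.19.216.119", "146.19.216.120", "146.19.216.125",  # wave 2, Dromatics
}
IOC_MACHINE_NAMES = {"GP-CLIENT", "DESKTOP-GP01"}
IOC_MAC = "aa:bb:cc:dd:ee:ff"  # same spoofed MAC seen in both waves

# Constructed column layout (assumption, see module docstring).
FIELDS = ["timestamp", "event", "stage", "auth_method", "src_ip",
          "user", "machine_name", "mac", "status"]

# Constructed sample records: three lines mimic the reported waves, one is a
# benign SAML login, and the last is a cookie login to a local admin from an
# IP that is not in the IoC list (caught by the behavioural rule only).
SAMPLE_LOG = """\
2026-05-17T02:11:04Z,gateway-auth,login,cookie,104.207.144.154,admin,GP-CLIENT,aa:bb:cc:dd:ee:ff,failure
2026-05-17T02:11:09Z,gateway-auth,login,cookie,104.207.144.154,admin,GP-CLIENT,aa:bb:cc:dd:ee:ff,success
2026-05-18T09:30:00Z,gateway-auth,login,saml,203.0.113.10,jdoe,JDOE-LAPTOP,00:11:22:33:44:55,success
2026-05-21T14:02:51Z,gateway-auth,login,cookie,146.19.216.120,admin,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,success
2026-05-21T14:03:02Z,gateway-auth,login,cookie,198.51.100.7,localadmin,WS-44,de:ad:be:ef:00:01,success
"""


@dataclass
class Finding:
    line_no: int
    timestamp: str
    src_ip: str
    user: str
    status: str                    # "failure" = probe, "success" = session established
    reasons: list[str] = field(default_factory=list)


def parse_log(text: str) -> list[dict[str, str]]:
    """Parse the constructed CSV layout into one dict per record."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row.get("timestamp")]


def ioc_matches(row: dict[str, str]) -> list[str]:
    """Return a label for every article IoC the record matches."""
    hits = []
    if row["src_ip"] in IOC_SOURCE_IPS:
        hits.append(f"ioc-ip:{row['src_ip']}")
    if row["machine_name"] in IOC_MACHINE_NAMES:
        hits.append(f"ioc-machine:{row['machine_name']}")
    if row["mac"].lower() == IOC_MAC:
        hits.append("ioc-mac")
    return hits


def is_cookie_auth_to_local_admin(row: dict[str, str], local_admins: set[str]) -> bool:
    """Detection rule: authentication-override cookie login to a local admin account."""
    return (row["event"] == "gateway-auth"
            and row["auth_method"] == "cookie"
            and row["user"] in local_admins)


def hunt(text: str, local_admins: set[str]) -> list[Finding]:
    """Run IoC matching and the cookie/local-admin rule over every record."""
    findings = []
    for n, row in enumerate(parse_log(text), start=1):
        reasons = ioc_matches(row)
        if is_cookie_auth_to_local_admin(row, local_admins):
            reasons.append("cookie-auth-local-admin")
        if reasons:
            findings.append(Finding(n, row["timestamp"], row["src_ip"],
                                    row["user"], row["status"], reasons))
    return findings


if __name__ == "__main__":
    # Local admin account names are an assumption; use your firewall's local user list.
    for f in hunt(SAMPLE_LOG, {"admin", "localadmin"}):
        kind = "SESSION" if f.status == "success" else "PROBE"
        print(f"line {f.line_no} {f.timestamp} {f.src_ip} user={f.user} "
              f"[{kind}] {', '.join(f.reasons)}")
```

The status column lets an analyst separate probes from established sessions, the distinction the article draws between the eight customers that saw only authentication attempts and those where a VPN IP was assigned. The behavioural rule is deliberately independent of the IoC list so that the same attack pattern from new infrastructure is still surfaced.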
