The vulnerability identified as CVE-2026-0257 allows attackers to forge authentication cookies for Palo Alto Networks' GlobalProtect VPN, letting them bypass login protections entirely. Although Palo Alto Networks released a fix on May 13, Rapid7 confirmed active exploitation shortly afterwards across multiple affected environments.
This security flaw impacts the GlobalProtect portal and gateway components within PAN-OS. By exploiting it, attackers can circumvent authentication mechanisms and create unauthorized VPN sessions. Notably, the issue does not affect Panorama or Cloud NGFW systems.
At the core of the problem is a common misconfiguration: using the same certificate for both the HTTPS service and authentication-cookie encryption. In that case an attacker can extract the public key directly from the HTTPS communications and, with that key, generate valid authentication cookies for any account, including administrative users, without ever supplying credentials.
Rapid7 demonstrated the severity of the issue by developing a proof-of-concept exploit. The process involves retrieving the certificate chain, identifying usable keys, generating forged cookies, and testing access, all within seconds on vulnerable systems.
The vulnerability exists because the system improperly trusts decrypted cookie data. Once a cookie is decrypted with the private key, no additional integrity or signature check is performed on its contents, so a maliciously crafted cookie that decrypts cleanly is accepted as legitimate.
Rapid7 began detecting real-world attacks on May 18, 2026. The initial wave originated from infrastructure associated with the hosting provider Vultr. Logs revealed attackers successfully authenticating as local administrators using forged cookies. The activity included consistent identifiers such as the hostname “GP-CLIENT,” a Linux environment, and a spoofed MAC address of aa:bb:cc:dd:ee:ff.
A second wave followed on May 21, this time originating from Dromatics Systems. Attackers used a different hostname, “DESKTOP-GP01,” but retained the same spoofed MAC address. Based on this consistency, Rapid7 concluded with high confidence that both attack waves were conducted by the same threat actor.
In this second phase, some victims experienced full VPN access being granted, meaning the attacker successfully connected to internal networks. However, not all affected systems behaved the same; while most accepted the fraudulent cookies, only a subset established complete VPN sessions. The reason for this inconsistency remains unknown.
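The indicators from the two waves (the shared spoofed MAC and the two client hostnames) can be turned into a simple log sweep. The script below is an added example, not Rapid7's tooling or a PAN-OS feature; the log lines and their key=value layout are constructed for this example and are not the real GlobalProtect log format, so adapt the field names to your own export.

```python
"""Sweep constructed GlobalProtect-style login records for the CVE-2026-0257
indicators described in the article. Log format here is invented for the
example; only the indicator values (MAC, hostnames) come from the reporting."""
import re
from dataclasses import dataclass, field

# Indicators from the article: spoofed MAC shared by both waves,
# and the client hostnames observed in each wave.
SPOOFED_MAC = "aa:bb:cc:dd:ee:ff"
KNOWN_HOSTNAMES = {"GP-CLIENT", "DESKTOP-GP01"}

# Matches key=value and key="value with spaces" pairs.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

@dataclass
class Finding:
    line_no: int
    user: str
    reasons: list = field(default_factory=list)

def parse_fields(line: str) -> dict:
    """Turn a key=value record into a dict (quoted values unquoted)."""
    return {k: (inner if raw.startswith('"') else raw)
            for k, raw, inner in FIELD_RE.findall(line)}

def analyze(lines) -> list:
    """Return one Finding per record that carries a known indicator."""
    findings = []
    for n, line in enumerate(lines, 1):
        f = parse_fields(line)
        reasons = []
        if f.get("client_mac", "").lower() == SPOOFED_MAC:
            reasons.append("spoofed MAC seen in both attack waves")
        if f.get("hostname") in KNOWN_HOSTNAMES:
            reasons.append("client hostname seen in attack waves")
        # The article describes cookie-based logins succeeding without
        # credentials; flag that combination when an indicator is present.
        if reasons and f.get("auth") == "cookie" and f.get("result") == "success":
            reasons.append("cookie-only login succeeded")
        if reasons:
            findings.append(Finding(n, f.get("user", "?"), reasons))
    return findings

# Constructed sample records (documentation IP ranges, invented users).
SAMPLE_LOG = [
    'ts=2026-05-18T03:12:44Z src=203.0.113.10 user=admin hostname="GP-CLIENT" os=Linux client_mac=aa:bb:cc:dd:ee:ff auth=cookie result=success',
    'ts=2026-05-18T08:01:02Z src=198.51.100.7 user=jdoe hostname="JDOE-LAPTOP" os=Windows client_mac=00:1a:2b:3c:4d:5e auth=ldap result=success',
    'ts=2026-05-21T11:40:19Z src=203.0.113.55 user=admin hostname="DESKTOP-GP01" os=Linux client_mac=AA:BB:CC:DD:EE:FF auth=cookie result=success',
    'ts=2026-05-21T12:00:00Z src=198.51.100.9 user=asmith hostname="ASMITH-PC" os=macOS client_mac=00:1a:2b:3c:4d:60 auth=cookie result=success',
]

if __name__ == "__main__":
    for hit in analyze(SAMPLE_LOG):
        print(f"line {hit.line_no} user={hit.user}: {'; '.join(hit.reasons)}")
```

The MAC comparison is case-insensitive because the two constructed records deliberately differ in case; a real sweep should also pivot on the source IPs Rapid7 published.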
The vulnerability is only exploitable under specific conditions. Affected systems typically shared the following configurations:
- The Cloud Authentication Service was disabled
- Authentication override cookies were enabled
- The same certificate was used for both HTTPS and cookie encryption
Organizations not meeting these conditions are not at risk. However, those that do are strongly urged to take immediate action.
The primary mitigation is updating to a patched version of PAN-OS. As interim measures, organizations can disable the authentication override feature or assign a dedicated certificate used exclusively for cookie encryption. Rapid7 has also released a public proof-of-concept tool so organizations can test their own systems for exposure, and has published indicators of compromise, including attacker IPs and the known hostnames, to assist detection.
Initially, Palo Alto rated this vulnerability as medium severity due to its dependency on specific configurations. Rapid7, however, has strongly disagreed with this assessment, arguing that any flaw that enables authentication bypass on an internet-facing VPN granting direct network access should be treated as a critical risk.
