ctipilot.ch


UPDATE: PAN-OS GlobalProtect auth-bypass (CVE-2026-0257) — Unit 42 confirms attackers established working gateway sessions

From CTI Daily Brief — 2026-06-10 · published 2026-06-10

UPDATE (originally covered 2026-05-30): Unit 42's 9 June update on CVE-2026-0257 confirms that a limited number of probed PAN-OS GlobalProtect devices had attacker-established, gateway-connected VPN sessions, moving this from "exploit attempts observed" to confirmed successful exploitation (Unit 42, 2026-06-09). The bug (CWE-565, reliance on a cookie without integrity checking) lets an attacker extract the encryption certificate's public key from the TLS handshake and forge authentication-override cookies when that certificate is shared with another function; Rapid7 dates successful exploitation to 17 May from low-cost hosting IPs (Rapid7, 2026-05-29).

Affected: PAN-OS 10.2/11.1/11.2/12.1 and Prisma Access where authentication override is enabled with a shared certificate; patched in 12.1.7+, 11.2.12+, 11.1.15+, 10.2.18-h6+ and corresponding Prisma builds (Palo Alto Networks, 2026-06-03). Patch, then force one re-authentication so override cookies regenerate; as a workaround disable authentication override or assign it a dedicated certificate. Hunt GlobalProtect gateway logs for auth-method=cookie from unexpected source IPs.
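The hunt suggested above (cookie-authenticated, gateway-connected sessions from unexpected source addresses) as a worked example. This is added code, not from the brief or from Unit 42, Rapid7 or Palo Alto Networks: the key=value log layout, the field names `ts`, `gateway`, `src`, `user`, `stage`, the `EXPECTED_SOURCES` allow-list and all sample lines are constructed assumptions for illustration; only the `auth-method=cookie` indicator comes from the brief. Map the field names onto your own GlobalProtect log export before use.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample GlobalProtect gateway log lines. The key=value layout and
# the field names are an ASSUMED format for this example, not the real PAN-OS
# export schema; only "auth-method=cookie" is taken from the brief.
SAMPLE_LOG = """\
ts=2026-06-08T02:14:05Z gateway=gw-eu-1 src=203.0.113.45 user=jdoe stage=gateway-connected auth-method=cookie
ts=2026-06-08T08:03:11Z gateway=gw-eu-1 src=198.51.100.20 user=asmith stage=gateway-connected auth-method=cookie
ts=2026-06-08T08:05:40Z gateway=gw-eu-1 src=203.0.113.46 user=jdoe stage=gateway-connected auth-method=saml
ts=2026-06-08T09:30:02Z gateway=gw-eu-1 src=192.0.2.77 user=svc-backup stage=portal-prelogin auth-method=cookie
ts=2026-06-08T11:12:59Z gateway=gw-eu-1 src=192.0.2.78 user=bjones stage=gateway-connected auth-method=cookie
"""

# Constructed allow-list: source ranges from which cookie-based
# re-authentication is expected (corporate egress, known partner NAT, ...).
EXPECTED_SOURCES = [
    ipaddress.ip_network("198.51.100.0/24"),
]

KV_RE = re.compile(r"(\S+?)=(\S+)")


@dataclass
class Finding:
    ts: str
    user: str
    src: str
    gateway: str


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict (unknown keys are kept)."""
    return dict(KV_RE.findall(line))


def is_expected_source(src: str, allowed=EXPECTED_SOURCES) -> bool:
    """True if src falls inside one of the allow-listed networks."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparsable source is never "expected"
    return any(addr in net for net in allowed)


def hunt_cookie_sessions(lines: Iterable[str], allowed=EXPECTED_SOURCES) -> List[Finding]:
    """Return gateway-connected sessions that authenticated with an override
    cookie from a source outside the allow-list. Portal pre-login events and
    non-cookie auth methods are ignored so that only working gateway sessions
    (the condition Unit 42 confirmed) surface."""
    findings: List[Finding] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = parse_line(raw)
        if rec.get("auth-method") != "cookie":
            continue
        if rec.get("stage") != "gateway-connected":
            continue
        src = rec.get("src", "")
        if is_expected_source(src, allowed):
            continue
        findings.append(
            Finding(rec.get("ts", ""), rec.get("user", ""), src, rec.get("gateway", ""))
        )
    return findings


if __name__ == "__main__":
    for f in hunt_cookie_sessions(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.gateway} user={f.user} cookie auth from unexpected src={f.src}")
```

Every hit deserves a look rather than an automatic block: a legitimate user roaming onto a new network will also trip this rule, so pivot on the user and source to decide, and remember that after patching and the forced re-authentication described above, pre-patch cookies should no longer produce new hits at all.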