ctipilot.ch

PAN-OS GlobalProtect pre-auth authentication bypass

cve · CVE-2026-0257

Coverage timeline
6
first 2026-05-25 → last 2026-06-22
Peak priority
critical
1 critical · 2 high · 3 notable
Sources cited
5
5 hosts
Sections touched
5
deep-dive, trending-vulnerabilities, updates
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
5
pinned v19.1 · see below

ATT&CK techniques

5 techniques observed across 1 entry — derived from entry metadata and body evidence, never asserted without a published entry behind it · pinned to MITRE ATT&CK v19.1 · compare on the matrix · Navigator layer (JSON)

Initial Access TA0001

T1133External Remote Services×1

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

Evidence: 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · ATT&CK page ↗

Persistence TA0003

T1133External Remote Services×1

Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as VPNs, Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management and VNC can also be used externally.

Evidence: 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · ATT&CK page ↗

Stealth TA0005

T1036.005Masquerading: Match Legitimate Resource Name or Location×1

Adversaries may match or approximate the name or location of legitimate files, Registry keys, or other resources when naming/placing them. This is done for the sake of evading defenses and observation.

Evidence: 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · ATT&CK page ↗

Credential Access TA0006

T1539Steal Web Session Cookie×1

An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials. Web applications and services often use session cookies as an authentication token after a user has authenticated to a website.

Evidence: 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · ATT&CK page ↗

Discovery TA0007

T1046Network Service Discovery×1

Adversaries may attempt to get a listing of services running on remote hosts and local network infrastructure devices, including those that may be vulnerable to remote software exploitation. Common methods to acquire this information include port, vulnerability, and/or wordlist scans using tools that are brought onto a system.

Evidence: 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · ATT&CK page ↗

Lateral Movement TA0008

T1021.001Remote Services: Remote Desktop Protocol×1

Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.

Evidence: 2026-05-30/cve-2026-0257-pan-os-globalprotect-pre-auth-vpn-authenticati · ATT&CK page ↗

Story timeline

  1. 2026-06-22CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: authentication bypass under active exploitation
    weekly-vuln-rollup
  2. 2026-06-17PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory
    updates
  3. 2026-06-10PAN-OS GlobalProtect auth-bypass (CVE-2026-0257) — Unit 42 confirms attackers established working gateway sessions
    updates
  4. 2026-05-30CVE-2026-0257: PAN-OS GlobalProtect Pre-Auth VPN Authentication Bypass
    deep-dive
  5. 2026-05-30CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse
    trending-vulnerabilities
  6. 2026-05-25CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect pre-auth authentication bypass, exploited in two waves by the same actor
    weekly-top-stories

Where this entity is cited

  • updates2
  • weekly-top-stories1
  • trending-vulnerabilities1
  • deep-dive1
  • weekly-vuln-rollup1

Source distribution

  • arcticwolf.com1 (20%)
  • rapid7.com1 (20%)
  • security-hub.ncsc.admin.ch1 (20%)
  • security.paloaltonetworks.com1 (20%)
  • unit42.paloaltonetworks.com1 (20%)

explore in graph

Entries about PAN-OS GlobalProtect pre-auth authentication bypass (6)

2026-06-22 · view entry permalink →

NOTABLECVE-2026-0257exploited

CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: authentication bypass under active exploitation

First disclosed in May and KEV-listed on 2026-05-29, the GlobalProtect portal/gateway authentication bypass moved into a confirmed exploitation wave this week. Unit 42 observed active exploitation by an unidentified actor attempting to access GlobalProtect, with Arctic Wolf reporting increasing exploitation volume and NCSC-CH refreshing its advisory on 2026-06-16 (Unit 42; daily 06-17). Notably, Unit 42 states no post-access lateral movement had been identified as of its analysis — so the current operational signal is unauthorised VPN session establishment, not yet confirmed downstream compromise. Patch to the fixed PAN-OS trains, and hunt GlobalProtect logs for authentications that bypass the expected portal flow.

Palo Alto Networks Unit 42 has observed active exploitation of PAN-OS vulnerability CVE-2026-0257 by an unidentified threat actor attempting to access GlobalProtect.

No post-access behavior or lateral movement has been identified as of this time.

Unit 42
vulnerability22 Jun 00:14Zmulti-sourceOpen finding ↗

2026-06-17 · view entry permalink →

HIGHCVE-2026-0257exploitedupdate

PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory

UPDATE · originally covered CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse (2026-05-30)

Palo Alto's Unit 42 confirms an active exploitation campaign against the GlobalProtect cookie authentication-bypass (CVE-2026-0257) running since approximately late May (Unit 42, 2026-06-09). The flaw (CWE-565) decrypts an authentication-override cookie without any signature verification, letting an attacker forge a session and establish a VPN tunnel without credentials when the override feature is enabled (Palo Alto Networks PSIRT).

Arctic Wolf's telemetry documents post-exploitation consistent with Impacket tooling — SMB lateral movement, anonymous NTLM logon, share enumeration and domain-user discovery — across insurance, finance, manufacturing, education, engineering and healthcare targets in North America and Europe (Arctic Wolf, 2026-06-11). NCSC-CH refreshed its Security Hub advisory on 2026-06-16 to flag the Unit 42 confirmation (NCSC-CH Security Hub, 2026-06-16). Defenders: disable "Authentication Override" if not required, patch to fixed PAN-OS builds, and audit sessions since late May for Impacket-pattern lateral movement (EID 4624 Type 3 from unexpected IPs, SMB enumeration EID 5140/5145).

UPDATE (originally covered 2026-05-30): Palo Alto's Unit 42 confirms an active exploitation campaign against the GlobalProtect cookie authentication-bypass (CVE-2026-0257) running since approximately late May (Unit 42, 2026-06-09).

ctipilot v2 brief (migrated)
vulnerability17 Jun 05:14Zmulti-sourceOpen finding ↗

2026-06-10 · view entry permalink →

NOTABLECVE-2026-0257exploitedupdate

PAN-OS GlobalProtect auth-bypass (CVE-2026-0257) — Unit 42 confirms attackers established working gateway sessions

UPDATE · originally covered CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse (2026-05-30)

Unit 42's 9 June update on CVE-2026-0257 confirms that a limited number of probed PAN-OS GlobalProtect devices had attacker-established, gateway-connected VPN sessions, moving this from "exploit attempts observed" to confirmed successful exploitation (Unit 42, 2026-06-09). The bug (CWE-565, reliance on a cookie without integrity checking) lets an attacker extract the encryption certificate's public key from the TLS handshake and forge authentication-override cookies when that certificate is shared with another function; Rapid7 dates successful exploitation to 17 May from low-cost hosting IPs (Rapid7, 2026-05-29).

Affected: PAN-OS 10.2/11.1/11.2/12.1 and Prisma Access where authentication override is enabled with a shared certificate; patched in 12.1.7+, 11.2.12+, 11.1.15+, 10.2.18-h6+ and corresponding Prisma builds (Palo Alto Networks, 2026-06-03). Patch, then force one re-authentication so override cookies regenerate; as a workaround disable authentication override or assign it a dedicated certificate. Hunt GlobalProtect gateway logs for auth-method=cookie from unexpected source IPs.

UPDATE (originally covered 2026-05-30): Unit 42's 9 June update on CVE-2026-0257 confirms that a limited number of probed PAN-OS GlobalProtect devices had attacker-established, gateway-connected VPN sessions, moving this from "exploit attempts observed" to confirmed successful exploitation (Unit …

ctipilot v2 brief (migrated)
vulnerability10 Jun 05:00Zmulti-sourceOpen finding ↗

Earlier coverage (3)