CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse
From CTI Daily Brief — 2026-05-30 · published 2026-05-30
Authentication override cookies in PAN-OS GlobalProtect are encrypted using the portal or gateway certificate. When that same certificate is shared with another service (most commonly the HTTPS service — a non-default but operationally common configuration), an unauthenticated attacker can extract the certificate's public key from the HTTPS service and forge valid authentication override cookies, obtaining a full VPN session without credentials (Palo Alto Networks PSIRT, 2026-05-29).

Root cause: CWE-565 (Reliance on Cookies Without Validation and Integrity Checking). CVSS 4.0 = 7.8 HIGH (Exploit Maturity: ATTACKED).

Affected: PAN-OS 10.2.x, 11.1.x, 11.2.x, 12.1.x; Prisma Access 10.2 and 11.2. Panorama and Cloud NGFW are not affected.

Exploitation: Rapid7 MDR observed two exploitation waves — 18 May from Vultr-hosted infrastructure, 21 May from Dromatics Systems IP space — both sharing a deliberately spoofed, easily recognisable MAC address pattern and the machine names GP-CLIENT (Linux) and DESKTOP-GP01 (Windows), indicating a single actor (Rapid7 ETR, 2026-05-29). A public PoC is available. CISA added CVE-2026-0257 to KEV on 29 May.

Detection: GlobalProtect connection logs with cookie-based auth-override events sourced from unexpected IP blocks; sessions authenticating without a prior MFA web-step; PCAP anomaly of an identical MAC across geographically disparate sessions.

Immediate remediation: upgrade to fixed PAN-OS versions (10.2.7-h34+, 11.1.4-h33+, 11.2.4-h17+, 12.1.4-h6+ and subsequent maintenance releases — full version table in the vendor advisory); or disable authentication override cookies; or assign an exclusive certificate to GlobalProtect that is not shared with any other service.
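The three detection indicators above, turned into a small triage script as an added example for this brief (not vendor, Rapid7 or CISA code). It runs over constructed, simplified GlobalProtect-style records rather than the real PAN-OS log format; the expected egress block, the auth-method labels, the MFA window, and the use of the reported machine names as a stand-in for the MAC pattern (which the brief does not give) are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified records (NOT the real PAN-OS GlobalProtect log format):
# timestamp user source_ip auth_method machine_name
SAMPLE_LOG = """\
2026-05-21T08:00:05 alice 203.0.113.10 mfa-web alice-laptop
2026-05-21T08:00:40 alice 203.0.113.10 cookie-auth-override alice-laptop
2026-05-21T09:12:00 bob 198.51.100.77 cookie-auth-override GP-CLIENT
2026-05-21T09:15:00 bob 192.0.2.9 cookie-auth-override GP-CLIENT
2026-05-21T10:00:00 carol 203.0.113.44 cookie-auth-override DESKTOP-GP01
"""

EXPECTED_BLOCKS = [ipaddress.ip_network("203.0.113.0/24")]  # assumed corporate egress ranges
SUSPECT_NAMES = {"GP-CLIENT", "DESKTOP-GP01"}  # machine names reported by Rapid7 in the brief
MFA_WINDOW = timedelta(minutes=10)  # assumed: cookie use should follow an MFA step this recently

def parse(log_text):
    """Split each constructed record into typed fields."""
    rows = []
    for line in log_text.splitlines():
        ts, user, ip, method, host = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "user": user,
                     "ip": ipaddress.ip_address(ip), "method": method, "host": host})
    return rows

def detect(rows):
    """Return (user, reason, evidence) findings for suspicious auth-override sessions."""
    rows = sorted(rows, key=lambda r: r["ts"])
    last_mfa = {}                    # user -> time of most recent MFA web-step
    override_ips = defaultdict(set)  # machine name -> distinct source IPs using auth override
    findings = []
    for r in rows:
        if r["method"] == "mfa-web":
            last_mfa[r["user"]] = r["ts"]
            continue
        if r["method"] != "cookie-auth-override":
            continue
        override_ips[r["host"]].add(r["ip"])
        if not any(r["ip"] in net for net in EXPECTED_BLOCKS):
            findings.append((r["user"], "override from unexpected IP block", str(r["ip"])))
        prior = last_mfa.get(r["user"])
        if prior is None or r["ts"] - prior > MFA_WINDOW:
            findings.append((r["user"], "override without recent MFA web-step", str(r["ip"])))
        if r["host"] in SUSPECT_NAMES:
            findings.append((r["user"], "known actor machine name", r["host"]))
    for host, ips in override_ips.items():  # one identifier, several source networks
        if len(ips) > 1:
            findings.append(("*", "same machine name across multiple source IPs", host))
    return findings
```

On the sample data alice's cookie session is clean (expected block, MFA seconds earlier), while bob and carol each trip the MFA and machine-name checks and GP-CLIENT is additionally flagged for appearing from two unrelated networks.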