ctipilot.ch


CVE-2026-0257: PAN-OS GlobalProtect Pre-Auth VPN Authentication Bypass

Notable vulnerability · discovered 2026-05-30 05:00 UTC · deep dive

Part of run 2026-05-30-aca445cc (intel · Claude Sonnet 4.6)

Background. GlobalProtect is Palo Alto Networks' SSL-VPN solution embedded in PAN-OS and widely deployed as the internet-facing VPN gateway for enterprise and government networks. The authentication override feature, introduced to support certain SSO and clientless configurations, allows a GlobalProtect portal or gateway to issue signed cookies that bypass the normal MFA/SAML authentication flow on subsequent connections, trading per-session authentication strength for smoother session persistence. Palo Alto's own security advisories (AA23-250A, AA24-075A) have repeatedly highlighted GlobalProtect as a target surface; of the issues in that series, this vulnerability is the most directly exploitable.

Vulnerability mechanics. CVE-2026-0257 is classified CWE-565 (Reliance on Cookies Without Validation and Integrity Checking). When authentication override is enabled and the GlobalProtect portal or gateway shares an X.509 certificate with another co-hosted service — most commonly the HTTPS management or captive-portal service — that certificate's public key is retrievable by any external party simply by connecting to the HTTPS service and inspecting the TLS handshake. Palo Alto's auth-override cookie uses that same certificate to sign and encrypt session tokens. An attacker who extracts the public key can derive the encryption material needed to mint a valid authentication override cookie, then present it to the GlobalProtect service to authenticate as any user without possessing the user's credentials. The attack requires no prior foothold; the only pre-conditions are network reachability to the GlobalProtect portal or gateway and the presence of a shared certificate — a configuration that has historically been documented in Palo Alto's own deployment guides as a shortcut for certificate management.

Exploitation pattern. Rapid7 MDR observed two exploitation waves (Rapid7 ETR, 2026-05-29). Wave 1 (18 May): sourced from Vultr-hosted infrastructure, machine name GP-CLIENT (Linux). Wave 2 (21 May): sourced from Dromatics Systems IP space, machine name DESKTOP-GP01 (Windows). Both used a spoofed, easily recognisable MAC address pattern, suggesting deliberate source normalisation intended to defeat MAC-based network anomaly detection. Rapid7 observed successful VPN session establishment but no confirmed lateral movement in the monitored environments. A public PoC (github.com/sfewer-r7/CVE-2026-0257) was released on 29 May, the same day CISA added the CVE to KEV. The gap between the exploitation waves (18 and 21 May) and the PoC/KEV date (29 May) implies the actor possessed private pre-disclosure knowledge of the vulnerability.

MITRE ATT&CK mapping. Initial access: T1133 (External Remote Services — GlobalProtect VPN endpoint). Credential access: T1539 (Steal Web Session Cookie, here applied to auth-override cookie forging rather than theft). Defence evasion: T1036.005 (Masquerading: Match Legitimate Name or Location — spoofed machine name DESKTOP-GP01). Lateral movement: T1021.001 (Remote Services: Remote Desktop Protocol — expected next step once inside the network segment); T1046 (Network Service Discovery — attacker-controlled GP-CLIENT enumerating accessible segments).

Affected and patched versions. Affected: PAN-OS 10.2.x < 10.2.7-h34 (and maintenance tracks), 11.1.x < 11.1.4-h33, 11.2.x < 11.2.4-h17, 12.1.x < 12.1.4-h6. Not affected: Panorama, Cloud NGFW, Prisma SD-WAN, PA-Series managed by Panorama with no local GP config, PAN-OS < 10.2.x (EOL). Fixed: the full version matrix per PAN-OS maintenance branch is in the vendor advisory. Prisma Access 10.2 and 11.2: Palo Alto is rolling fixes; check Prisma Access status portal.

Detection. GlobalProtect connection logs: look for authentication events with auth_method: cookie from IP addresses not previously associated with the authenticated username or with the organisation's VPN-client pool. Cookie-based auth events from brand-new source IPs without a preceding web-based MFA event warrant immediate investigation. PAN-OS system logs: globalprotectgateway-config-succ events authenticated via cookie from non-enrolled endpoints (no prior SCEP or Panorama device-certificate association). Network: VPN sessions with a deliberately spoofed MAC address pattern reused across geographically disparate source IPs (trivially detectable from GlobalProtect connection metadata) are a strong indicator of this attack pattern; MAC-based anomaly detection in the VPN segment should alert. SIEM correlation: chain cookie-auth events to the downstream firewall allow policies that permit that VPN IP to reach sensitive segments, and alert when a new-IP cookie-auth session moves east-west within minutes.
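The two log-based indicators above (cookie authentication from a source IP with no preceding MFA/SAML event for that user, and one client MAC reused with cookie auth from several source IPs) as detection logic run over constructed GlobalProtect-style auth records. This is an added example, not tooling from Rapid7 or Palo Alto; the column layout, the 24-hour window and all sample values are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of GlobalProtect auth events (not real logs; IPs from documentation ranges).
# Assumed column layout: time, user, auth_method, src_ip, machine_name, client_mac
SAMPLE_LOG = """\
2026-05-18T07:55:10Z,alice,saml,203.0.113.10,ALICE-LAPTOP,3c:22:fb:11:22:33
2026-05-18T07:55:41Z,alice,cookie,203.0.113.10,ALICE-LAPTOP,3c:22:fb:11:22:33
2026-05-18T09:12:03Z,bob,cookie,198.51.100.7,GP-CLIENT,00:11:22:33:44:55
2026-05-21T13:40:19Z,carol,cookie,192.0.2.200,DESKTOP-GP01,00:11:22:33:44:55
"""
FIELDS = ["time", "user", "auth_method", "src_ip", "machine_name", "client_mac"]
MFA_WINDOW = timedelta(hours=24)  # assumed: a cookie auth should follow a strong auth within this window


def parse(log_text):
    """Parse CSV-style auth records into dicts with a datetime 'time' field."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(row)
    return events


def detect(events):
    """Return (rule, subject, src_ip) alerts for the auth-override cookie abuse patterns."""
    alerts = []
    last_strong_auth = {}                 # (user, src_ip) -> time of last non-cookie (MFA/SAML) auth
    cookie_ips_by_mac = defaultdict(set)  # client_mac -> source IPs seen using cookie auth
    for ev in sorted(events, key=lambda e: e["time"]):
        key = (ev["user"], ev["src_ip"])
        if ev["auth_method"] != "cookie":
            last_strong_auth[key] = ev["time"]
            continue
        # Rule 1: cookie auth from an IP where this user never completed MFA/SAML (or not recently).
        strong = last_strong_auth.get(key)
        if strong is None or ev["time"] - strong > MFA_WINDOW:
            alerts.append(("cookie-auth-without-mfa", ev["user"], ev["src_ip"]))
        # Rule 2: the same client MAC reused with cookie auth from more than one source IP.
        cookie_ips_by_mac[ev["client_mac"]].add(ev["src_ip"])
        if len(cookie_ips_by_mac[ev["client_mac"]]) > 1:
            alerts.append(("mac-reuse-across-ips", ev["client_mac"], ev["src_ip"]))
    return alerts


if __name__ == "__main__":
    for rule, subject, src_ip in detect(parse(SAMPLE_LOG)):
        print(f"{rule}: {subject} from {src_ip}")
```

On the sample, alice's cookie login is accepted because a SAML login from the same IP precedes it; bob's and carol's are flagged, and carol's also trips the MAC-reuse rule because the same constructed MAC already appeared from bob's source IP.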

Hardening / mitigation. Immediate: upgrade PAN-OS to the fixed versions per the vendor advisory. If patching cannot be completed within 24 hours: (a) disable authentication override cookies entirely in the GlobalProtect gateway and portal settings (Authentication > No Cookie Required on Pre-Logon Connections); this forces per-session MFA but removes the attack surface. (b) If auth-override cookies are required: generate a dedicated certificate for GlobalProtect, used exclusively by that service and not shared with the HTTPS management service or any other feature. This removes the public-key extraction path. Verify via show system info and show sslmgr-store that the GlobalProtect certificate and the HTTPS service certificate are distinct objects. Prisma Access organisations: apply any available Prisma Access emergency fix and consult the Prisma Access security advisory for tenant-specific remediation steps.
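A way to confirm step (b) from the outside rather than only on the CLI, as an added example that is not Palo Alto's or Rapid7's code: it fingerprints the certificate each service endpoint presents and reports any certificate that a GlobalProtect endpoint shares with a non-GlobalProtect service (the precondition this CVE depends on). The hostnames and the stand-in PEM bodies are constructed assumptions; real runs fetch the certificates with fetch_pem() from an admin host that can reach all three endpoints.

```python
import hashlib
import socket
import ssl
from collections import defaultdict


def fetch_pem(host, port=443, timeout=5):
    """Fetch the leaf certificate a TLS endpoint presents; no chain validation, we only fingerprint it."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


def fingerprint(pem):
    """SHA-256 fingerprint of the DER certificate in the colon-separated form openssl prints."""
    digest = hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def certs_shared_beyond_gp(endpoint_pems, gp_endpoints):
    """Return (fingerprint, gp_names, other_names) for every certificate that a GlobalProtect
    endpoint shares with a non-GlobalProtect service; an empty list means the precondition is absent."""
    by_fp = defaultdict(list)
    for name, pem in endpoint_pems.items():
        by_fp[fingerprint(pem)].append(name)
    findings = []
    for fp, names in by_fp.items():
        gp = [n for n in names if n in gp_endpoints]
        other = [n for n in names if n not in gp_endpoints]
        if gp and other:  # same cert object serves GP and something else
            findings.append((fp, gp, other))
    return findings


# Constructed stand-in PEM bodies so the check runs offline (base64 text, not real certificates).
CERT_A = "-----BEGIN CERTIFICATE-----\nR1AtUE9SVEFMLUNFUlQtQQ==\n-----END CERTIFICATE-----\n"
CERT_B = "-----BEGIN CERTIFICATE-----\nTUFOQUdFTUVOVC1DRVJULUI=\n-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # Assumed hostnames; for a live check use {name: fetch_pem(host) for name, host in
    # {"gp-portal": "vpn.example.com", "gp-gateway": "gw.example.com", "mgmt-https": "fw-mgmt.example.com"}.items()}
    pems = {"gp-portal": CERT_A, "gp-gateway": CERT_A, "mgmt-https": CERT_A}
    for fp, gp, other in certs_shared_beyond_gp(pems, {"gp-portal", "gp-gateway"}):
        print(f"shared certificate {fp}: GlobalProtect {gp} also served by {other}")
```

Portal and gateway sharing one certificate is normal and is not reported; only a certificate that also appears on the management or another HTTPS service produces a finding.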


Tags: vulnerabilities · actively-exploited · pre-auth · auth-bypass · cisa-kev · patch-available · global · CVE-2026-0257