PAN-OS GlobalProtect auth-bypass (CVE-2026-0257) — Unit 42 confirms attackers established working gateway sessions
Part of run 2026-06-10-c84347b2 (intel · Anthropic Claude (specific model not determined))
UPDATE — originally covered CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse (2026-05-30)
UPDATE (originally covered 2026-05-30): Unit 42's 9 June update on CVE-2026-0257 confirms that a limited number of probed PAN-OS GlobalProtect devices had attacker-established, gateway-connected VPN sessions, moving this from "exploit attempts observed" to confirmed successful exploitation (Unit 42, 2026-06-09). The bug (CWE-565, reliance on a cookie without integrity checking) lets an attacker extract the encryption certificate's public key from the TLS handshake and forge authentication-override cookies when that certificate is shared with another function; Rapid7 dates successful exploitation to 17 May from low-cost hosting IPs (Rapid7, 2026-05-29).
Affected: PAN-OS 10.2/11.1/11.2/12.1 and Prisma Access where authentication override is enabled with a shared certificate; patched in 12.1.7+, 11.2.12+, 11.1.15+, 10.2.18-h6+ and corresponding Prisma builds (Palo Alto Networks, 2026-06-03). Patch, then force one re-authentication so override cookies regenerate; as a workaround disable authentication override or assign it a dedicated certificate. Hunt GlobalProtect gateway logs for auth-method=cookie from unexpected source IPs.
Action items
- Force re-authentication on patched PAN-OS GlobalProtect gateways (CVE-2026-0257) so authentication-override cookies regenerate, and run a forensic lookback from 17 May for cookie-auth sessions from unexpected IPs — exploitation is now confirmed successful, not just attempted.
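The gateway-log hunt above (cookie-auth sessions from unexpected source IPs, looking back to 17 May) as an added example, not code from the brief or from Palo Alto Networks. It runs over constructed key=value log lines; the field names (`time`, `user`, `src`, `auth-method`, `event`) and the expected-IP ranges are assumptions to adapt to a real GlobalProtect log export.

```python
"""Hunt constructed GlobalProtect-style gateway log lines for cookie-authenticated
sessions from unexpected source IPs, starting from the 17 May exploitation date."""
from datetime import date
import ipaddress

# Constructed sample lines in an assumed key=value layout; the real PAN-OS GlobalProtect
# log schema differs, so map the field names before running against live exports.
SAMPLE_LOG = """\
time=2026-05-12T08:01:10 user=alice src=203.0.113.10 auth-method=SAML event=gateway-connected
time=2026-05-18T02:14:33 user=alice src=198.51.100.77 auth-method=cookie event=gateway-connected
time=2026-05-19T11:30:02 user=bob src=203.0.113.22 auth-method=cookie event=gateway-connected
time=2026-05-20T23:59:01 user=carol src=192.0.2.200 auth-method=cookie event=gateway-auth-failed
time=2026-05-21T03:00:00 user=dave src=192.0.2.201 auth-method=cookie event=gateway-connected
"""

# Assumed: address ranges the organization considers expected for its VPN users.
EXPECTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
LOOKBACK_START = date(2026, 5, 17)  # earliest successful exploitation per Rapid7

def parse_line(line):
    """Split one 'k=v k=v' record into a dict (values may contain '=')."""
    return dict(kv.split("=", 1) for kv in line.split())

def is_expected(src):
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in EXPECTED_RANGES)

def hunt(log_text):
    """Return (time, user, src) for cookie-auth sessions that reached the gateway
    from unexpected IPs on or after the lookback start."""
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if date.fromisoformat(rec["time"][:10]) < LOOKBACK_START:
            continue  # before the earliest known exploitation
        if rec.get("auth-method") != "cookie":
            continue  # only override-cookie logins are in scope
        if rec.get("event") != "gateway-connected":
            continue  # failed attempts are noise for this hunt; track separately
        if is_expected(rec["src"]):
            continue
        hits.append((rec["time"], rec["user"], rec["src"]))
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print("suspicious cookie-auth session:", *hit)
```

Every hit should be followed by forcing that user's re-authentication after patching, since the override cookie the session rode in on remains valid until it is regenerated.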