ctipilot.ch


PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory

high vulnerability discovered 2026-06-17 05:14 UTC

Entities: NCSC-CH

Part of run 2026-06-17-e102009c (intel · unknown)

UPDATE — originally covered CVE-2026-0257 — Palo Alto PAN-OS GlobalProtect: Pre-Auth Authentication Bypass via Certificate Reuse (2026-05-30)

UPDATE (originally covered 2026-05-30): Palo Alto's Unit 42 confirms an active exploitation campaign against the GlobalProtect cookie authentication-bypass (CVE-2026-0257) running since approximately late May (Unit 42, 2026-06-09). The flaw (CWE-565) decrypts an authentication-override cookie without any signature verification, letting an attacker forge a session and establish a VPN tunnel without credentials when the override feature is enabled (Palo Alto Networks PSIRT).

Arctic Wolf's telemetry documents post-exploitation consistent with Impacket tooling (SMB lateral movement, anonymous NTLM logon, share enumeration and domain-user discovery) across insurance, finance, manufacturing, education, engineering and healthcare targets in North America and Europe (Arctic Wolf, 2026-06-11). NCSC-CH refreshed its Security Hub advisory on 2026-06-16 to flag the Unit 42 confirmation (NCSC-CH Security Hub, 2026-06-16). Defender actions: disable "Authentication Override" if it is not required, patch to the fixed PAN-OS builds, and audit sessions since late May for Impacket-pattern lateral movement (Event ID 4624 with logon type 3 from unexpected IPs, SMB enumeration via Event IDs 5140/5145).
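The audit step above can be turned into a small hunt over Windows Security events. The following is an added example written for this brief, not code from ctipilot, Unit 42, Arctic Wolf or NCSC-CH: it takes events in the shape of a JSON export of the Security log (field names follow the standard 4624/5140/5145 schemas), flags network logons (4624, logon type 3) that are anonymous or come from outside an assumed set of expected source ranges, and flags a source that touches many distinct shares or share paths within a short window, which is the enumeration pattern the brief describes. The expected ranges, the late-May cut-off, the thresholds and the sample events are all constructed assumptions.

```python
"""Hunt for Impacket-style lateral movement in Windows Security events.

Added example for the CVE-2026-0257 brief; not vendor or NCSC-CH code.
Events are dicts shaped like a JSON export of the Security log.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: source ranges a legitimate network logon may come from
# (e.g. the GlobalProtect VPN pool and the corporate LAN).
EXPECTED_SOURCES = [ip_network("10.10.0.0/16"), ip_network("192.168.50.0/24")]
# Audit window from the brief ("since late May"); the exact cut-off is an assumption.
WINDOW_START = datetime(2026, 5, 25)
ENUM_THRESHOLD = 5                 # distinct shares/paths from one source ...
ENUM_WINDOW = timedelta(minutes=10)  # ... within this window counts as enumeration


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def _unexpected(ip):
    """True if the source address is routable and outside EXPECTED_SOURCES."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # "-" or empty IpAddress (local/interactive logons)
    if addr.is_loopback:
        return False
    return not any(addr in net for net in EXPECTED_SOURCES)


def hunt(events):
    """Return (finding_kind, source_ip, timestamp) tuples for suspicious activity."""
    findings = []
    share_hits = defaultdict(list)  # source ip -> [(time, (share, path))]
    for e in sorted(events, key=lambda e: e["TimeCreated"]):
        t = _ts(e["TimeCreated"])
        if t < WINDOW_START:
            continue
        ip = e.get("IpAddress", "-")
        if e["EventID"] == 4624 and e.get("LogonType") == 3:
            if e.get("TargetUserName", "").upper() == "ANONYMOUS LOGON":
                findings.append(("anonymous_network_logon", ip, e["TimeCreated"]))
            elif _unexpected(ip):
                findings.append(("network_logon_unexpected_source", ip, e["TimeCreated"]))
        elif e["EventID"] in (5140, 5145):
            obj = (e.get("ShareName", ""), e.get("RelativeTargetName", ""))
            share_hits[ip].append((t, obj))
    # Sliding window per source: many distinct share objects in a short span.
    for ip, hits in share_hits.items():
        hits.sort(key=lambda h: h[0])
        for i, (t0, _) in enumerate(hits):
            distinct = {obj for t, obj in hits[i:] if t - t0 <= ENUM_WINDOW}
            if len(distinct) >= ENUM_THRESHOLD:
                findings.append(("share_enumeration", ip, t0.strftime("%Y-%m-%dT%H:%M:%S")))
                break
    return findings


# Constructed sample events (not real telemetry). 203.0.113.0/24 is a documentation range.
SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "TimeCreated": "2026-06-02T08:00:00",
     "IpAddress": "10.10.4.7", "TargetUserName": "jdoe"},
    {"EventID": 5145, "TimeCreated": "2026-06-02T08:00:05", "IpAddress": "10.10.4.7",
     "ShareName": "\\\\*\\Finance", "RelativeTargetName": "Q2\\report.xlsx"},
    {"EventID": 4624, "LogonType": 3, "TimeCreated": "2026-05-10T09:00:00",
     "IpAddress": "198.51.100.9", "TargetUserName": "old"},   # before the window
    {"EventID": 4624, "LogonType": 2, "TimeCreated": "2026-06-03T00:59:00",
     "IpAddress": "-", "TargetUserName": "admin"},             # interactive, ignored
    {"EventID": 4624, "LogonType": 3, "TimeCreated": "2026-06-03T01:02:10",
     "IpAddress": "203.0.113.45", "TargetUserName": "ANONYMOUS LOGON"},
    {"EventID": 4624, "LogonType": 3, "TimeCreated": "2026-06-03T01:02:30",
     "IpAddress": "203.0.113.45", "TargetUserName": "svc-backup"},
    {"EventID": 5140, "TimeCreated": "2026-06-03T01:03:00", "IpAddress": "203.0.113.45",
     "ShareName": "\\\\*\\IPC$"},
    {"EventID": 5145, "TimeCreated": "2026-06-03T01:03:05", "IpAddress": "203.0.113.45",
     "ShareName": "\\\\*\\ADMIN$", "RelativeTargetName": "\\"},
    {"EventID": 5145, "TimeCreated": "2026-06-03T01:03:10", "IpAddress": "203.0.113.45",
     "ShareName": "\\\\*\\C$", "RelativeTargetName": "\\"},
    {"EventID": 5145, "TimeCreated": "2026-06-03T01:03:15", "IpAddress": "203.0.113.45",
     "ShareName": "\\\\*\\NETLOGON", "RelativeTargetName": "\\"},
    {"EventID": 5145, "TimeCreated": "2026-06-03T01:03:20", "IpAddress": "203.0.113.45",
     "ShareName": "\\\\*\\SYSVOL", "RelativeTargetName": "\\"},
]

if __name__ == "__main__":
    for kind, ip, when in hunt(SAMPLE_EVENTS):
        print(f"{when}  {ip:<15}  {kind}")
```

On the constructed sample the hunt reports three findings, all for the same external source: an anonymous network logon, a named network logon from outside the expected ranges, and share enumeration (five distinct share objects within 20 seconds). In practice, feed it the exported 4624/5140/5145 events from domain controllers and file servers for the audit window, and tune EXPECTED_SOURCES to the real VPN pool so that legitimate GlobalProtect sessions do not surface as unexpected sources.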



Tags: vulnerabilities, actively-exploited, auth-bypass, cisa-kev, europe, global, CVE-2026-0257