Critical Authentication Bypass in Palo Alto Networks PAN-OS and Prisma Access (CVE-2026-0257)
A high-stakes authentication bypass vulnerability is currently being leveraged in active exploitation campaigns targeting Palo Alto Networks PAN-OS and Prisma Access environments. Due to the direct risk of unauthorized network entry, the Cybersecurity and Infrastructure Security Agency (CISA) officially added CVE-2026-0257 to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026.
While the vulnerability carries a moderate CVSSv4 score, the practical risk is severe. Security researchers at Rapid7 have issued an urgent advisory, categorizing this as a critical-priority threat that demands immediate remediation to prevent lateral movement within enterprise networks.
Technical Deep Dive: The Mechanics of the Bypass
Initially disclosed by Palo Alto Networks on May 13, 2026, CVE-2026-0257 targets a specific, non-default “authentication override” feature. This feature is designed to enhance user experience by issuing session cookies to authenticated users, thereby bypassing the need for repetitive login prompts.
The root cause of the vulnerability lies in a cryptographic implementation flaw within the /usr/local/bin/gpsvc binary. The vulnerability is triggered when the certificate used to encrypt these authentication override cookies is shared with other services, such as the portal’s HTTPS service. Because the decryption logic within the gpsvc binary fails to perform adequate signature verification, the security boundary collapses.
In a practical attack scenario, a remote, unauthenticated attacker can extract the public key from the exposed HTTPS certificate. With this key, they can forge valid authentication override cookies, effectively tricking the GlobalProtect gateway into establishing an unauthorized VPN connection.
Observed Exploitation Patterns
Detailed forensics from Rapid7 researchers have identified two distinct waves of activity:
- Wave 1 (May 17, 2026): Attackers utilized infrastructure hosted on Vultr to launch suspicious cookie-based authentication probes. These attempts specifically targeted local administrator accounts. To blend in with legitimate traffic, the actors used the machine name
GP-CLIENTand spoofed MAC addresses. - Wave 2 (May 21, 2026): A second campaign emerged via Dromatics Systems. In this phase, the threat actors adopted the machine name
DESKTOP-GP01. Notably, this wave saw higher success rates, with some attackers successfully securing full VPN IP assignments, granting them direct access to internal network segments.
The reuse of the same spoofed MAC address across both campaigns strongly suggests a single, coordinated threat actor. Interestingly, while many organizations saw only authentication probes, a subset of targeted environments faced full session establishment.
Indicators of Compromise (IoCs)
Security teams should hunt for the following indicators within VPN and GlobalProtect authentication logs:
| Indicator | Description |
|---|---|
| 104.207.144[.]154 | Threat actor source IP (Wave 1, Vultr) |
| 146.19.216[.]119 / .120 / .125 | Threat actor source IPs (Wave 2, Dromatics) |
| aa:bb:cc:dd:ee:ff | Spoofed MAC address observed in both waves |
| GP-CLIENT | Machine name (Linux-based authentication, May 17) |
| DESKTOP-GP01 | Machine name (Windows-based authentication, May 21) |
Note: IP addresses and domains have been defanged (e.g., using [.]). Please re-fang these identifiers only when importing them into controlled environments such as your SIEM, MISP, or VirusTotal.
Remediation and Mitigation Strategies
Immediate Patching
The most effective defense is to upgrade to the patched versions provided by Palo Alto Networks. Ensure your environment is running one of the following or later:
- PAN-OS: 12.1.4-h6, 12.1.7, 11.2.12, 11.1.15, or 10.2.18-h6
- Prisma Access: 11.2.7-h13 (for version 11.2.0 users) or 10.2.10-h36 (for version 10.2.0 users)
Configuration Hardening
If immediate patching is not feasible, implement the following workarounds:
- Disable Authentication Override: If this feature is not a strict operational requirement, disable it entirely to close the attack vector.
- Certificate Isolation: If the feature must remain enabled, you must generate a dedicated certificate used exclusively for encrypting authentication override cookies. This certificate must not be shared with the HTTPS service or any other network function.
- Enhanced Monitoring: Deploy detection rules in your SOC to monitor for anomalous GlobalProtect cookie authentication attempts, specifically those targeting local administrator accounts.