CVE-2026-0257 is an authentication bypass in Palo Alto Networks PAN-OS GlobalProtect portal and gateway, rated CVSS 7.8. Exploitation in the wild has been confirmed since May 17, 2026. CISA added it to the Known Exploited Vulnerabilities catalog on May 29 with a patch deadline of June 1 for federal agencies. Palo Alto has confirmed active exploit attempts against unpatched devices.
What the bug is
GlobalProtect supports an "authentication override cookie" feature that lets a returning endpoint skip re-authentication. When this feature is enabled, the portal generates an encrypted cookie tied to the user session. The encryption uses a certificate that, in many deployments, is the same certificate used for the HTTPS service of the portal or gateway.
That certificate sharing is the problem. The HTTPS certificate's public key is visible to anyone who connects to the portal. An attacker can use it to forge a valid authentication override cookie without ever presenting credentials. PAN-OS accepts the forged cookie, decrypts it, and extracts the embedded username, domain, host ID, client OS, and IP without verifying any signature. The result is an unauthorized VPN session authenticated as a legitimate user.
The feature is not enabled by default. It requires explicit configuration. That limits the attack surface but does not make exploitation rare: the feature is common in enterprise deployments because it reduces re-authentication friction.
What attackers are doing
Rapid7 observed the first exploitation on May 17, 2026, from Vultr-hosted infrastructure. A second wave followed on May 21 from IPs on Dromatics Systems. Both waves share a spoofed MAC address of aa:bb:cc:dd:ee:ff and register the connecting machine as GP-CLIENT (Linux) or DESKTOP-GP01 (Windows).
The indicator to look for in GlobalProtect authentication logs is Cookie as the authentication method for admin or privileged accounts arriving from external IPs. A typical log entry shows auth latency around 78ms with a local auth profile, despite no legitimate local session existing for that user from that IP.
Affected versions
The following PAN-OS versions are vulnerable:
- 10.2: all versions below 10.2.7-h34 through 10.2.18-h6
- 11.1: all versions below 11.1.15
- 11.2: all versions below 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12
- 12.1: versions below 12.1.4-h6 or below 12.1.7
Prisma Access is affected in equivalent version ranges. Cloud NGFW and Panorama are not affected.
What to do
Patch first. Minimum fixed versions: 10.2.18-h6, 11.1.15, 11.2.12, 12.1.7 (or equivalent hotfix releases listed in the advisory).
After upgrading, users will be prompted to re-authenticate once. This is expected: the patch regenerates cookies with a new signing mechanism.
If you cannot patch immediately, two workarounds are available:
- Disable authentication override entirely. In GlobalProtect portal and gateway configuration, uncheck both the cookie generation and cookie acceptance options.
- Generate a dedicated certificate exclusively for authentication override cookies. Do not reuse the portal or gateway HTTPS certificate. This closes the public-key extraction vector without disabling the feature.
Check your logs. Look for authentication events showing Cookie as the method from external IPs you do not recognize, especially against admin accounts. The MAC address aa:bb:cc:dd:ee:ff and hostnames GP-CLIENT or DESKTOP-GP01 are specific indicators from the confirmed campaign.
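A small triage script for the log review described under "What attackers are doing" and in the paragraph above, added here as an example and not taken from the article, Palo Alto Networks or Rapid7. It reads a constructed CSV export (the column names are an assumption, not the PAN-OS log schema) and flags rows on the indicators the article gives; the privileged-account list and the internal address ranges are placeholders to replace with your own.

```python
import csv
import io
import ipaddress

# Campaign indicators quoted in the write-up above. The privileged-user list,
# the "internal" address ranges and the log column layout are assumptions.
CAMPAIGN_MAC = "aa:bb:cc:dd:ee:ff"
CAMPAIGN_HOSTNAMES = {"GP-CLIENT", "DESKTOP-GP01"}
PRIVILEGED_USERS = {"admin", "netadmin"}  # hypothetical: fill from your directory
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample export; column names are an assumption, not PAN-OS's schema.
SAMPLE_LOG = """time,user,auth_method,src_ip,hostname,mac
2026-05-17T03:12:09Z,admin,Cookie,203.0.113.45,GP-CLIENT,aa:bb:cc:dd:ee:ff
2026-05-17T08:40:11Z,jsmith,LDAP,198.51.100.7,JSMITH-LAPTOP,00:11:22:33:44:55
2026-05-18T12:01:00Z,admin,Cookie,10.20.30.40,MGMT-WS01,00:aa:bb:cc:dd:01
2026-05-21T22:05:37Z,netadmin,Cookie,192.0.2.88,DESKTOP-GP01,aa:bb:cc:dd:ee:ff
"""


def is_external(ip: str) -> bool:
    """True unless the address falls in one of the assumed internal (RFC 1918) ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def triage(log_text: str) -> list:
    """Return one finding per suspicious row, listing every reason it was flagged."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = []
        # Core signal from the article: cookie-based auth for a privileged
        # account arriving from outside the network.
        if (row["auth_method"] == "Cookie"
                and row["user"] in PRIVILEGED_USERS
                and is_external(row["src_ip"])):
            reasons.append("Cookie auth for privileged account from external IP")
        # Campaign-specific indicators; cheap to check, high confidence if present.
        if row["mac"].lower() == CAMPAIGN_MAC:
            reasons.append("spoofed MAC from confirmed campaign")
        if row["hostname"] in CAMPAIGN_HOSTNAMES:
            reasons.append("hostname from confirmed campaign")
        if reasons:
            findings.append({"time": row["time"], "user": row["user"],
                             "src_ip": row["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['time']} {f['user']} from {f['src_ip']}: {'; '.join(f['reasons'])}")
```

An internal-sourced cookie logon for an admin (third sample row) is deliberately not flagged on the core rule alone; widen INTERNAL_NETS or PRIVILEGED_USERS to match your environment.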
The full vendor advisory is at security.paloaltonetworks.com/CVE-2026-0257. Rapid7's exploitation details are in their ETR post.