← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-0257 · CWE-565 · Disclosed 2026-05-13

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS®…

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a guest badge printer that starts minting employee passes when you reuse the wrong signing stamp

CVE-2026-0257 is an authentication bypass in Palo Alto PAN-OS GlobalProtect portal/gateway and corresponding Prisma Access releases. The bug lives in authentication override cookies: on affected builds, if GlobalProtect is configured, auth override cookies are enabled, and the cookie certificate setup is wrong, a remote unauthenticated attacker can forge a cookie and get an unauthorized VPN connection. Affected trains include PAN-OS 10.2, 11.1, 11.2, and 12.1 before the branch-specific fixes Palo Alto published on 2026-05-13 and updated on 2026-06-03.

The raw CVSS 3.1 9.1 / CRITICAL framing overstates enterprise-wide exposure because this is not every PAN-OS box and not every GlobalProtect deployment; the attacker needs a narrow but common-enough configuration mistake. But once you combine internet-facing VPN exposure, no-auth remote reachability, public PoC, and KEV-listed active exploitation, this stops being a medium-or-theoretical bug. Practically, for the subset that is exposed, it behaves like a perimeter identity failure and deserves HIGH priority with immediate action.

"KEV-listed edge VPN auth bypass: config-specific, but if exposed it belongs in the emergency lane."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach an exposed GlobalProtect edge

The attacker first identifies a PAN-OS or Prisma Access GlobalProtect portal/gateway reachable over the internet, usually on TCP/443. This is not a management-plane bug; the reachable target is the remote-access VPN service itself.
Conditions required:
  • GlobalProtect portal or gateway is internet-reachable
  • Affected PAN-OS or Prisma Access version is in use
Where this breaks in practice:
  • Many PAN-OS deployments do not publish GlobalProtect externally
  • Some organizations front the service with IP allowlists or geographic restrictions
Detection/coverage: External attack-surface tooling will usually see the GlobalProtect endpoint; vendor version and config state still require authenticated validation.
STEP 02

Harvest public key material from TLS

Using the technique documented by Rapid7, the attacker pulls the HTTPS certificate chain from the target and iterates the public keys. If the deployment reused the wrong certificate for authentication override, the public key becomes enough to build a forged cookie candidate.
Conditions required:
  • Authentication override cookies are enabled
  • A specific certificate reuse/misconfiguration exists
Where this breaks in practice:
  • A dedicated auth-override certificate breaks this step
  • Deployments with auth override disabled are not exposed
Detection/coverage: Ordinary TLS handshakes look benign; this step is hard to distinguish from normal internet reconnaissance.
STEP 03

Forge and submit an auth override cookie

A public PoC (sfewer-r7/CVE-2026-0257) can generate forged cookies and test them against the GlobalProtect login workflow. The vulnerable service decrypts and trusts the cookie contents, bypassing the normal credential check.
Conditions required:
  • Attacker can send requests to /ssl-vpn/login.esp or equivalent GlobalProtect auth path
  • Target accepts forged auth override cookie material
Where this breaks in practice:
  • The bug is not fully automatable across all targets because the attacker must hit the right certificate/key path
  • Some observed exploit attempts authenticated but did not complete a full VPN session
Detection/coverage: GlobalProtect auth logs can show login,Cookie events, unusual local account use, generic hostnames, spoofed MACs, and source IPs from low-cost VPS providers.
STEP 04

Land inside the network as a VPN user

Successful exploitation yields an unauthorized VPN session rather than firewall admin or device RCE. Rapid7 observed cases where the appliance assigned a VPN IP, giving the attacker internal network reachability behind the firewall.
Conditions required:
  • Gateway completes VPN assignment after cookie acceptance
  • Internal routing and policy allow useful access from VPN-assigned addresses
Where this breaks in practice:
  • Blast radius depends on what the VPN role/profile can reach
  • Segmentation, NAC, and least-privilege VPN policy can limit follow-on movement
Detection/coverage: VPN concentrator logs, SIEM correlation, and NAC telemetry are the best places to catch the post-authentication phase; EDR only helps after the attacker pivots to a managed endpoint.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusYes. Palo Alto says it is aware of limited exploit attempts, and Rapid7 says it observed successful exploitation across numerous customers with earliest observed activity on 2026-05-17.
KEV statusKEV-listed by CISA on 2026-05-29 as *Palo Alto Networks PAN-OS Authentication Bypass Vulnerability*; NVD reflects the KEV addition.
Proof-of-conceptPublic PoC exists. Rapid7 published sfewer-r7/CVE-2026-0257, which forges GlobalProtect auth override cookies from the target's TLS certificate chain.
EPSS0.36344 from the supplied intel block. That is materially high for a perimeter appliance flaw, even before you factor in KEV and observed exploitation.
CVSS reality checkThere is a scoring split: NVD CVSS 3.1 = 9.1/CRITICAL (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), while Palo Alto's advisory currently shows CVSS v4 Threat/Base 7.8 HIGH. The lower vendor v4 score better captures the configuration friction; the higher v3 score better captures the downstream business impact *if* the exposed condition exists.
Exposure prerequisiteThis is not universal PAN-OS exposure. Palo Alto says the firewall must have GlobalProtect portal/gateway configured, authentication override cookies enabled, and a specific certificate configuration. That is the main downward pressure on severity.
Affected versionsAffected trains are PAN-OS 10.2 / 11.1 / 11.2 / 12.1 and Prisma Access 10.2 / 11.2 before the branch-specific fixed builds in the advisory. Panorama and Cloud NGFW are not impacted.
Fixed versionsTop-line safe targets are 12.1.7, 11.2.12, 11.1.15, and 10.2.18-h6, plus Palo Alto's branch hotfix equivalents such as 11.2.10-h7, 11.2.7-h14, 11.2.4-h17, 11.1.13-h5, 11.1.10-h25, 10.2.16-h7, 10.2.13-h21, 10.2.10-h36, and 10.2.7-h34.
Exposure / scanning dataCyCognito says the practical exposure is internet-facing GlobalProtect on TCP/443 and shows cross-sector exposure patterns, with observed assets concentrated in Industrials (25.3%), Communication Services (16.4%), and Energy (11.8%) in its dataset.
Discovery / reportingPalo Alto says the issue was discovered internally. The major public operational reporting came from Rapid7 MDR/Labs, which documented two exploit waves on 2026-05-17 and 2026-05-21.
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to HIGH (8.8/10)

The decisive downward pressure is that exploitation is configuration-dependent, not product-wide: the target must expose GlobalProtect, enable auth override, and have the wrong certificate arrangement. The decisive upward pressure is that this sits on an internet-facing VPN edge, is KEV-listed, and has confirmed in-the-wild abuse that can yield internal network access without credentials.

HIGH Active exploitation and KEV status
MEDIUM Real-world exposed population size
MEDIUM Typical downstream blast radius after VPN admission

Why this verdict

  • KEV + observed exploitation push this up hard: Palo Alto acknowledges exploit attempts, Rapid7 observed successful abuse beginning 2026-05-17, and CISA added it to KEV on 2026-05-29.
  • Config friction pulls it down from CRITICAL to HIGH: an attacker does *not* get value from every PAN-OS device. They need an exposed GlobalProtect portal/gateway, auth override enabled, and the wrong certificate setup. Each prerequisite narrows the reachable population.
  • Impact is unauthorized VPN entry, not instant firewall takeover: this is serious because it crosses the perimeter without credentials, but it is not equivalent to unauthenticated RCE on the appliance or guaranteed admin-plane compromise.
  • Modern controls only partly help: MFA does not save you once the forged cookie is accepted, and WAF/NGFW layers are weak prevention points because the vulnerable service is the VPN edge itself. The realistic defensive stop is configuration hygiene plus log-based detection.
  • Blast radius varies by VPN policy: in segmented environments the session may land in a constrained zone; in flatter estates it becomes a clean post-auth foothold. That variability is another reason to keep it at HIGH instead of automatic CRITICAL.

Why not higher?

I am not calling this CRITICAL because exposure is not universal and exploitation requires a specific feature and certificate condition that many deployments will not have. Also, the bug yields unauthorized VPN access, not guaranteed code execution or firewall administrative control on every successful hit.

Why not lower?

I am not calling this MEDIUM because the attacker is unauthenticated and remote, the service is commonly internet-facing, a public PoC exists, and the bug is already KEV-listed and exploited in the wild. For organizations that do run the exposed configuration, this is a perimeter break, not a nuisance flaw.

05 · Compensating Control

What to do — in priority order.

  1. Disable auth override — Turn off GlobalProtect authentication override cookie generation and acceptance anywhere it is not absolutely required. Because this CVE is KEV-listed / actively exploited, deploy this mitigation immediately, within hours on exposed gateways and portals that cannot be patched first.
  2. Dedicate and rotate the cookie certificate — Generate a certificate used only for authentication override cookies and remove any reuse of portal/gateway HTTPS certificate material. If the certificate was ever shared, treat it as tainted for this use case and replace it immediately, within hours per Palo Alto's guidance.
  3. Restrict portal reachability — Apply temporary IP allowlists, geographic restrictions, or upstream access controls to exposed GlobalProtect portals/gateways where business allows it. For a KEV-listed edge issue, do this immediately, within hours if patching will slip past the current change window.
  4. Hunt cookie-based VPN logins — Review GlobalProtect logs for Cookie authentication events, local admin account logons, default/generic hostnames, spoofed MACs, and source IPs from low-cost hosting providers such as the Rapid7-observed infrastructure. Start this hunt immediately, within hours and keep it running until every exposed device is patched.
  5. Validate every branch-specific fixed build — Do not treat 'some 11.x hotfix' as good enough; Palo Alto published branch-specific fixed versions, and partial upgrades can create cookie compatibility issues. Use authenticated validation and complete this control immediately, within hours for internet-facing systems.
What doesn't work
  • MFA at the normal VPN login screen does not neutralize this bug, because the forged override cookie can bypass the credential prompt altogether.
  • Management-plane ACLs do not solve it by themselves, because exploitation targets the GlobalProtect portal/gateway rather than the web management interface.
  • Endpoint EDR is too late as a primary control; it may catch follow-on activity on endpoints, but it does not prevent the attacker from getting a VPN foothold.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor/admin workstation that can SSH to the PAN-OS CLI; invoke it as ./verify_cve_2026_0257.sh [email protected]. It needs a PAN-OS account with permission to run show commands; no root or debug shell access is required. This is a conservative check: it marks PATCHED only on fixed builds, VULNERABLE on affected builds where auth-override config is visible, and UNKNOWN when config visibility is incomplete or ambiguous.

noisgate-verify.sh
BASHREAD-ONLYSAFE
#!/usr/bin/env bash
# verify_cve_2026_0257.sh
# Conservative exposure check for CVE-2026-0257 on Palo Alto PAN-OS GlobalProtect
# Usage: ./verify_cve_2026_0257.sh [email protected]
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN, 3=USAGE/ERROR

set -euo pipefail

TARGET="${1:-}"
if [[ -z "$TARGET" ]]; then
  echo "UNKNOWN - usage: $0 user@firewall" >&2
  exit 3
fi

ssh_opts=(
  -o BatchMode=yes
  -o StrictHostKeyChecking=accept-new
  -o ConnectTimeout=10
)

run_cli() {
  local cmd="$1"
  ssh "${ssh_opts[@]}" "$TARGET" "$cmd" 2>/dev/null || return 1
}

extract_version() {
  awk -F': ' '/sw-version/ {gsub(/\r/,"",$2); print $2; exit}'
}

# Compare hotfix numbers only inside one maintenance branch.
# Example: base=11.2.10 h=6
parse_ver() {
  local v="$1"
  local base="${v%%-h*}"
  local hotfix=0
  if [[ "$v" =~ -h([0-9]+)$ ]]; then
    hotfix="${BASH_REMATCH[1]}"
  fi
  echo "$base $hotfix"
}

is_patched() {
  local v="$1"
  local base hotfix major minor patch
  read -r base hotfix < <(parse_ver "$v")
  IFS='.' read -r major minor patch <<< "$base"

  if [[ -z "${major:-}" || -z "${minor:-}" || -z "${patch:-}" ]]; then
    return 1
  fi

  case "$major.$minor" in
    12.1)
      if (( patch >= 7 )); then return 0; fi
      if (( patch == 4 && hotfix >= 6 )); then return 0; fi
      return 1
      ;;
    11.2)
      if (( patch >= 12 )); then return 0; fi
      if (( patch == 10 && hotfix >= 7 )); then return 0; fi
      if (( patch == 7 && hotfix >= 14 )); then return 0; fi
      if (( patch == 4 && hotfix >= 17 )); then return 0; fi
      return 1
      ;;
    11.1)
      if (( patch >= 15 )); then return 0; fi
      if (( patch == 13 && hotfix >= 5 )); then return 0; fi
      if (( patch == 10 && hotfix >= 25 )); then return 0; fi
      if (( patch == 7 && hotfix >= 6 )); then return 0; fi
      if (( patch == 6 && hotfix >= 32 )); then return 0; fi
      if (( patch == 4 && hotfix >= 33 )); then return 0; fi
      return 1
      ;;
    10.2)
      # Palo Alto's advisory is branch-specific; plain 10.2.18 is ambiguous in public text.
      if (( patch > 18 )); then return 0; fi
      if (( patch == 18 && hotfix >= 6 )); then return 0; fi
      if (( patch == 16 && hotfix >= 7 )); then return 0; fi
      if (( patch == 13 && hotfix >= 21 )); then return 0; fi
      if (( patch == 10 && hotfix >= 36 )); then return 0; fi
      if (( patch == 7 && hotfix >= 34 )); then return 0; fi
      return 1
      ;;
    *)
      return 1
      ;;
  esac
}

SYSINFO="$(run_cli 'show system info' || true)"
if [[ -z "$SYSINFO" ]]; then
  echo "UNKNOWN - unable to retrieve 'show system info' from $TARGET"
  exit 2
fi

VERSION="$(printf '%s\n' "$SYSINFO" | extract_version || true)"
if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN - unable to parse PAN-OS version from target output"
  exit 2
fi

if is_patched "$VERSION"; then
  echo "PATCHED - PAN-OS version $VERSION is at or above a public fixed build for CVE-2026-0257"
  exit 0
fi

CFG1="$(run_cli 'set cli config-output-format set ; show config running | match authentication-override' || true)"
CFG2="$(run_cli 'set cli config-output-format set ; show config running | match auth-override' || true)"
CFG3="$(run_cli 'set cli config-output-format set ; show config running | match global-protect' || true)"
COMBINED="$CFG1
$CFG2
$CFG3"

# Heuristic only: PAN-OS syntax differs across releases and templates.
if printf '%s\n' "$COMBINED" | grep -Eiq 'authentication-override|auth-override|generate cookie|accept cookie'; then
  echo "VULNERABLE - PAN-OS $VERSION is on an affected train and auth-override-related config is present; verify certificate reuse and patch immediately"
  exit 1
fi

echo "UNKNOWN - PAN-OS $VERSION appears to be on an affected train, but auth-override exposure could not be confirmed from CLI output"
exit 2
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning: pull a list of every internet-facing GlobalProtect portal/gateway, separate them by PAN-OS branch, and treat any vulnerable externally reachable instance as an emergency change. Because this CVE is KEV-listed and actively exploited, override the normal HIGH timing and patch / mitigate immediately, within hours; that is the action to take instead of waiting on the standard noisgate mitigation SLA. If you cannot patch first, disable auth override or isolate the service within hours, then finish branch-correct vendor remediation on all exposed systems as the same campaign priority; the formal noisgate remediation SLA for a HIGH issue is ≤ 180 days, but for this one that outer limit is a paperwork backstop, not an operational target.

Sources

  1. Palo Alto Networks advisory
  2. NVD CVE record
  3. CISA KEV filtered entry
  4. Rapid7 observed exploitation analysis
  5. Rapid7 PoC repository
  6. CyCognito exposure analysis
  7. Help Net Security summary of exploitation
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.