Active Exploitation of PAN-OS GlobalProtect Authentication Bypass (CVE-2026-0257)
Executive Summary
Palo Alto Networks has disclosed a vulnerability in its PAN-OS and Prisma Access GlobalProtect portals and gateways, tracked as CVE-2026-0257. While assigned a Medium severity CVSS score of 7.8, security researchers at Rapid7 are urging organizations to treat this as a critical vulnerability due to its edge-facing impact. The flaw allows remote, unauthenticated attackers to bypass security restrictions and establish an unauthorized VPN connection. The vulnerability is currently under active exploitation in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) list. All organizations utilizing affected Palo Alto Networks devices must assess their exposure and apply mitigations immediately.
Key Findings
Threat Actor and Campaign
Rapid7 identified successful exploitation across multiple customers, with two distinct waves of attack. The first wave, originating from the hosting provider Vultr on May 17, 2026, targeted Linux environments and utilized the hostname GP-CLIENT. While authentication probes were accepted, a full VPN session was not established in most cases. The second wave, originating from Dromatics Systems on May 21, 2026, targeted Windows environments using the hostname DESKTOP-GP01. This wave successfully resulted in VPN IP assignment, granting the attacker internal network access. Both waves utilized the exact same spoofed MAC address (aa:bb:cc:dd:ee:ff), strongly indicating a single threat actor is behind the campaign.
Initial Access Vector
The adversary gains initial access by exploiting an overlap between two configuration settings on the GlobalProtect gateway. To be vulnerable, the device must have the "Authentication Override" feature enabled, a non-default feature that issues a cookie allowing previously authenticated users to skip future credential checks. Crucially, the vulnerability exists only if the certificate used to encrypt and decrypt this authentication override cookie is the same one that serves the public-facing GlobalProtect HTTPS service.
The Cryptographic "Blind Trust" Flaw Analysis
The underlying vulnerability stems from a lack of signature validation in the /usr/local/bin/gpsvc binary. When an attacker sends an HTTP POST request to /ssl-vpn/login.esp containing a portal-userauthcookie, the system base64-decodes the cookie and decrypts it with the private key of the configured certificate. At no point does it verify a signature over the cookie, so successful decryption is treated as proof of authenticity.
Because the certificate is improperly shared with the public HTTPS service, an attacker can simply harvest the reused public key from the gateway. The attacker then forges an authentication override cookie filled with arbitrary user data (such as local admin credentials) and encrypts it using the harvested key. When fed back to the gateway, the system decrypts the forged cookie and implicitly trusts it, granting full unauthorized access.
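The design mistake above, that decryptability is taken as authenticity, is easiest to see side by side with a validator that does check a signature. The Go program below is an added illustration written for this article; it is not Palo Alto Networks code and does not reproduce the real portal-userauthcookie format. It assumes a toy cookie layout (OAEP ciphertext followed by a PSS signature over that ciphertext), a hypothetical OAEP label, and two keys on the gateway: an encryption key whose public half is treated as public (standing in for the reused HTTPS certificate) and a separate signing key that is never exposed. `ValidateDecryptOnly` mirrors the flawed logic; `ValidateSigned` is the hardened form.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// Toy cookie layout for this illustration (not PAN-OS's real format):
//   base64( OAEP ciphertext [256 B] || PSS signature over the ciphertext [256 B] )
// A 2048-bit key gives 256-byte blocks; OAEP with SHA-256 caps the payload at 190 bytes.
const rsaBits = 2048
const blockLen = rsaBits / 8

var oaepLabel = []byte("auth-override") // hypothetical OAEP label

// Gateway holds the validator's key material. encKey plays the role of the
// certificate that is also served over HTTPS, so its public half is public.
// sigKey is a dedicated signing key whose public half is never served.
type Gateway struct {
	encKey *rsa.PrivateKey
	sigKey *rsa.PrivateKey
}

func NewGateway() (*Gateway, error) {
	enc, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, err
	}
	sig, err := rsa.GenerateKey(rand.Reader, rsaBits)
	if err != nil {
		return nil, err
	}
	return &Gateway{encKey: enc, sigKey: sig}, nil
}

// EncryptOnlyCookie is what any holder of the encryption public key can build:
// a well-formed ciphertext carrying no legitimate signature (zero bytes here).
// It is the negative test input a validator must reject.
func EncryptOnlyCookie(pub *rsa.PublicKey, payload []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, payload, oaepLabel)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(append(ct, make([]byte, blockLen)...)), nil
}

// IssueCookie is the legitimate path: encrypt, then sign the ciphertext with sigKey.
func (g *Gateway) IssueCookie(payload []byte) (string, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &g.encKey.PublicKey, payload, oaepLabel)
	if err != nil {
		return "", err
	}
	h := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, g.sigKey, crypto.SHA256, h[:], nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(append(ct, sig...)), nil
}

// ValidateDecryptOnly mirrors the flawed logic: decode, decrypt, trust the result.
// A successful decryption only proves the sender had the public key.
func ValidateDecryptOnly(g *Gateway, cookie string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil || len(raw) < blockLen {
		return nil, errors.New("malformed cookie")
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, g.encKey, raw[:blockLen], oaepLabel)
}

// ValidateSigned verifies the issuer's signature before decrypting anything.
func ValidateSigned(g *Gateway, cookie string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil || len(raw) != 2*blockLen {
		return nil, errors.New("malformed cookie")
	}
	ct, sig := raw[:blockLen], raw[blockLen:]
	h := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(&g.sigKey.PublicKey, crypto.SHA256, h[:], sig, nil); err != nil {
		return nil, fmt.Errorf("cookie rejected: %w", err)
	}
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, g.encKey, ct, oaepLabel)
}

func main() {
	gw, err := NewGateway()
	if err != nil {
		panic(err)
	}
	legit, _ := gw.IssueCookie([]byte(`{"user":"alice"}`))
	unsigned, _ := EncryptOnlyCookie(&gw.encKey.PublicKey, []byte(`{"user":"admin"}`))
	for name, cookie := range map[string]string{"issued": legit, "unsigned": unsigned} {
		p1, e1 := ValidateDecryptOnly(gw, cookie)
		p2, e2 := ValidateSigned(gw, cookie)
		fmt.Printf("%-8s decrypt-only: %s %v | signed: %s %v\n", name, p1, e1, p2, e2)
	}
}
```

The hardened validator rejects the unsigned cookie before any decryption happens, and it does so even though the encryption public key is public. That is the property the mitigation of a dedicated, non-served certificate restores indirectly: it denies the attacker the key, whereas a signature check makes possession of the encryption key irrelevant.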
Detection and IOCs
Host-Based and Network Indicators
Network defenders should monitor GlobalProtect authentication logs for suspicious cookie authentication to local admin accounts. The presence of the following indicators may signify compromise:
- Spoofed MAC Address: aa:bb:cc:dd:ee:ff
- Hostnames Observed: DESKTOP-GP01 (Windows), GP-CLIENT (Linux)
- Threat Actor Source IPs:
  - 104.207.144.154
  - 146.19.216.119
  - 146.19.216.120
  - 146.19.216.125
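The indicators above are exact-match IoCs and will miss the same actor on fresh infrastructure, so a useful scan pairs them with the behavioural rule the paragraph names: cookie-based authentication to a local admin account. The Go scanner below is an added example, not a Rapid7 or Palo Alto Networks tool. It runs over constructed log lines in a simplified `key=value` layout; the field names (`event`, `src`, `user`, `host`, `mac`, `auth`, `vpn_ip`) and the local admin account names are assumptions for this example, not PAN-OS's actual GlobalProtect log schema, and a real deployment would map the product's CSV fields onto them.

```go
package main

import (
	"fmt"
	"strings"
)

// Indicators published in the report above.
var (
	actorIPs = map[string]bool{
		"104.207.144.154": true, "146.19.216.119": true,
		"146.19.216.120": true, "146.19.216.125": true,
	}
	actorHosts = map[string]bool{"DESKTOP-GP01": true, "GP-CLIENT": true}
	spoofedMAC = "aa:bb:cc:dd:ee:ff"
	// Local administrator accounts on the firewall; hypothetical names for this example.
	localAdmins = map[string]bool{"admin": true, "panadmin": true}
)

type Finding struct {
	Line     int
	Severity string
	Reasons  []string
}

// parseKV parses the simplified "key=value key=value" layout of the constructed
// sample below. Real GlobalProtect logs are CSV; map their columns onto these keys.
func parseKV(line string) map[string]string {
	fields := map[string]string{}
	for _, tok := range strings.Fields(line) {
		if k, v, ok := strings.Cut(tok, "="); ok {
			fields[k] = v
		}
	}
	return fields
}

// ScanLogs returns one Finding per suspicious gateway authentication event.
func ScanLogs(lines []string) []Finding {
	var out []Finding
	for i, line := range lines {
		f := parseKV(line)
		if f["event"] != "gateway-auth" {
			continue
		}
		var reasons []string
		// Campaign-specific indicators: exact matches on the published IoCs.
		if actorIPs[f["src"]] {
			reasons = append(reasons, "source IP on actor list")
		}
		if strings.EqualFold(f["mac"], spoofedMAC) {
			reasons = append(reasons, "spoofed MAC "+spoofedMAC)
		}
		if actorHosts[f["host"]] {
			reasons = append(reasons, "hostname seen in campaign: "+f["host"])
		}
		// Behavioural rule, independent of the IoCs: an authentication-override
		// cookie used to log a local admin account in. Local admins normally do not
		// authenticate to the gateway this way, so this also catches new infrastructure.
		if f["auth"] == "cookie" && localAdmins[f["user"]] {
			reasons = append(reasons, "cookie auth to local admin "+f["user"])
		}
		if len(reasons) == 0 {
			continue
		}
		// A successful login that received a VPN address means internal reach.
		sev := "medium"
		if f["status"] == "success" && f["vpn_ip"] != "" && f["vpn_ip"] != "-" {
			sev = "high"
		}
		out = append(out, Finding{Line: i + 1, Severity: sev, Reasons: reasons})
	}
	return out
}

// sampleLog is constructed for this example and mirrors the two waves described
// above plus one benign login and one cookie login from an address not on the list.
var sampleLog = []string{
	"ts=2026-05-17T03:12:44Z event=gateway-auth status=success src=104.207.144.154 user=admin host=GP-CLIENT mac=aa:bb:cc:dd:ee:ff os=Linux auth=cookie vpn_ip=-",
	"ts=2026-05-21T08:05:01Z event=gateway-auth status=success src=146.19.216.120 user=admin host=DESKTOP-GP01 mac=aa:bb:cc:dd:ee:ff os=Windows auth=cookie vpn_ip=10.10.8.23",
	"ts=2026-05-21T09:00:00Z event=gateway-auth status=success src=203.0.113.9 user=jsmith host=JSMITH-LAPTOP mac=3c:22:fb:10:aa:01 os=Windows auth=ldap vpn_ip=10.10.8.40",
	"ts=2026-05-22T11:30:12Z event=gateway-auth status=success src=198.51.100.77 user=admin host=WIN-7PQ2 mac=00:11:22:33:44:55 os=Windows auth=cookie vpn_ip=10.10.8.51",
	"ts=2026-05-22T12:00:00Z event=gateway-auth status=failure src=146.19.216.125 user=admin host=GP-CLIENT mac=aa:bb:cc:dd:ee:ff os=Linux auth=cookie vpn_ip=-",
}

func main() {
	for _, fd := range ScanLogs(sampleLog) {
		fmt.Printf("line %d [%s]: %s\n", fd.Line, fd.Severity, strings.Join(fd.Reasons, "; "))
	}
}
```

On the constructed sample the scanner flags four of five lines: the two campaign waves, the failed probe, and the fourth line, which matches no published indicator but is still a cookie login to a local admin account that received a VPN address, the case the IoC list alone would miss.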
Signature-Based Detection
For Exposure Command, InsightVM, and Nexpose users, an authenticated check has been available since May 15 to assess vulnerability exposure. Additionally, Rapid7 has developed a public Proof of Concept (PoC) validation script that iterates through an appliance's HTTPS certificate chain, attempting to authenticate by forging a cookie with each public key.
Mitigation and Response
Immediate Actions
Organizations must apply the following remediation steps on an urgent basis:
- Apply Updates: Upgrade to a secure, vendor-supplied patch version (e.g., PAN-OS 12.1.4-h6 or later, 11.2.4-h17 or later, 11.1.4-h33 or later).
- The Nuclear Option (Configuration Mitigation): If patching is delayed, immediately disable the 'Authentication Override' feature entirely in the GlobalProtect portal and gateway. This breaks the exploit vector, though users will need to re-authenticate manually.
- The Cryptographic Fix (Configuration Mitigation): Alternatively, generate a brand new, dedicated certificate to be used exclusively for the authentication override feature, ensuring the attacker can no longer harvest the public key via HTTPS.
Strategic Guidance
Edge-facing VPN vulnerabilities represent the "death of the perimeter" and effectively collapse the human response window, as attackers bypass initial intrusion alarms. Organizations are strongly advised to assess exposure via authenticated checks, monitor environments for signs of post-exploitation internal movement, and treat this incident with the highest priority.