HIGH: Palo Alto GlobalProtect Auth Bypass (CVE-2026-0257) Actively Exploited, Now on CISA KEV

A GlobalProtect authentication override flaw in PAN-OS lets unauthenticated attackers forge session cookies and walk into the VPN. Rapid7 observed two waves of in-the-wild exploitation in May, CISA added the bug to the KEV catalog on May 29 with a June 1 federal deadline, and Palo Alto Networks has confirmed active exploitation against unpatched devices.

By Danny Mercer, CISSP — Lead Security Analyst May 31, 2026

Pour one out for the trust we placed in GlobalProtect cookies. They had a job, and now everyone knows they were doing it badly.

If you run Palo Alto Networks PAN-OS firewalls and your GlobalProtect portal still hands out authentication override cookies signed by a shared certificate, you have already been on the clock for almost two weeks. CVE-2026-0257 is now actively exploited, sitting on the CISA Known Exploited Vulnerabilities catalog with a federal patch deadline of June 1, and Rapid7 has watched real attackers forge their way into customer environments across two distinct waves of activity. The bug carries a CVSS 4.0 score of 7.8, a high but not critical rating, and the catch is that the score does not reflect what attackers actually get when they pull this trigger: unauthenticated VPN access to whatever sits behind the firewall.

The technical story here is a particularly clean example of why you should never reuse cryptographic material across functions. PAN-OS GlobalProtect supports an authentication override feature where the portal or gateway issues a session cookie after a user authenticates, then accepts that cookie on subsequent connections so the user does not have to type the password again. The cookie is encrypted, which sounds reasonable on a quick read, but the implementation living in the /usr/local/bin/gpsvc binary never bothers to verify a signature after decryption. Worse, in the affected configurations the certificate used to encrypt and decrypt that cookie is the same certificate the device hands out to anyone who connects to its HTTPS service. In other words, the public half of the key is being broadcast to the internet by design, and the cookie format trusts whatever decrypts cleanly. Pair those two things and an unauthenticated attacker can pull the cert chain off the portal, mint a cookie that says whatever they want, and walk in. MITRE classifies the underlying weakness as CWE-565, "Reliance on Cookies without Validation and Integrity Checking," which feels almost too on the nose.
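To make the CWE-565 point concrete, here is an added model of the two designs side by side: a verifier that trusts any cookie that decrypts cleanly, and one that first checks a MAC under a secret the client side never receives. This is example code written for this article, not PAN-OS code or the actual cookie format; the cipher is a toy SHA-256 keystream, the keys are constructed constants, and ENC_KEY stands in for the certificate material that the affected configurations serve to every HTTPS client.

```python
"""Model of the CWE-565 failure mode behind CVE-2026-0257: an authentication
cookie that is encrypted but never integrity-checked, beside a verifier that
requires a MAC under a key the client side never sees.

Added example, not PAN-OS code. The cipher is a toy SHA-256 keystream, the
keys are constructed constants and the cookie layout is invented for the model.
"""
import hashlib
import hmac
import json
import secrets

# Constructed keys. ENC_KEY stands in for the certificate material that, in the
# affected configurations, every HTTPS client of the portal receives; MAC_KEY
# stands in for a dedicated secret that is never served to clients.
ENC_KEY = hashlib.sha256(b"constructed-shared-https-certificate").digest()
MAC_KEY = hashlib.sha256(b"constructed-dedicated-cookie-secret").digest()
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream: sha256(key || nonce || counter) blocks."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def toy_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || (plaintext XOR keystream). Confidentiality only, no integrity."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def toy_decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, body = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def _parse_claims(plaintext: bytes):
    """'Decrypts cleanly' in this model means: valid JSON with a user field."""
    try:
        claims = json.loads(plaintext.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    return claims if isinstance(claims, dict) and "user" in claims else None


# Weak design: whoever holds ENC_KEY can mint a cookie the verifier trusts,
# because issuing and verifying need nothing the client side lacks.
def issue_cookie_weak(claims: dict) -> bytes:
    return toy_encrypt(ENC_KEY, json.dumps(claims).encode())


def verify_cookie_weak(blob: bytes):
    """Accepts any blob that decrypts to well-formed claims (CWE-565)."""
    return _parse_claims(toy_decrypt(ENC_KEY, blob))


# Hardened design: the ciphertext is authenticated under MAC_KEY, and the tag
# is checked in constant time before anything is decrypted or parsed.
def issue_cookie_hardened(claims: dict) -> bytes:
    ct = toy_encrypt(ENC_KEY, json.dumps(claims).encode())
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()


def verify_cookie_hardened(blob: bytes):
    """Rejects anything not MAC'd by the holder of MAC_KEY."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _parse_claims(toy_decrypt(ENC_KEY, ct))


def demo() -> dict:
    """Run both verifiers on a cookie built from ENC_KEY alone (all the weak
    issuer ever needed), on a genuine hardened cookie, and on a tampered one."""
    from_enc_key_only = issue_cookie_weak({"user": "constructed-admin", "gateway": "gw-example"})
    genuine = issue_cookie_hardened({"user": "alice"})
    # Flip one bit of the first ciphertext byte; the MAC must catch it.
    tampered = genuine[:NONCE_LEN] + bytes([genuine[NONCE_LEN] ^ 0x01]) + genuine[NONCE_LEN + 1:]
    return {
        "weak_accepts_enc_key_only_cookie": verify_cookie_weak(from_enc_key_only) is not None,
        "hardened_accepts_enc_key_only_cookie": verify_cookie_hardened(from_enc_key_only) is not None,
        "hardened_accepts_genuine": verify_cookie_hardened(genuine) == {"user": "alice"},
        "hardened_accepts_tampered": verify_cookie_hardened(tampered) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The takeaway is the key-separation point the article makes: the weak verifier and the weak issuer share exactly one secret, and that secret is the one the portal publishes, so issuing and forging are the same operation. The hardened verifier depends on a second secret that exists only on the gateway, which is the principle behind using a dedicated certificate for the cookie rather than the HTTPS certificate.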

Palo Alto Networks published its initial advisory on May 13. By May 17, Rapid7 MDR was responding to the first wave of in-the-wild exploitation across multiple customers, with telemetry showing Linux clients calling themselves GP-CLIENT and pulling fresh authentication sessions from devices that had not yet been patched. A second wave landed on May 21, this time with Windows clients masquerading as DESKTOP-GP01. Both waves shared a tell that should make any SOC analyst smile: a spoofed MAC address of aa:bb:cc:dd:ee:ff that the attacker apparently could not be bothered to randomize. Rapid7 attributes both rounds to the same operator and names the source addresses 104.207.144.154 out of Vultr along with 146.19.216.119 through 146.19.216.125 from Dromatics Systems. None of those should be in your firewall logs talking to a GlobalProtect gateway. If they are, today is the day you change that.

Rapid7 also noted that the operator did not, for the most part, follow up the auth bypass with lateral movement. In the first wave the attackers seemed content to demonstrate they could authenticate. In the second wave, however, a subset of victims saw the attackers get assigned internal VPN IPs, which is the moment GlobalProtect stops being a perimeter device and starts being a wide-open door into the data center. The fact that lateral movement was inconsistent suggests the operator was triaging access rather than running a smash and grab, which is exactly the playbook ransomware affiliates and initial access brokers have run for years. Today's quiet authentication is tomorrow's access listing on a Russian forum.

On May 29, CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog with a remediation deadline of June 1 for federal civilian agencies. That is a four-day window, which is CISA's polite way of saying everyone should already be done. Palo Alto Networks itself updated the advisory the same day to confirm that the exploit attempts it had been observing constituted active exploitation rather than research scanning. There is also a public proof of concept available from Rapid7 Labs that retrieves all certificates in the chain for the HTTPS service of either a GlobalProtect portal or gateway, which is the prerequisite step for the exploit. Once a PoC is on GitHub and CISA is naming dates, the half-life of unpatched devices drops fast.

The fix list is long enough that you need to know which branch you are on before you start. On the PAN-OS 12.1 track, upgrade to 12.1.4-h6 or 12.1.7. On 11.2, look at 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12 depending on your current sub-version. On 11.1, the targets are 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15. The 10.2 branch needs 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6. Panorama and Cloud NGFW are not affected. A small mercy, but a mercy nonetheless. After upgrading, expect existing GlobalProtect sessions to drop and users to re-authenticate, which is annoying for the help desk on Monday morning but a great deal cheaper than the alternative.

If you cannot patch in the window, the mitigations are straightforward. Disable the "Generate cookie for authentication override" and "Accept cookie for authentication override" options in both the portal and gateway configurations. That kills the feature the bug lives in. If your business absolutely cannot live without authentication override cookies, the other approved workaround is to generate a dedicated certificate used only for that cookie encryption and decryption purpose, so that the public certificate served over HTTPS is no longer the certificate an attacker can use to forge cookies. Either path closes the door, although disabling the feature outright is the cleaner option for the few days it takes to schedule a real upgrade window.

Detection is where defenders have a real shot at catching this even on devices that have not yet been patched. Hunt for GlobalProtect authentication events that originate from VPS providers like Vultr or hosts in unfamiliar autonomous systems. Look for client hostnames of GP-CLIENT and DESKTOP-GP01, both of which appeared in Rapid7's incident data. Block or alert on the Rapid7-published source addresses and any new VPN sessions presenting the MAC address aa:bb:cc:dd:ee:ff, which is the sort of placeholder string a competent operator would never leave in production. Pull GlobalProtect portal logs for unexpected successful authentications without a corresponding password event, since the cookie path bypasses the credential prompt entirely. None of these is airtight by itself, but layered together they give you a defensible chance at catching forged session activity before it turns into something worse.
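Here is an added hunt script that applies the indicators above to GlobalProtect-style authentication records. It is example code written for this article, not Rapid7 or Palo Alto Networks tooling; the log lines are constructed, the CSV layout (timestamp, event, result, user, source IP, client hostname, client MAC, auth method) is invented, and you would map those fields onto your own PAN-OS GlobalProtect log export before running it against real data.

```python
"""Hunt over GlobalProtect-style authentication records for the indicators
named in the article: Rapid7's published source addresses, the GP-CLIENT and
DESKTOP-GP01 client hostnames, the spoofed MAC aa:bb:cc:dd:ee:ff, and cookie
logins with no prior credential login for the same user.

Added example, not vendor tooling. Log layout and sample lines are constructed.
"""
import csv
import ipaddress

# Indicators from the article.
IOC_IPS = {ipaddress.ip_address("104.207.144.154")} | {
    ipaddress.ip_address(f"146.19.216.{h}") for h in range(119, 126)
}
IOC_HOSTNAMES = {"GP-CLIENT", "DESKTOP-GP01"}
IOC_MAC = "aa:bb:cc:dd:ee:ff"

# Assumed CSV layout; adapt to your own GlobalProtect export.
FIELDS = ["ts", "event", "result", "user", "src_ip", "hostname", "mac", "auth_method"]

# Constructed sample records. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for ordinary users.
LOG_LINES = [
    "2026-05-17T03:12:44Z,gateway-auth,success,jsmith,203.0.113.5,JSMITH-LAPTOP,10:02:b5:aa:11:22,password",
    "2026-05-17T03:15:01Z,gateway-auth,success,jsmith,203.0.113.5,JSMITH-LAPTOP,10:02:b5:aa:11:22,cookie",
    "2026-05-17T04:02:10Z,gateway-auth,success,svc_backup,104.207.144.154,GP-CLIENT,aa:bb:cc:dd:ee:ff,cookie",
    "2026-05-21T11:40:33Z,gateway-auth,success,cfo,146.19.216.121,DESKTOP-GP01,AA:BB:CC:DD:EE:FF,cookie",
    "2026-05-21T11:41:00Z,gateway-auth,failure,cfo,198.51.100.7,CFO-PC,00:11:22:33:44:55,password",
]


def parse(lines):
    """Turn CSV rows into dicts keyed by FIELDS."""
    return [dict(zip(FIELDS, row)) for row in csv.reader(lines)]


def hunt(lines):
    """Return one finding per record that matches any indicator, with reasons."""
    findings = []
    password_ok = set()  # users seen completing a credential login earlier in the set
    for n, rec in enumerate(parse(lines), 1):
        reasons = []
        if ipaddress.ip_address(rec["src_ip"]) in IOC_IPS:
            reasons.append("ioc_source_ip")
        if rec["hostname"] in IOC_HOSTNAMES:
            reasons.append("ioc_client_hostname")
        if rec["mac"].lower() == IOC_MAC:
            reasons.append("ioc_spoofed_mac")
        if rec["result"] == "success":
            if rec["auth_method"] == "password":
                password_ok.add(rec["user"])
            elif rec["auth_method"] == "cookie" and rec["user"] not in password_ok:
                # The cookie path skips the credential prompt, so a cookie login
                # with no password login behind it is the forged-cookie signature.
                reasons.append("cookie_auth_without_prior_password")
        if reasons:
            findings.append({"line": n, "user": rec["user"], "src_ip": rec["src_ip"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in hunt(LOG_LINES):
        print(f)
```

The "no prior password event" rule is deliberately simple: it treats the whole record set as the lookback window. On a real export you would bound that window to the configured cookie lifetime, since a legitimate cookie login can sit days after the password login that issued it.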

Step back from the technical details for a second and the strategic picture is uglier than it looks. Authentication bypass bugs in remote access products have driven a meaningful chunk of the ransomware ecosystem for years, with Fortinet, Ivanti, Citrix, and now Palo Alto Networks all taking turns in the rotation. Initial access brokers love these issues because a VPN concentrator with a usable bypass is, by definition, a route into the corporate network that ignores everything you spent the last decade building. Every quarter another vendor's flagship edge device is the one with the dumb cookie problem. The lesson, if there is one beyond patch quickly, is that the perimeter is still the perimeter no matter what we tell ourselves about zero trust, and the hosts that terminate VPN connections deserve the same paranoid configuration discipline you reserve for domain controllers.

For MSPs, this is a clean story to take to clients. Anyone running PAN-OS at the edge needs an emergency patch validation today, and clients without around-the-clock monitoring need to understand that two weeks of active exploitation has already happened, with PoC code and named IPs sitting in public view. There is a real sales conversation here around managed firewall services, edge device patch SLAs, and MDR coverage that actually reads GlobalProtect authentication logs rather than just collecting them. A short customer-facing brief on CVE-2026-0257, paired with a list of clients you have already patched and a list you are recommending priority service for, is the kind of message that wins renewals and grows wallet share.
