HIGH: Palo Alto Networks GlobalProtect Authentication Bypass Under Active Exploitation

CVE-2026-0257 is an authentication bypass in PAN-OS GlobalProtect portal and gateway components, exploited in the wild since May 17, 2026. Attackers forge authentication override cookies when administrators reuse a certificate between authentication override and the HTTPS service, dropping straight onto the corporate VPN as legitimate users. CISA added the bug to KEV with a June 19 federal patch deadline.

By Danny Mercer, CISSP — Lead Security Analyst, May 30, 2026

If you have a Palo Alto Networks firewall facing the internet with GlobalProtect turned on, the rest of your task list can wait. CVE-2026-0257, an authentication bypass in the GlobalProtect portal and gateway components of PAN-OS, is being actively exploited in the wild. Rapid7's managed detection and response team has been watching successful intrusions against customer environments since May 17, and CISA dropped the bug into its Known Exploited Vulnerabilities catalog this week with a June 19, 2026 remediation deadline for federal civilian agencies. The clock is loud and ticking.

This is the second authentication bypass to surface in GlobalProtect in the last eighteen months, which says something about the difficulty of getting cryptographic cookie handling right in a product whose entire purpose is to sit on the perimeter and answer the door for remote employees. Palo Alto published the original advisory on May 13, 2026, then quietly updated it on May 29 to acknowledge what researchers were already shouting from the rooftops. Attackers had moved from theory to practice and were busy forging their way into unpatched appliances.

The technical guts

CVE-2026-0257 carries a CVSS v4.0 score of 7.8 in the High band, which is the kind of number that looks deceptively manageable until you read the vector and notice the attack is unauthenticated, network reachable, and requires no user interaction. The root cause sits in how GlobalProtect generates and validates authentication override cookies, those convenient little blobs that let users skip the full login dance for a short window. The cookies are encrypted and decrypted using a certificate, and herein lies the gunpowder. If an administrator has configured the same certificate for the authentication override feature and for another GlobalProtect function, such as the public HTTPS service of the portal or gateway, the public key for that certificate is no longer secret. Anyone with a web browser can pull it.

Once an attacker has the public key, the math collapses. The cookie design assumed the key would remain private, and with it exposed the attacker can forge whatever authentication override cookie they like. From there they walk past the front door of the VPN as a legitimate user, no credentials required, no MFA prompt, and no anomaly worth flagging in most stock dashboards. The flaw is, in classic fashion, a configuration footgun layered on top of a cryptographic assumption that turns out to be wishful.

The list of affected releases is long enough to be a chore. Anything in the 12.1 line before 12.1.4-h6 or 12.1.7 is vulnerable, as are versions of 11.2 below 11.2.4-h17, 11.2.7-h14, 11.2.10-h7, or 11.2.12 depending on the branch in use. The 11.1 train carries the bug in everything below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15. The 10.2 line, which is still running in plenty of production environments because organizations have not yet absorbed the cost of jumping major versions, is unfixed below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6. Cloud NGFW customers and anyone whose management plane sits on Panorama can pour themselves a coffee, as those products are not affected. Everyone else should treat the version matrix like a flight manifest and make sure their device is on a plane that has actually landed.
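Reading that matrix by hand across a fleet is error-prone, so here is a small version checker, added as an example and not part of the original article or any Palo Alto tooling. It transcribes the fixed builds listed above into a table and applies the rule the advisory pattern implies: a build is fixed when it reaches the listed hotfix of its own maintenance release, or when it sits at or beyond the highest listed maintenance release of its train. The hostnames and versions in the sample inventory are constructed; trains the paragraph above does not list (for example 11.0) are reported as "unlisted" rather than guessed.

```python
import re

# Fixed builds per PAN-OS train, transcribed from the affected-release summary above.
# Within a train, a build is fixed once it reaches the listed hotfix of its own maintenance
# release, or sits at or beyond the highest listed maintenance release.
FIXED_BUILDS = {
    "12.1": ["12.1.4-h6", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split 'major.minor.maint[-hN]' into (major, minor, maint, hotfix); no hotfix means 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version):
    """Return 'vulnerable', 'fixed' or 'unlisted' for CVE-2026-0257 against FIXED_BUILDS."""
    major, minor, maint, hotfix = parse_version(version)
    train = f"{major}.{minor}"
    if train not in FIXED_BUILDS:
        return "unlisted"  # train not covered by the summary above; check the vendor advisory
    fixed = sorted(parse_version(f) for f in FIXED_BUILDS[train])
    # Case 1: this maintenance release has its own fix hotfix, so compare hotfix numbers.
    for f in fixed:
        if f[2] == maint:
            return "fixed" if hotfix >= f[3] else "vulnerable"
    # Case 2: no hotfix entry for this maintenance release; it is only fixed if it is newer
    # than the highest fixed maintenance release in the train (e.g. 11.2.13 vs 11.2.12).
    return "fixed" if maint > fixed[-1][2] else "vulnerable"


def assess_inventory(inventory):
    """Map {hostname: version} to {hostname: (version, verdict)} for a fleet-wide view."""
    return {host: (ver, assess(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; replace with the output of your own asset export.
    sample = {
        "fw-dc1-edge": "11.2.4-h16",
        "fw-dc2-edge": "11.1.15",
        "fw-branch-07": "10.2.18-h5",
        "fw-lab": "12.1.6",
        "fw-legacy": "11.0.3",
    }
    for host, (ver, verdict) in sorted(assess_inventory(sample).items()):
        print(f"{host:15} {ver:12} {verdict}")
```

Feed it the version column from your asset inventory and sort on the verdict; anything "unlisted" goes to the vendor advisory for a manual check rather than being assumed safe.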

What exploitation looks like

Rapid7 published its observations on May 29, and the picture is unpleasantly clear. The earliest confirmed exploitation against customer environments traces back to May 17, four days after Palo Alto's advisory hit the wire. That tracks with the historical pattern around perimeter appliances, where the gap between public disclosure and weaponization keeps compressing.

Rapid7 identified two distinct waves. The first, beginning May 18, used forged cookies to authenticate against local admin accounts on the firewalls. Think of it as reconnaissance and a foothold rather than an immediate breakout. The second wave, kicking off around May 21, took the next logical step. Attackers used the forged cookie path to obtain a VPN IP address from the gateway, dropping themselves directly onto the internal corporate network as if they were a sanctioned remote worker.

The infrastructure tells a story too. Both waves originated from low-cost hosting providers, with the first wave routed through Vultr and the second through Dromatics Systems. The source addresses worth feeding into your detection stack today include 104.207.144.154, 146.19.216.119, 146.19.216.120, and 146.19.216.125. Machine names of GP-CLIENT, showing up on Linux authentications from May 17 onward, and DESKTOP-GP01, appearing on Windows authentications from May 21, recur across the dataset alongside a beautifully obvious spoofed MAC address of aa:bb:cc:dd:ee:ff that should set off any half decent SIEM rule the first time it crosses the wire. The consistency across both waves, particularly the reused fake MAC, suggests a single actor or closely linked group rather than a swarm of opportunists.

The good news, if you can call it that, is that Rapid7 did not observe successful lateral movement out of the exploited devices in their detection set. The bad news is that absence of evidence is not the same as evidence of absence, and a VPN tunneled foothold inside the perimeter is precisely the place where a patient attacker would wait quietly while logs roll off retention.

What to do, today

Patching is the only durable fix. Palo Alto has shipped fixed builds across every supported branch, and customers running PAN-OS should move to the appropriate patched version listed above based on their current train. There is one noteworthy operational wrinkle. After upgrading, users must re-authenticate even if they hold a valid cookie, because the cookie generation method changes as part of the fix. Plan accordingly so your help desk does not get a wave of confused remote workers on Monday morning.

For organizations that absolutely cannot apply the update in the next few hours, there are two mitigations of varying flavor. The first is to disable authentication override options in the GlobalProtect portal and gateway configuration outright, which neutralizes the attack surface at the cost of a small amount of user convenience. The second is to give the authentication override feature a dedicated certificate that is not reused anywhere else in the configuration, which breaks the public key disclosure path that makes the forgery possible. Both options are documented in the advisory and both should be considered stopgaps rather than permanent positions.
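The two mitigations above are easy to audit from a configuration export. The following checker is an added example, not code from the article or from Palo Alto Networks: it walks an XML configuration, collects every certificate served through an SSL/TLS service profile, and then grades each authentication-override block as "disabled" (mitigation one), "dedicated" (mitigation two) or "reused" (the precondition for forgery). The configuration fragment is constructed, and the element names and nesting are my assumption about the shape of a PAN-OS running-config export; adjust the paths to match what your own export contains.

```python
import xml.etree.ElementTree as ET

# Constructed configuration fragment. The element names follow the shape of a PAN-OS
# running-config export as assumed here; verify the exact paths against your own export.
SAMPLE_CONFIG = """\
<config>
  <shared>
    <ssl-tls-service-profile>
      <entry name="gp-portal-tls"><certificate>gp-public-cert</certificate></entry>
      <entry name="gp-gateway-tls"><certificate>gp-public-cert</certificate></entry>
    </ssl-tls-service-profile>
  </shared>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1"><global-protect>
    <global-protect-portal><entry name="gp-portal">
      <portal-config><ssl-tls-service-profile>gp-portal-tls</ssl-tls-service-profile></portal-config>
      <client-config><configs>
        <entry name="default"><authentication-override>
          <generate-cookie>yes</generate-cookie><accept-cookie>yes</accept-cookie>
          <cookie-encrypt-decrypt-cert>gp-public-cert</cookie-encrypt-decrypt-cert>
        </authentication-override></entry>
        <entry name="contractors"><authentication-override>
          <generate-cookie>no</generate-cookie><accept-cookie>no</accept-cookie>
        </authentication-override></entry>
      </configs></client-config>
    </entry></global-protect-portal>
    <global-protect-gateway><entry name="gp-gateway">
      <ssl-tls-service-profile>gp-gateway-tls</ssl-tls-service-profile>
      <remote-user-tunnel-configs><entry name="default"><authentication-override>
        <generate-cookie>yes</generate-cookie><accept-cookie>yes</accept-cookie>
        <cookie-encrypt-decrypt-cert>gp-cookie-only-cert</cookie-encrypt-decrypt-cert>
      </authentication-override></entry></remote-user-tunnel-configs>
    </entry></global-protect-gateway>
  </global-protect></entry></vsys></entry></devices>
</config>
"""


def _owner(elem, parents):
    """Walk up from elem to the enclosing portal or gateway <entry>; return (component, name)."""
    node = elem
    while node in parents:
        parent = parents[node]
        if node.tag == "entry" and parent.tag in ("global-protect-portal", "global-protect-gateway"):
            return parent.tag[len("global-protect-"):], node.get("name")
        node = parent
    return "unknown", "?"


def audit_authentication_override(xml_text):
    """Report every authentication-override block as 'disabled', 'dedicated' or 'reused'."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    # Certificates presented on the public HTTPS listener through any SSL/TLS service profile.
    public_certs = {
        c.text.strip()
        for c in root.iterfind(".//ssl-tls-service-profile/entry/certificate")
        if c.text
    }
    report = []
    for ao in root.iter("authentication-override"):
        component, name = _owner(ao, parents)
        cfg = parents[ao].get("name", "?")
        enabled = any((ao.findtext(tag) or "").strip() == "yes"
                      for tag in ("generate-cookie", "accept-cookie"))
        cert = (ao.findtext("cookie-encrypt-decrypt-cert") or "").strip()
        if not enabled:
            status = "disabled"    # mitigation 1: no override cookies issued or accepted
        elif cert in public_certs:
            status = "reused"      # the shared-certificate precondition described above
        else:
            status = "dedicated"   # mitigation 2: cookie certificate is not served publicly
        report.append({"component": component, "name": name, "config": cfg,
                       "cert": cert or None, "status": status})
    return report


if __name__ == "__main__":
    for r in audit_authentication_override(SAMPLE_CONFIG):
        print(f"{r['component']:8} {r['name']:12} {r['config']:12} {str(r['cert']):22} {r['status']}")
```

Any "reused" row means the appliance still carries the vulnerable pattern regardless of what the version string says, which is why the audit belongs alongside the patch status rather than after it.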

On the detection side, hunt for the IP addresses and machine names noted above in your authentication logs going back to at least May 13, the day of the original disclosure. The spoofed MAC is a freebie. Any inbound GlobalProtect authentication that ties to one of those source addresses should be treated as a confirmed compromise pending full investigation, not as a noisy alert to triage later in the week. Consider pulling the configuration of every internet facing firewall in your estate and grepping for shared certificate usage across HTTPS service and authentication override, because if you have that pattern in place you are by definition vulnerable.
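To turn the indicators above into something that runs over real logs, here is a small hunt script, added as an example and not taken from the article, Rapid7 or Palo Alto. It parses authentication records, keeps those dated from the May 13 disclosure onward, matches the source addresses, machine names and spoofed MAC quoted above, and grades each hit the way the paragraph above recommends: a known source address is "confirmed", a lone spoofed MAC or machine name is "suspicious". The log lines are constructed in a simplified key=value layout rather than PAN-OS's native log format, so map your own GlobalProtect fields onto these keys before using it.

```python
from datetime import datetime, date

# Indicators quoted from the Rapid7 observations above.
IOC_IPS = {"104.207.144.154", "146.19.216.119", "146.19.216.120", "146.19.216.125"}
IOC_MACHINE_NAMES = {"GP-CLIENT", "DESKTOP-GP01"}
IOC_MAC = "aa:bb:cc:dd:ee:ff"
HUNT_SINCE = date(2026, 5, 13)  # day of the original disclosure

# Constructed sample log in a simplified key=value layout (not PAN-OS's native format).
SAMPLE_LOG = """\
2026-05-12T08:01:10Z src=203.0.113.10 user=jdoe machine=JDOE-LAPTOP os=Windows mac=3c:52:82:11:22:33 event=login-success
2026-05-17T03:14:07Z src=104.207.144.154 user=admin machine=GP-CLIENT os=Linux mac=aa:bb:cc:dd:ee:ff event=login-success
2026-05-18T10:22:45Z src=198.51.100.7 user=asmith machine=ASMITH-MBP os=Mac mac=f0:18:98:aa:bb:cc event=login-success
2026-05-21T22:47:31Z src=146.19.216.120 user=bwilson machine=DESKTOP-GP01 os=Windows mac=aa:bb:cc:dd:ee:ff event=tunnel-assigned
2026-05-23T01:02:03Z src=192.0.2.55 user=ctran machine=CTRAN-PC os=Windows mac=AA:BB:CC:DD:EE:FF event=login-success
"""


def parse_line(line):
    """Split 'timestamp key=value ...' into a dict; returns None for blank or malformed lines."""
    parts = line.split()
    if not parts or "=" in parts[0]:
        return None
    try:
        when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    fields["time"] = when
    return fields


def match_indicators(rec):
    """Return the sorted list of indicator kinds ('ip', 'mac', 'machine') this record matches."""
    hits = []
    if rec.get("src") in IOC_IPS:
        hits.append("ip")
    if rec.get("machine", "").upper() in IOC_MACHINE_NAMES:
        hits.append("machine")
    if rec.get("mac", "").lower() == IOC_MAC:
        hits.append("mac")
    return sorted(hits)


def hunt(log_text, since=HUNT_SINCE):
    """Scan authentication records dated from `since` onward and grade each indicator match."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["time"].date() < since:
            continue
        indicators = match_indicators(rec)
        if not indicators:
            continue
        # A known source address is treated as a confirmed compromise pending investigation;
        # a lone spoofed MAC or machine name is a strong lead that still needs follow-up.
        severity = "confirmed" if "ip" in indicators else "suspicious"
        findings.append({"time": rec["time"].isoformat(), "src": rec.get("src"),
                         "user": rec.get("user"), "machine": rec.get("machine"),
                         "indicators": indicators, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f['severity']:10} {f['time']} {f['src']:16} {f['user']:8} {f['indicators']}")
```

The date filter is a floor, not a ceiling: if your retention allows it, widen `since` and treat a pre-disclosure hit on one of these addresses as more interesting, not less.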

The MSP angle

This is the kind of week where managed service providers earn their margin. Any client with a Palo Alto firewall sitting on the internet needs a patch window scheduled before sundown, and the conversation around emergency patching is also the right moment to revisit perimeter posture more broadly. There is a real upsell here for managed firewall services, continuous vulnerability management, and external attack surface monitoring that flags unpatched appliances before CISA does it for you. Clients who balked at dark web monitoring or 24x7 SOC coverage last quarter are about to be much more receptive, and the right framing is not fear but math. The cost of a single forged cookie compromise dwarfs the annual price of doing perimeter management properly, and that conversation lands harder this week than it will in two months when the news cycle has moved on.
