PAN-OS GlobalProtect Authentication Bypass via Forged Override Cookies — CVE-2026-0257 (Active Exploitation)
CVE-2026-0257 is an authentication bypass in PAN-OS and Prisma Access affecting deployments where GlobalProtect portal or gateway authentication override cookies are enabled and Cloud Authentication Service (CAS) is disabled. A remote unauthenticated attacker can forge authentication override cookies to authenticate as any user — including the local admin account — and in confirmed cases obtain a full VPN session with internal network access. Rapid7 MDR confirmed active exploitation from two distinct waves beginning May 17 2026, originating from Vultr (104.207.144.154) and Dromatics Systems (146.19.216.125). The definitive fix is the vendor-supplied PAN-OS patch; interim mitigations are disabling authentication override cookies and re-enabling CAS.
Indicators
- GlobalProtect authentication log entries showing successful 'Cookie' login method to privileged accounts (e.g., 'admin') from unexpected external IP addresses
- SIEM/MDR alert: 'Suspicious VPN Authentication - Local Account Logon via Generic Non-Human Identity'
- GlobalProtect auth log entries with auth method 'Cookie', action 'login', result 'success', originating from known hosting provider IP ranges: Vultr 104.207.144.154 (first wave ~May 18 2026) or Dromatics Systems 146.19.216.125 (second wave ~May 21 2026)
- Log field GLOBALPROTECT with subtype 'gateway-auth' and method 'Cookie' correlating with 0x8000000000000000 flag in second-wave logs
- Consistent MAC address pattern 'aa:bb:cc:dd:ee:ff' appearing across multiple cookie-based login events, linking exploitation attempts to a single threat actor
- Client OS reported as Linux 'linux-64' (first wave) or Windows 'Microsoft Windows 10 Pro, 64-bit' (second wave) in forged cookie metadata — inconsistent with known corporate endpoints
- Auth latency values of 78ms (first wave) and 1019ms (second wave) for cookie-based logins
- VPN IP assignment recorded in session logs following suspicious cookie-based authentication, indicating internal network access was granted
- GlobalProtect auth logs showing profile 'local_auth_profile' or 'SAML-o365-GP' with cookie-based logins from non-corporate endpoints
Likely causes
- Authentication override cookie feature is enabled on GlobalProtect portal/gateway, allowing the appliance to issue and accept cookies that bypass full credential authentication — attacker forges these cookies to authenticate without valid credentials
- Cloud Authentication Service (CAS) is disabled, removing the additional validation layer that would otherwise detect or reject forged cookies
- No cryptographic integrity enforcement or IP binding on authentication override cookies, allowing tokens to be forged or replayed from attacker-controlled infrastructure without detection
- GlobalProtect gateway/portal is internet-facing with no network-layer controls preventing unauthenticated cookie submission from arbitrary public IPs
Diagnostic steps
- Collect a PAN-OS tech support file from the affected appliance before making any changes. In the PAN-OS GUI: Device > Support > Generate Tech Support File. Review the extracted configuration for GlobalProtect portal/gateway settings: confirm whether 'authentication override cookie' is enabled AND whether Cloud Authentication Service (CAS) is disabled. Both conditions must be true for the vulnerable configuration to be present. Goal: establish whether the vulnerable configuration exists on this appliance, and preserve forensic state before remediation alters it.
- Review GlobalProtect authentication logs (log type: GLOBALPROTECT, subtype: gateway-auth) for all portals and gateways. Filter for entries where auth method = 'Cookie' AND result = 'success' AND source IP is not a known corporate endpoint. Pay particular attention to logins to privileged local accounts (e.g., 'admin'). Export all matching entries with timestamps for forensic documentation. Goal: determine whether exploitation has already occurred and establish the earliest date of compromise.
- Within the filtered Cookie-based success log entries, search specifically for source IPs 104.207.144.154 (Vultr, first exploitation wave ~May 18 2026) and 146.19.216.125 (Dromatics Systems, second exploitation wave ~May 21 2026). Also search for the consistent MAC address pattern 'aa:bb:cc:dd:ee:ff' and client OS strings 'linux-64' or 'Microsoft Windows 10 Pro, 64-bit' appearing in cookie-based logins. Note auth latency values: 78ms indicates the first wave; 1019ms indicates the second wave. Goal: attribute exploitation to the known threat actor infrastructure documented by Rapid7 MDR and identify all affected time windows.
- For each suspicious cookie-based authentication event identified, check whether a VPN IP address was subsequently assigned to that session (review DHCP/IP assignment logs and GlobalProtect session tables). For any session where a VPN IP was assigned, extract the assigned IP address and the full session timeframe for use in the lateral movement review in the next step. Goal: determine whether the attacker progressed from authentication bypass to full internal network access — VPN IP assignment was confirmed in a subset of exploited customer environments.
- For any VPN IP addresses assigned during suspicious cookie-based sessions, review internal network logs for lateral movement activity originating from those IPs during the session window. Check: authentication events against internal systems, SMB/file access logs, DNS queries, and network connections to sensitive segments (domain controllers, file servers, databases). Scope the lateral movement review to the full exploitation window (May 17 2026 onward). Goal: determine whether post-exploitation lateral movement occurred. Rapid7 MDR did not observe lateral movement in their customer base, but this must be independently verified per environment.
- Cross-reference all identified cookie-based exploitation log entries for consistent MAC address values and client hostnames (e.g., 'GP-CLIENT', 'DESKTOP-GP01') appearing across multiple time windows. Group events by MAC address to link exploitation waves from different source IPs to the same threat actor. Document all account names authenticated against via forged cookies — these accounts require credential resets regardless of whether lateral movement is confirmed. Goal: complete threat actor attribution, identify all compromised accounts, and confirm the scope of the exploitation window for incident documentation and mandatory reporting.
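The log review in the steps above (Cookie-method successes from non-corporate IPs or to privileged accounts, grouped by MAC to link waves, with the set of accounts needing resets) can be expressed as a small triage script. This is an added example, not Rapid7's or Palo Alto Networks' code: the record field names and the corporate egress range are assumptions, and the sample records are constructed to mirror the indicators listed on this page.

```python
"""Triage GlobalProtect gateway-auth records for forged-cookie logins (added example,
not PAN-OS code; field names are assumptions, sample records are constructed)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

CORPORATE_RANGES = [ip_network("203.0.113.0/24")]  # assumed corporate egress ranges
PRIVILEGED_ACCOUNTS = {"admin"}

# Constructed records: two hits matching the page's waves, one legitimate corporate login, one failure.
SAMPLE_RECORDS = [
    {"time": "2026/05/18 02:14:07", "subtype": "gateway-auth", "auth_method": "Cookie",
     "event": "login", "status": "success", "user": "admin", "public_ip": "104.207.144.154",
     "client_os": "linux-64", "mac": "aa:bb:cc:dd:ee:ff"},
    {"time": "2026/05/21 11:02:55", "subtype": "gateway-auth", "auth_method": "Cookie",
     "event": "login", "status": "success", "user": "jdoe", "public_ip": "146.19.216.125",
     "client_os": "Microsoft Windows 10 Pro, 64-bit", "mac": "aa:bb:cc:dd:ee:ff"},
    {"time": "2026/05/21 08:00:00", "subtype": "gateway-auth", "auth_method": "Cookie",
     "event": "login", "status": "success", "user": "asmith", "public_ip": "203.0.113.40",
     "client_os": "Microsoft Windows 11 Pro, 64-bit", "mac": "00:11:22:33:44:55"},
    {"time": "2026/05/21 08:05:00", "subtype": "gateway-auth", "auth_method": "Cookie",
     "event": "login", "status": "failure", "user": "admin", "public_ip": "198.51.100.9",
     "client_os": "linux-64", "mac": "aa:bb:cc:dd:ee:ff"},
]

def is_corporate(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in CORPORATE_RANGES)

def suspicious_cookie_logins(records):
    """Successful Cookie-method logins from non-corporate IPs or to privileged accounts."""
    hits = []
    for r in records:
        if (r["subtype"], r["auth_method"], r["event"], r["status"]) != (
                "gateway-auth", "Cookie", "login", "success"):
            continue  # failures and non-cookie methods are out of scope for this check
        if r["user"] in PRIVILEGED_ACCOUNTS or not is_corporate(r["public_ip"]):
            hits.append(r)
    return hits

def link_by_mac(hits):
    """Group hits by client MAC so waves from different source IPs attribute together."""
    by_mac = defaultdict(set)
    for r in hits:
        by_mac[r["mac"]].add(r["public_ip"])
    return {mac: sorted(ips) for mac, ips in by_mac.items()}

def accounts_needing_reset(hits):
    """Every account authenticated via a suspicious cookie login needs a credential reset."""
    return sorted({r["user"] for r in hits})
```

The same predicate (subtype gateway-auth, method Cookie, success, privileged or non-corporate source) is what the Prevention section's SIEM rule should alert on.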
Resolution path
- IMMEDIATE — Apply vendor-supplied PAN-OS patch: Upgrade all affected PAN-OS and Prisma Access appliances to the patched version published by Palo Alto Networks for CVE-2026-0257 (check security.paloaltonetworks.com). Treat as urgent/critical priority regardless of the assigned medium CVSSv4 score — CISA KEV listing and confirmed active exploitation override vendor severity rating.
- INTERIM MITIGATION (if patching cannot begin immediately) — Disable authentication override cookies on all GlobalProtect portals and gateways: In PAN-OS GUI, navigate to Network > GlobalProtect > Portals > [portal] > Agent > Authentication and disable 'Generate cookie for authentication override'. Repeat for all configured gateways under Network > GlobalProtect > Gateways. Commit the configuration change. This eliminates the attack surface while the patch is staged.
- INTERIM MITIGATION — Enable Cloud Authentication Service (CAS) if it was previously disabled: Re-enabling CAS adds the additional authentication validation layer absent in the vulnerable configuration. Navigate to Device > Setup > Management > Cloud Services and enable CAS. Verify user authentication flows are not disrupted before committing.
- POST-PATCH — Revoke all VPN sessions established via Cookie authentication during the exploitation window (May 17 2026 onward): Terminate active GlobalProtect sessions for any account that successfully authenticated via Cookie method from unexpected IPs. Force re-authentication for all active GlobalProtect sessions.
- POST-PATCH — Reset credentials for all accounts (especially the local 'admin' account and any other accounts appearing in suspicious cookie-based login events) that were successfully authenticated against via forged cookies during the exploitation window. Session integrity cannot be guaranteed for these accounts.
- COMPLIANCE — If subject to BOD 22-01: CVE-2026-0257 was added to the CISA KEV catalog on May 29 2026, triggering mandatory remediation timelines for federal agencies. Document remediation completion date and confirm it falls within the required timeframe per organizational policy.
Prevention
- Disable GlobalProtect authentication override cookies unless strictly required by operational need. If cookies must be enabled, ensure Cloud Authentication Service (CAS) is also enabled — this combination removes the vulnerable configuration that CVE-2026-0257 depends on.
- Implement SIEM/MDR alerting on GlobalProtect authentication log events where auth method = 'Cookie' AND the authenticated account is a privileged local account (e.g., admin) — treat these as P1 anomalies requiring immediate investigation, not routine events.
- Restrict GlobalProtect gateway and portal access at the network perimeter to known corporate IP ranges or implement geo-blocking where operationally feasible, reducing the attack surface against commodity hosting provider exploitation (Vultr, Dromatics Systems blocks, and similar ranges).
- Establish a patch SLA that treats authentication bypass vulnerabilities in internet-facing VPN appliances as P1/critical regardless of vendor-assigned CVSSv4 score — apply vendor patches within 24–72 hours of release. CISA KEV listing alone should trigger immediate action independent of internal severity assessment.
- Regularly audit PAN-OS GlobalProtect configurations to confirm CAS is enabled and authentication override cookie settings align with least-privilege principles — include this check in quarterly security configuration reviews.
- Monitor for inbound connections from known malicious hosting provider IP ranges at the perimeter firewall level (including Vultr and Dromatics Systems ASN blocks), and alert on successful GlobalProtect authentications originating from datacenter/hosting provider IP space.
Tools
- PAN-OS tech support file — forensic configuration and log collection from affected appliances (Device > Support > Generate Tech Support File)
- GlobalProtect Authentication Log — primary log source for detecting exploitation (log type: GLOBALPROTECT, subtype: gateway-auth, filter on method=Cookie, result=success)
- Rapid7 MDR — detected exploitation via 'Suspicious VPN Authentication - Local Account Logon via Generic Non-Human Identity' alert; source of threat actor IP and MAC indicators
- CISA KEV catalog — tracks mandatory remediation for CVE-2026-0257 (added May 29 2026); reference for BOD 22-01 compliance timelines