
Palo Alto GlobalProtect VPN Auth Bypass: When Your Security Vendor's Cookies Become the Attack Vector

Attackers are forging authentication cookies to bypass Palo Alto GlobalProtect VPN logins. CISA KEV listed, Rapid7 confirms active exploitation since May 17.

Palo Alto GlobalProtect VPN Auth Bypass: When Your Security Vendor's Cookies Become the Attack Vector, by Deepak Gupta on guptadeepak.com

The security appliance designed to protect your corporate network just became the entry point.

Palo Alto Networks confirmed in late May 2026 that attackers are actively exploiting CVE-2026-0257, an authentication bypass vulnerability in PAN-OS GlobalProtect, to establish unauthorized VPN connections to corporate networks. Rapid7's Managed Detection and Response team observed exploitation across numerous customers, with the earliest attacks dating to May 17, just four days after the initial advisory.

The mechanism is elegantly simple: attackers forge authentication override cookies that GlobalProtect gateways accept without proper validation. One forged cookie. No credentials required. Full VPN access to the internal network.

CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 29, initially with a remediation deadline of June 1. For organizations still running unpatched GlobalProtect deployments, the clock has already run out.

What Happened

The Vulnerability

CVE-2026-0257 affects the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software. The vulnerability exists in a feature called "authentication override," which allows GlobalProtect to issue cookies to authenticated users. These cookies function as bearer tokens: once issued, a user can present the cookie instead of re-authenticating with credentials, similar to a session cookie in a web application.

The flaw lies in how GlobalProtect validates these authentication override cookies. Specifically, when the certificate used to encrypt and decrypt authentication override cookies is not the same certificate used for the GlobalProtect portal or gateway's HTTPS service, the validation becomes insufficient. An attacker can forge cookies that the gateway accepts as legitimate, granting VPN access without ever presenting valid credentials.

Palo Alto Networks originally assigned the vulnerability a CVSSv4 score of 4.7 (Medium severity) because exploitation requires a specific configuration: authentication override cookies must be enabled, and a particular certificate configuration must be present. On May 29, after confirming active exploitation, the company raised the severity to 7.8 (High).

Rapid7 pushed back on even the revised rating, urging organizations to treat the vulnerability as critical. An authentication bypass in an edge-facing enterprise VPN appliance can have significant impact regardless of the preconditions. When the exploit works, the attacker is inside the network perimeter.

The Exploitation Campaign

Rapid7 MDR's timeline tells the story of how quickly the exploitation developed.

On May 13, Palo Alto Networks published the security advisory. On May 17, just four days later, Rapid7 detected the first exploitation attempts. An MDR alert fired on a "Suspicious VPN Authentication" detection: a cookie-based authentication to the local admin account on a GlobalProtect gateway, originating from IP addresses at hosting provider Vultr. The attackers were authenticating as the admin account using forged cookies, and the gateway was accepting them.

On May 21, a second wave of exploitation hit. This wave originated from a different hosting provider, Dromatics Systems, but Rapid7 observed a consistent MAC address across both waves, suggesting the same threat actor using different infrastructure. In this second wave, the exploitation progressed further: attackers successfully established full VPN tunnel connections, with the gateway assigning them internal IP addresses and granting access to the internal network.

Rapid7's analysis of Palo Alto technical support files across impacted customers revealed a consistent pattern. Every compromised device had Cloud Authentication Service (CAS) disabled and authentication override cookies enabled. The attackers were specifically targeting this configuration.

The outcome varied across impacted customers. In 8 of the 10 impacted organizations, the appliance accepted the forged cookie but no full VPN session was established; in the remaining cases, the attackers achieved full VPN connectivity. Rapid7 reported no evidence of successful lateral movement from the compromised devices, but the VPN connection itself provides a foothold that subsequent attacks could exploit.

How the Forged Cookie Attack Works

Rapid7's technical analysis of the PAN-OS GlobalProtect service (gpsvc binary) reveals why the vulnerability exists. When a user authenticates to the GlobalProtect gateway, the gateway examines HTTP form values for portal-userauthcookie or portal-prelogonuserauthcookie. If either value is present, authentication proceeds via AuthWithCookie rather than credential validation.

The authentication override cookie is encrypted and contains the user name, domain name, host ID, client OS, remote address, and timestamp. The gateway decrypts the cookie and extracts these fields. The vulnerability exists because the decryption and validation process fails to properly verify cookie integrity when the certificate configuration meets specific conditions.

In practical terms: the attacker crafts a cookie that claims to authenticate a valid user (in the observed attacks, the local admin account), encrypts it in a way that the gateway will accept, and presents it via a standard authentication request. The gateway decrypts the cookie, extracts the user identity, and grants access without verifying that the cookie was actually issued by a legitimate authentication event.

Why This Matters

Authentication Bypass on Edge Devices Is the Highest-Impact Vulnerability Class

Enterprise VPN gateways sit at the network perimeter. They are specifically designed to be the barrier between the internet and internal corporate systems. When an authentication bypass exists in this barrier, the entire network segmentation model collapses.

GlobalProtect is one of the most widely deployed enterprise VPN solutions. Palo Alto Networks firewalls are deployed across government agencies, financial institutions, healthcare organizations, and enterprises of every size. A vulnerability that allows unauthenticated VPN access to any of these organizations is, by definition, critical, regardless of what CVSS score the vendor initially assigns.

This is the same category of vulnerability that has repeatedly driven the most impactful breaches in recent years. Fortinet FortiGate, Ivanti Connect Secure, Cisco ASA, and now Palo Alto GlobalProtect: edge device authentication bypasses have become the preferred entry vector for both nation-state and criminal threat actors because they provide authenticated network access without triggering the credential-based detections that most security programs rely on.

Cookie-Based Authentication Without Proper Validation Is an Identity Design Flaw

The root cause of CVE-2026-0257 is not a coding error. It is a design weakness in how authentication state is managed across trust boundaries.

Authentication override cookies in GlobalProtect function as bearer tokens. Whoever possesses a valid cookie has authenticated access. The security of the entire system depends on two properties: cookies must be cryptographically bound to the issuing authentication event, and the gateway must validate that binding before accepting the cookie.

When the certificate configuration creates a gap in this validation, the cryptographic binding breaks. The cookie becomes forgeable, and the bearer token model collapses.

When building the CIAM platform that scaled to serve over a billion users, we dealt with this exact class of problem in authentication token design. The lesson was consistent: authentication tokens must be self-validating. The relying party (in this case, the GlobalProtect gateway) must be able to independently verify that the token was issued by a trusted authority, has not been modified, has not expired, and was issued for the presenting party. If any of these verification steps can be bypassed through configuration variations, the token design is structurally weak.

The GlobalProtect authentication override cookie appears to fail on the "independently verify" step when certain certificate configurations are present. The gateway trusts the cookie's claims without adequate validation, exactly the pattern that produces authentication bypass vulnerabilities.
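The four verification steps described above (trusted issuer, unmodified, unexpired, issued for the presenting party), together with the "This Quarter" advice to keep cryptographic material single-purpose and to log token usage, as an added Python example. This is illustrative code written for this article, not the GlobalProtect cookie format and not Palo Alto Networks or Rapid7 code; the token layout, the HMAC-based per-purpose key derivation, and every function name (`derive_purpose_key`, `issue_token`, `validate_token`) are assumptions made for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed token format for illustration only; it is not the GlobalProtect
# authentication override cookie and not vendor code.


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def derive_purpose_key(master_key: bytes, purpose: str) -> bytes:
    """One key per purpose (assumed HMAC-based derivation): the key that protects
    cookies is never the TLS key or the key of any other service on the device."""
    return hmac.new(master_key, b"purpose:" + purpose.encode(), hashlib.sha256).digest()


def issue_token(mac_key, issuer, user, audience, host_id, now, ttl):
    """Mint a token bound to its issuer, its audience (the gateway), the
    presenting host and an issue/expiry time, then MAC the whole body."""
    claims = {"iss": issuer, "sub": user, "aud": audience, "hid": host_id,
              "iat": now, "exp": now + ttl, "jti": secrets.token_hex(8)}
    body = _b64e(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    tag = hmac.new(mac_key, body.encode("ascii"), hashlib.sha256).digest()
    return f"{body}.{_b64e(tag)}"


def validate_token(mac_key, token, trusted_issuer, expected_audience, presenting_host_id, now):
    """Return (accepted, detail). detail is the user on success, otherwise the
    name of the failed check, which is what the relying party should log."""
    try:
        body, tag_text = token.split(".", 1)
        tag = _b64d(tag_text)
    except ValueError:
        return False, "malformed"
    # 1. Integrity under the purpose key, in constant time, before any claim is
    #    read. A body that was modified, or minted under another key, stops here.
    expected = hmac.new(mac_key, body.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    try:
        claims = json.loads(_b64d(body))
    except ValueError:
        return False, "malformed"
    if not isinstance(claims, dict):
        return False, "malformed"
    # 2. Issued by a trusted authority, and for this relying party specifically.
    if claims.get("iss") != trusted_issuer:
        return False, "untrusted issuer"
    if claims.get("aud") != expected_audience:
        return False, "wrong audience"
    # 3. Inside its validity window (60 s tolerance for clock skew on iat).
    if not (claims.get("iat", 0) - 60 <= now < claims.get("exp", 0)):
        return False, "expired or not yet valid"
    # 4. Issued for the presenting party, not merely in its possession.
    if claims.get("hid") != presenting_host_id:
        return False, "not bound to presenter"
    return True, claims["sub"]
```

The order of the checks is the point: the MAC is verified before any field is parsed, so the gateway never acts on claims it has not yet authenticated, and the per-purpose key means that a configuration change to some other certificate or key on the device cannot silently alter what the cookie validator trusts.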

The CVSS Score Mismatch

Palo Alto's initial CVSSv4 score of 4.7 (Medium) for an authentication bypass in a perimeter VPN gateway drew justified criticism from the security community. The score reflected the specific preconditions required for exploitation: authentication override cookies must be enabled, and a specific certificate configuration must exist.

Rapid7 explicitly urged organizations to treat it as critical regardless of the score, noting that the configuration preconditions are common in real-world deployments. The May 29 score revision to 7.8 acknowledged the active exploitation but still understated the operational impact.

This mismatch between CVSS scores and real-world risk is a persistent problem in vulnerability management. CVSS scores assess technical severity in isolation. They do not account for the strategic value of the compromised system, the attacker interest in the vulnerability, or the difficulty of detecting exploitation. An authentication bypass in a VPN gateway that threat actors are actively targeting is a critical operational risk regardless of what the formula produces.

Organizations that use CVSS scores as the sole input to patching priority will consistently underweight edge device authentication bypasses. A better approach is to combine CVSS with asset criticality (is this a perimeter device?), threat intelligence (are attackers targeting this vulnerability?), and exposure assessment (is our configuration vulnerable?).

What Organizations Should Do

Immediate Actions

Patch immediately. Fixed releases are available across multiple PAN-OS branches: 12.1.7, 11.2.12, 11.1.15, 10.2.18-h6, and various branch-specific hotfixes. Prisma Access customers should verify their upgrade status with Palo Alto support. Do not wait for a scheduled maintenance window.

If patching is not immediately possible, mitigate. Disable the authentication override feature entirely. Alternatively, generate a new, unique certificate exclusively for authentication override cookies and do not share it with any other service on the device. This breaks the configuration precondition that makes exploitation possible.

Review GlobalProtect authentication logs. Search for cookie-based (Cookie auth method) authentication events, particularly for the local admin account or any account authenticating from unexpected IP ranges. Pay attention to VPN sessions originating from hosting providers like Vultr and Dromatics Systems, which were observed in the exploitation campaign. Look for sessions with unusual user-agent strings or MAC addresses that do not match known devices.

Check for established VPN tunnels. Look for POST requests to /ssl-vpn/hipreport.esp and /ssl-vpn/getconfig.esp from suspicious sources, which indicate successful VPN tunnel establishment following cookie authentication.
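The log review just described, as an added Python example that is not part of the article and not Rapid7's detection content. The sample lines are constructed in a simplified key=value layout, not the PAN-OS log schema, so the field names (`user`, `method`, `src`, `path`) must be mapped from your own export; the hosting-provider range is a placeholder documentation network standing in for the ranges your threat-intelligence source supplies. The two tunnel-setup paths are the ones named above.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines (assumed key=value layout, not the real PAN-OS schema).
SAMPLE_LOG = """\
2026-05-17T10:22:05Z auth user=jdoe method=Password src=198.51.100.20 result=success
2026-05-17T10:22:05Z auth user=admin method=Cookie src=203.0.113.45 result=success
2026-05-17T10:22:09Z http src=203.0.113.45 method=POST path=/ssl-vpn/hipreport.esp
2026-05-17T10:22:10Z http src=203.0.113.45 method=POST path=/ssl-vpn/getconfig.esp
2026-05-17T11:01:44Z auth user=asmith method=Cookie src=198.51.100.77 result=success
2026-05-17T11:01:50Z http src=198.51.100.77 method=POST path=/ssl-vpn/getconfig.esp
2026-05-17T12:15:00Z auth user=admin method=Password src=198.51.100.5 result=success
"""

# Placeholder: replace with the hosting-provider ranges from your threat intel feed.
HOSTING_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

# Paths the article associates with tunnel establishment after cookie authentication.
TUNNEL_PATHS = {"/ssl-vpn/hipreport.esp", "/ssl-vpn/getconfig.esp"}
LOCAL_ADMIN_ACCOUNTS = {"admin"}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>auth|http)\s+(?P<rest>.*)$")


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("rest").split() if "=" in kv)
    fields["ts"] = m.group("ts")
    fields["kind"] = m.group("kind")
    return fields


def from_hosting(ip_text):
    addr = ipaddress.ip_address(ip_text)
    return any(addr in net for net in HOSTING_RANGES)


def analyze(log_text):
    """Return findings in log order. Cookie-method authentications as the local
    admin account or from hosting space are 'high'; a tunnel-setup POST from a
    source already flagged is 'critical' because it means the session went live."""
    findings = []
    flagged_sources = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if ev["kind"] == "auth" and ev.get("method") == "Cookie" and ev.get("result") == "success":
            reasons = []
            if ev.get("user") in LOCAL_ADMIN_ACCOUNTS:
                reasons.append("cookie auth as local admin")
            if from_hosting(ev["src"]):
                reasons.append("cookie auth from hosting-provider range")
            if reasons:
                flagged_sources[ev["src"]].extend(reasons)
                findings.append({"ts": ev["ts"], "src": ev["src"], "user": ev.get("user"),
                                 "severity": "high", "reason": "; ".join(reasons)})
        elif ev["kind"] == "http" and ev.get("method") == "POST" and ev.get("path") in TUNNEL_PATHS:
            if ev["src"] in flagged_sources:
                findings.append({"ts": ev["ts"], "src": ev["src"], "user": None,
                                 "severity": "critical",
                                 "reason": f"tunnel setup via {ev['path']} after suspicious cookie auth"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["severity"].upper(), f["ts"], f["src"], f["reason"])
```

Correlating the tunnel-setup POST back to the earlier cookie authentication from the same source is what separates "a probe that was accepted" from "an attacker with an internal IP", which is the distinction Rapid7 drew between the two exploitation waves.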

This Month

Audit your GlobalProtect configuration. Verify whether authentication override cookies are enabled in your environment. If they are, confirm the certificate configuration: is the cookie encryption certificate the same as the HTTPS service certificate? If not, your deployment was in the vulnerable configuration.
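The audit question above, combined with the fixed releases listed under "Immediate Actions" and the patch-priority inputs (asset criticality, exposure) argued for in the CVSS discussion, as an added Python example written for this article rather than taken from the vendor or Rapid7. The inventory is constructed; the field names (`auth_override_enabled`, `cookie_cert`, `https_cert`, `internet_facing`) are assumptions about what your own inventory export provides. The precondition is encoded exactly as the article states it: override cookies enabled and a cookie certificate that differs from the HTTPS service certificate. Only the four fixed releases named on the page are tabulated; the branch-specific hotfixes the page mentions without listing are not, so "unpatched" here means "below the listed fix, confirm against the advisory".

```python
import re

# Fixed releases named in the article, keyed by PAN-OS branch.
FIXED_RELEASES = {"12.1": "12.1.7", "11.2": "11.2.12", "11.1": "11.1.15", "10.2": "10.2.18-h6"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'10.2.18-h6' -> (10, 2, 18, 6); a release with no hotfix suffix gets 0,
    so 10.2.19 sorts above 10.2.18-h6 and 10.2.18 sorts below it."""
    m = VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def patch_status(version):
    """'patched', 'unpatched', or 'unknown' when the branch is not tabulated."""
    parsed = parse_version(version)
    fixed = FIXED_RELEASES.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return "unknown"
    return "patched" if parsed >= parse_version(fixed) else "unpatched"


def assess_device(device):
    """Combine patch status, the article's configuration precondition and
    internet exposure into one priority, instead of reading the CVSS score alone."""
    status = patch_status(device["version"])
    vulnerable_config = bool(device["auth_override_enabled"]) and \
        device["cookie_cert"] != device["https_cert"]
    if status == "patched":
        priority = "P4-patched"
    elif vulnerable_config and device["internet_facing"]:
        priority = "P1-emergency"   # unpatched, exploitable config, reachable from the internet
    elif vulnerable_config:
        priority = "P2-urgent"
    elif status == "unknown":
        priority = "P3-verify"      # branch not tabulated; check the vendor advisory
    else:
        priority = "P3-scheduled"   # unpatched but precondition absent; still patch
    return {"name": device["name"], "patch_status": status,
            "vulnerable_config": vulnerable_config, "priority": priority}


def triage(inventory):
    """Assess every device and return the list ordered most urgent first."""
    order = {"P1-emergency": 0, "P2-urgent": 1, "P3-verify": 2, "P3-scheduled": 3, "P4-patched": 4}
    return sorted((assess_device(d) for d in inventory), key=lambda r: order[r["priority"]])


# Constructed inventory for demonstration.
SAMPLE_INVENTORY = [
    {"name": "gw-dmz-1", "version": "10.2.18-h4", "auth_override_enabled": True,
     "cookie_cert": "gp-cookie-cert", "https_cert": "gp-portal-cert", "internet_facing": True},
    {"name": "gw-dmz-2", "version": "10.2.18-h6", "auth_override_enabled": True,
     "cookie_cert": "gp-cookie-cert", "https_cert": "gp-portal-cert", "internet_facing": True},
    {"name": "gw-lab", "version": "11.1.14", "auth_override_enabled": False,
     "cookie_cert": "gp-portal-cert", "https_cert": "gp-portal-cert", "internet_facing": False},
    {"name": "gw-branch", "version": "11.2.11", "auth_override_enabled": True,
     "cookie_cert": "gp-cookie-cert", "https_cert": "gp-portal-cert", "internet_facing": False},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row["priority"], row["name"], row["patch_status"], "vulnerable_config=%s" % row["vulnerable_config"])
```

The hotfix-aware comparison matters in practice: a naive string comparison would rank 10.2.18-h4 and 10.2.18-h6 as the same release, which is exactly the gap between an exposed gateway and a fixed one on that branch.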

Implement network segmentation beyond VPN. Even with a valid VPN connection, an attacker should not have unrestricted access to internal systems. Zero trust principles require that access to internal resources be authenticated and authorized independently of the VPN connection. Segment your internal network so that VPN access alone is insufficient to reach critical systems.

Deploy behavioral detection for VPN access. Traditional rule-based detections miss forged cookie attacks because the authentication event looks legitimate in isolation. Behavioral analysis that detects VPN connections from unexpected geographies, at unusual times, from hosting providers rather than corporate or residential ISPs, or with mismatched device fingerprints can identify exploitation even when the authentication event itself appears valid.

This Quarter

Evaluate your edge device patching cadence. The four-day window between advisory and exploitation for CVE-2026-0257 is consistent with the trend toward rapid weaponization. If your patching cadence for perimeter devices is measured in weeks or months, you are operating outside the window that attackers require. Edge devices, VPN gateways, firewalls, and reverse proxies should be on an emergency patching track with a target of 24-72 hours for critical vulnerabilities.

Review your authentication token architecture across all edge devices. CVE-2026-0257 is a specific instance of a general pattern: authentication state stored in bearer tokens that can be forged when cryptographic binding fails. Audit every edge device in your environment for similar token-based authentication mechanisms. Ensure each one validates token integrity independently, does not share cryptographic material across multiple purposes, and logs token usage for anomaly detection.

Reconsider the role of VPN in your access architecture. Enterprise VPNs were designed for a network model where the perimeter was the security boundary. The repeated exploitation of VPN authentication bypasses across Fortinet, Ivanti, Cisco, and now Palo Alto demonstrates that perimeter-based access is a structural liability. Zero trust network access (ZTNA) solutions that authenticate each access request independently, rather than granting broad network access through a single VPN authentication event, reduce the blast radius of any single authentication bypass.

The Bottom Line

CVE-2026-0257 joins a growing list of enterprise VPN authentication bypass vulnerabilities that have been actively exploited against production networks. Fortinet FortiGate, Ivanti Connect Secure, Cisco ASA, and now Palo Alto GlobalProtect: the pattern is unmistakable. Edge device authentication is the most consequential attack surface in enterprise security, and the authentication mechanisms protecting these devices are consistently failing.

The attackers in this campaign did not need credentials. They did not need to phish an employee. They did not need to exploit a zero-day in a user's browser. They forged a cookie, and the VPN gateway let them in. The entire security model collapsed at the authentication layer.

For organizations running GlobalProtect: patch immediately, review your logs, and use this incident as the catalyst to evaluate whether perimeter VPN is still the right architecture for your access model. For every organization: the edge device authentication bypass is the vulnerability class that keeps producing breaches. The vendors know it. The attackers know it. Your patching and detection programs need to reflect that reality.

Key Takeaways

  • CVE-2026-0257 is an authentication bypass in Palo Alto GlobalProtect VPN that allows attackers to forge authentication override cookies and establish unauthorized VPN connections without credentials
  • Rapid7 MDR confirmed active exploitation across numerous customers starting May 17, 2026, just four days after the advisory was published
  • Attackers used forged cookies to authenticate as the local admin account, with some achieving full VPN tunnel establishment and internal network IP assignment
  • CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 29 with a June 1 remediation deadline
  • The vulnerability requires authentication override cookies to be enabled with a specific certificate configuration, but this configuration is common in production environments
  • Palo Alto initially rated the flaw as Medium severity (CVSSv4 4.7) before raising it to High (7.8) after confirmed exploitation, with Rapid7 urging organizations to treat it as critical
  • Two waves of exploitation were observed from hosting providers Vultr and Dromatics Systems, likely from the same threat actor using different infrastructure
  • In 8 out of 10 impacted Rapid7 MDR customers, the cookie was accepted but a full VPN session was not established; in the remaining cases, full VPN connectivity was achieved
  • The root cause is insufficient cookie validation when the encryption certificate differs from the HTTPS service certificate, creating a forgeable bearer token
  • Enterprise VPN authentication bypass remains the highest-impact vulnerability class, with Fortinet, Ivanti, Cisco, and now Palo Alto all experiencing active exploitation of similar flaws

FAQ

What is the Palo Alto GlobalProtect CVE-2026-0257 vulnerability?
CVE-2026-0257 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect VPN that allows unauthenticated attackers to establish unauthorized VPN connections by forging authentication override cookies. It affects devices configured with authentication override cookies enabled and a specific certificate configuration.

Is CVE-2026-0257 being actively exploited?
Yes. Rapid7 MDR confirmed active exploitation across numerous customers starting May 17, 2026, four days after the advisory was published. CISA added it to the Known Exploited Vulnerabilities catalog on May 29. Attackers used forged cookies to authenticate as the local admin account from hosting provider infrastructure.

How do attackers exploit the GlobalProtect VPN bypass?
Attackers forge authentication override cookies that the GlobalProtect gateway accepts without proper validation. When the certificate used to encrypt cookies differs from the HTTPS service certificate, the validation becomes insufficient. The attacker presents a forged cookie via a standard authentication request, and the gateway grants VPN access without verifying the cookie was issued during a legitimate authentication event.

How do I mitigate CVE-2026-0257 if I can't patch immediately?
Disable the authentication override feature entirely, or generate a new certificate exclusively for authentication override cookies that is not shared with any other service on the device. This breaks the configuration precondition required for exploitation. Review GlobalProtect logs for cookie-based authentication from unexpected sources.

What PAN-OS versions fix CVE-2026-0257?
Fixed releases include PAN-OS 12.1.7, 11.2.12, 11.1.15, 10.2.18-h6, and various branch-specific hotfixes. Prisma Access customers should verify their upgrade status with Palo Alto support. Organizations should patch immediately rather than waiting for scheduled maintenance windows.
