CVE-2026-0257: Palo Alto PAN-OS GlobalProtect Authentication Bypass — How to Find Exposed Firewalls on Your Network
An authentication bypass in Palo Alto Networks PAN-OS GlobalProtect lets unauthenticated attackers establish VPN connections without valid credentials. Actively exploited since May 17, added to the CISA KEV catalog on May 29 with a June 1 remediation deadline. Here's how to identify exposed GlobalProtect instances on your network.
The Vulnerability
CVE-2026-0257 (CWE-565) is an authentication bypass in the GlobalProtect portal and gateway components of PAN-OS. The vulnerability stems from a cookie integrity and validation weakness in the authentication override cookie mechanism. When GlobalProtect is configured with authentication override cookies and a specific certificate configuration, an attacker can bypass authentication entirely — establishing a VPN session without valid credentials and without triggering MFA prompts.
- CVSS: 9.1 Critical (NVD v3.1) · 7.8 High (Palo Alto v4.0) — Palo Alto Advisory
- CWE: CWE-565 (Reliance on Cookies without Validation and Integrity Checking)
- AFFECTED: PAN-OS 12.1 (< 12.1.4-h6), 11.2 (< 11.2.4-h17), 11.1 (< 11.1.4-h33), 10.2 (< 10.2.7-h34) + Prisma Access — see advisory for full version matrix
- EXPLOITED: May 17, 2026 — confirmed by Rapid7 MDR across numerous customers
- CISA KEV: Added May 29, 2026 · Remediation deadline: June 1, 2026
- STATUS: Palo Alto Networks advisory marked ATTACKED
The attack is pre-authentication, requires no user interaction, and targets the authentication override cookie mechanism in GlobalProtect. When authentication override cookies are enabled with a shared or non-dedicated certificate, an attacker can forge cookies that the gateway accepts as valid — granting full VPN access to the internal network.
Palo Alto Networks has confirmed limited exploitation attempts. Rapid7 MDR reported observing two exploitation waves (May 17 and May 21) across customer environments, both appearing to originate from the same threat actor based on consistent MAC addresses. No lateral movement was observed in their telemetry, but unauthorized VPN access to an internal network is a severe breach regardless.
Related: CVE-2026-0265
Published the same day, CVE-2026-0265 is a separate JWT signature bypass in PAN-OS Cloud Authentication Service (CVSS 7.2). It allows forging JWTs to authenticate as any trusted user — affecting both GlobalProtect VPN sessions and management interface admin access. Note: BishopFox's detection tool targets CVE-2026-0265 specifically, not CVE-2026-0257.
Exposure Preconditions
Not every exposed GlobalProtect instance is vulnerable. This CVE requires two conditions: (1) authentication override cookies must be enabled, and (2) the cookie certificate must be shared or non-dedicated. Default PAN-OS configurations do not enable authentication override cookies. However, it is a common enterprise configuration — particularly for SSO and certificate-based authentication deployments. If you find GlobalProtect instances, you need to verify the cookie configuration before determining actual risk.
Investigation Workflow
GlobalProtect is one of the most widely deployed enterprise VPN solutions. If your organization runs Palo Alto firewalls, you likely have GlobalProtect portals or gateways exposed. Here's how to find and assess them using RECON.
1. Port Scan: Find GlobalProtect Portals and Gateways
GlobalProtect portals and gateways typically listen on port 443 (HTTPS). Some deployments use alternate ports like 4443 or 10443. The management interface (a separate concern for CVE-2026-0265) uses port 4443 by default. Scan your perimeter subnets for these ports.
2. TLS Inspect: Identify Palo Alto Certificates
Pull TLS certificates on open HTTPS ports. Palo Alto firewalls often present certificates with identifiable patterns:
- Subject or SAN containing GlobalProtect, gp.yourcompany.com, or vpn.yourcompany.com
- Organization field showing your company name with a Palo Alto-generated certificate
- Self-signed certificates on management interfaces — common in default deployments
Pay special attention to the authentication override cookie certificate configuration — this CVE specifically requires authentication override cookies to be enabled with a shared certificate. If you find a GlobalProtect instance, check whether it uses a dedicated certificate for this purpose.
3. HTTP Headers: Fingerprint GlobalProtect
GlobalProtect portals return distinctive response patterns. Look for:
- Redirect to /global-protect/login.esp — the GlobalProtect portal login page
- HTML title containing GlobalProtect Portal
- Response headers with PanOS or Palo Alto-specific markers
- The presence of the /global-protect/getconfig.esp endpoint
4. DNS: Discover All GlobalProtect Endpoints
Query internal and external DNS for common GlobalProtect naming patterns: gp.*, vpn.*, globalprotect.*, remote.*, fw-*. Reverse DNS on your perimeter IP ranges can surface instances outside your asset inventory — especially branch office or regional firewalls that may have been deployed with GlobalProtect enabled but forgotten.
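The checks from steps 2 to 4 above, collected into one offline fingerprint function. This is an added example, not RECON's code or anything from the page: it takes data you have already captured (hostname, certificate subject/SANs, an HTTP status, headers and body) and reports which checklist indicators matched, so inventory results can be triaged consistently. The indicator names and the weak/strong weighting are assumptions.

```python
import re
from typing import Dict, List, Optional

# Indicator patterns taken from steps 2-4 above; matching is case-insensitive.
HOSTNAME_RE = re.compile(r"^(gp|vpn|globalprotect|remote)\.|^fw-")
CERT_NAME_RE = re.compile(r"globalprotect|(?:^|[=,\s])(?:gp|vpn)\.")
PORTAL_PATHS = ("/global-protect/login.esp", "/global-protect/getconfig.esp")
VENDOR_MARKERS = ("palo alto", "panos")


def fingerprint_globalprotect(
    host: str,
    cert_subject: str = "",
    cert_sans: Optional[List[str]] = None,
    http_status: int = 0,
    http_headers: Optional[Dict[str, str]] = None,
    http_body: str = "",
) -> List[str]:
    """Return the checklist indicators matched by one host's observed data.

    An empty list means nothing matched. A hostname hit alone is weak
    evidence; a portal redirect, title or endpoint is strong evidence.
    """
    hits: List[str] = []
    hdrs = {k.lower(): v for k, v in (http_headers or {}).items()}
    location = hdrs.get("location", "").lower()
    body = http_body.lower()

    # Step 4: DNS naming convention of the host itself
    if HOSTNAME_RE.search(host.lower()):
        hits.append("hostname-pattern")
    # Step 2: certificate subject / SAN markers
    names = [cert_subject.lower()] + [s.lower() for s in (cert_sans or [])]
    if any(CERT_NAME_RE.search(n) for n in names):
        hits.append("cert-name")
    # Step 3: redirect to the portal login page
    if http_status in (301, 302, 303, 307, 308) and "/global-protect/" in location:
        hits.append("portal-redirect")
    # Step 3: HTML title of the portal
    if re.search(r"<title>[^<]*globalprotect portal", body):
        hits.append("portal-title")
    # Step 3: well-known portal endpoints referenced in body or redirect
    if any(p in body or p in location for p in PORTAL_PATHS):
        hits.append("portal-endpoint")
    # Step 3: vendor markers in any response header value
    if any(m in v.lower() for v in hdrs.values() for m in VENDOR_MARKERS):
        hits.append("vendor-header")
    return hits
```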
Cross-Reference with External Data
- SHODAN: Search http.title:"GlobalProtect Portal" or ssl:"GlobalProtect"
- CENSYS: Query for TLS certificates with subject containing "GlobalProtect"
- CISA KEV: Verify CVE-2026-0257 entry and remediation deadline
Detection: Signs of Compromise
Check for these indicators in your PAN-OS logs. Note: cookie-based authentication is legitimate in properly configured environments — correlation with other anomalies matters more than any single indicator.
- VPN sessions without authentication events — the key indicator. A GlobalProtect session exists but no preceding authentication log entry
- Unfamiliar source IPs or geolocations connecting to GlobalProtect gateways
- Anomalous user-agent strings or client identifiers in GlobalProtect portal logs
- Short-lived or repeated connections that bypass MFA prompts
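A worked version of the key indicator above: correlate gateway session events with the authentication events that should precede them. This is an added example, not code from the page or from Palo Alto Networks; the CSV columns, the event names (portal-auth, gateway-auth, gateway-connected), the sample records and the 10-minute window are all constructed assumptions loosely modelled on GlobalProtect log fields, so map them to your own log export before use. Because cookie-based authentication is legitimate, cookie-only sessions are flagged only when the source address never authenticated with real credentials earlier in the log.

```python
import csv
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample export (not a real PAN-OS capture). Column and event
# names are assumptions loosely modelled on GlobalProtect log fields.
SAMPLE_LOG = """time,event,user,src,auth_method
2026-05-17T08:00:05,portal-auth,alice,203.0.113.10,SAML
2026-05-17T08:00:09,gateway-connected,alice,203.0.113.10,
2026-05-17T08:30:00,gateway-connected,bob,198.51.100.7,
2026-05-17T09:15:00,gateway-auth,carol,192.0.2.44,cookie
2026-05-17T09:15:02,gateway-connected,carol,192.0.2.44,
2026-05-17T10:00:00,portal-auth,dave,203.0.113.99,LDAP
2026-05-17T10:00:03,gateway-auth,dave,203.0.113.99,cookie
2026-05-17T10:00:04,gateway-connected,dave,203.0.113.99,
"""
AUTH_EVENTS = {"portal-auth", "gateway-auth"}


def parse_log(text: str) -> List[Dict]:
    """Parse the CSV export and return records sorted by timestamp."""
    rows = list(csv.DictReader(text.splitlines()))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["time"])
    return sorted(rows, key=lambda r: r["ts"])


def find_suspicious_sessions(records: List[Dict],
                             window: timedelta = timedelta(minutes=10)) -> List[Dict]:
    """Flag gateway sessions lacking a credential-backed authentication.

    'no-auth-event': no auth event for that user within `window` before the
    session (the key indicator above). 'cookie-only': only cookie refreshes
    in the window, from a source never seen authenticating with credentials.
    """
    flagged, cred_sources = [], set()
    for i, rec in enumerate(records):
        if rec["event"] in AUTH_EVENTS and rec["auth_method"] != "cookie":
            cred_sources.add(rec["src"])  # real credentials seen from src
        if rec["event"] != "gateway-connected":
            continue
        prior = [r for r in records[:i]
                 if r["user"] == rec["user"] and r["event"] in AUTH_EVENTS
                 and rec["ts"] - r["ts"] <= window]
        if not prior:
            flagged.append({**rec, "reason": "no-auth-event"})
        elif all(r["auth_method"] == "cookie" for r in prior) \
                and rec["src"] not in cred_sources:
            flagged.append({**rec, "reason": "cookie-only"})
    return flagged
```

In the sample, bob connects with no authentication at all and carol is admitted by cookie from an address that never presented credentials, while dave's cookie refresh after an LDAP login is correctly left alone.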
Remediation
CISA added this to the Known Exploited Vulnerabilities catalog on May 29, 2026 with a remediation deadline of June 1. Federal agencies are bound by this timeline; all organizations should treat active exploitation as grounds for emergency patching.
- Patch immediately. Upgrade to the fixed PAN-OS version for your branch: 12.1.4-h6+, 11.2.4-h17+, 11.1.4-h33+, or 10.2.7-h34+. After patching, all users must re-authenticate once as cookies are regenerated.
- If patching isn't immediate: Generate a dedicated certificate exclusively for authentication override cookies. Do not reuse certificates — the shared certificate configuration is what enables the attack.
- Alternative mitigation: Disable authentication override cookies entirely in GlobalProtect configuration (Network > GlobalProtect > Portals/Gateways > Authentication).
- Audit for compromise. Review GlobalProtect authentication logs for VPN sessions without corresponding authentication events. Check for connections from unexpected IPs or geolocations.
- Also patch CVE-2026-0265. The related JWT bypass was published the same day and affects the same PAN-OS versions. Fixed in the same update branches.
- Prisma Access customers: Upgrade to 11.2.7-h13 or 10.2.10-h36. Cloud NGFW and Panorama are not affected.
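To check a running build against the fixed releases listed above without getting the hotfix suffix wrong, here is an added example (not from the page, the vendor or RECON) that parses PAN-OS version strings such as 11.2.4-h17 and compares them tuple-wise per branch. The fixed versions are those the remediation steps give; any branch not listed is reported as unknown rather than assumed safe, and a version check alone says nothing about the cookie preconditions described earlier.

```python
import re
from typing import Tuple

# Fixed releases per branch, exactly as listed in the remediation steps above.
# Branches absent from these tables are reported as unknown, never as fixed.
FIXED_PANOS = {
    (12, 1): "12.1.4-h6",
    (11, 2): "11.2.4-h17",
    (11, 1): "11.1.4-h33",
    (10, 2): "10.2.7-h34",
}
FIXED_PRISMA = {(11, 2): "11.2.7-h13", (10, 2): "10.2.10-h36"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Turn '11.2.4-h17' into (11, 2, 4, 17); a missing hotfix counts as 0."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {v!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def vulnerable_status(version: str, prisma_access: bool = False) -> str:
    """Classify a running version as 'vulnerable', 'fixed' or 'unknown-branch'.

    Tuple comparison means 11.2.4-h17 itself is fixed while 11.2.4-h9 (same
    maintenance release, older hotfix) and 11.2.3 are vulnerable. This checks
    the version only; the cookie preconditions decide actual exploitability.
    """
    running = parse_version(version)
    table = FIXED_PRISMA if prisma_access else FIXED_PANOS
    fixed = table.get(running[:2])
    if fixed is None:
        return "unknown-branch"
    return "fixed" if running >= parse_version(fixed) else "vulnerable"
```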
Every tool used in this investigation — port scan, TLS inspect, HTTP headers, DNS, CVE lookup — runs from your phone in RECON. Get it on the App Store.
Follow @reconnetops for new CVE investigations.
Sources
- Palo Alto Networks Advisory: CVE-2026-0257
- NVD: CVE-2026-0257
- Rapid7 MDR: Observed Exploitation of CVE-2026-0257
- Palo Alto Networks Advisory: CVE-2026-0265 (Related JWT Bypass)
- BishopFox: CVE-2026-0265 Detection Tool
- CISA KEV Catalog