Critical Vulnerability in Palo Alto Networks Systems: Urgent Action Required
A serious authentication-bypass vulnerability has emerged, significantly impacting Palo Alto Networks’ PAN-OS and Prisma Access systems. Malicious actors are actively exploiting this flaw, which poses a substantial risk to affected organizations.
In light of these escalating attacks, the Cybersecurity and Infrastructure Security Agency (CISA) took swift action by adding the vulnerability, identified as CVE-2026-0257, to its Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026. This inclusion alerts organizations to the seriousness of the threat, underscoring the need for immediate attention to security measures.
Despite the vulnerability receiving a medium score on the Common Vulnerability Scoring System version 4 (CVSSv4), security experts at Rapid7 are advising companies to regard it as a top-priority issue that necessitates urgent remediation. This guidance reflects the critical nature of the flaw and the potential consequences for organizations that fail to address it promptly.
Palo Alto Networks had initially disclosed CVE-2026-0257 on May 13, 2026. The vulnerability itself allows malicious actors to forge authentication override cookies remotely, enabling unauthorized Virtual Private Network (VPN) connections through the GlobalProtect gateway. This introduces significant risk to any organization utilizing these systems.
The underlying issue lies in a non-standard “authentication override” feature, which issues session cookies to authenticated users. This feature is designed to streamline user experience by eliminating the requirement for repeated logins. However, its exposure creates a pathway for attackers when the certificate used for encrypting these cookies is improperly shared with another service, such as the portal’s HTTPS service.
The decryption routine in the system’s binary at /usr/local/bin/gpsvc performs no signature verification on these cookies. Consequently, an attacker who extracts the public key from the exposed HTTPS certificate can create a forged cookie and bypass all authentication measures.
Rapid7’s researchers observed the first confirmed exploitation of this flaw on May 17, 2026. During this initial attack wave, cybercriminals launched suspicious cookie-based authentication requests targeted at local admin accounts across various customer environments. Investigating these incidents has revealed that the malicious traffic originated from specific IP addresses hosted on Vultr, where attackers masqueraded as legitimate endpoints by utilizing the machine name "GP-CLIENT" alongside a spoofed MAC address.
A second wave of attacks rolled out shortly after, commencing on May 21, 2026. This attack originated from another hosting provider, Dromatics Systems. During this phase, threat actors employed the machine name "DESKTOP-GP01," successfully securing full VPN IP assignments in various compromised environments. Such access grants them direct, and often unrestricted, entry into internal networks, elevating the stakes for affected organizations.
Notably, the sustained use of the same spoofed MAC address across both attack waves strongly suggests that a single threat actor is orchestrating these efforts. Additionally, it is crucial to note that eight out of ten impacted Rapid7 Managed Detection and Response (MDR) customers reported only authentication probes, indicating that full VPN session establishments were not universally achieved.
Indicators of Compromise
Organizations are encouraged to be vigilant and look for specific indicators of compromise as part of their security assessments. These indicators include:
- 104.207.144[.]154: Threat actor source IP from the first wave (Vultr)
- 146.19.216[.]119 / .120 / .125: Threat actor source IPs from the second wave (Dromatics)
- aa:bb:cc:dd:ee:ff: Spoofed MAC address observed in both waves
- GP-CLIENT: Machine name utilized in Linux authentication on May 17
- DESKTOP-GP01: Machine name used in Windows authentication on May 21
Administrators are urged to immediately update affected PAN-OS and Prisma Access instances to secure versions to avert potential network compromises. Key versions that require updating include 12.1.4-h6, 12.1.7, 11.2.12, 11.1.15, and 10.2.18-h6 for PAN-OS environments. Organizations utilizing Prisma Access version 11.2.0 should upgrade to 11.2.7-h13 or later, while those on version 10.2.0 need to upgrade to 10.2.10-h36 or future releases.
Mitigation Strategies
To safeguard their environments, administrators are advised to first disable the authentication override feature entirely, especially if it is not critical for operations. If maintaining this feature is necessary, security teams must generate a dedicated certificate specifically for encrypting authentication override cookies and ensure that this certificate is never shared with the HTTPS service or any other network component.
Furthermore, organizations should actively seek out the previously mentioned indicators in all VPN and GlobalProtect authentication logs. As a supplemental defensive measure, security operations centers should adopt relevant detection rules that enable monitoring for suspicious GlobalProtect cookie authentication attempts targeting local administrator accounts.
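The following is an added example (not code from Rapid7 or Palo Alto Networks) showing how the indicators above and the cookie-authentication rule can be hunted for together: it runs over constructed GlobalProtect authentication events in an assumed key=value export format, flags the listed source IPs, MAC address and machine names, and flags any cookie-based authentication against a local administrator account. The log layout and the `LOCAL_ADMIN_ACCOUNTS` names are assumptions to adapt to your own log export; the indicator values are the ones the article lists.

```python
import re

def refang(ip: str) -> str:
    """Turn a defanged indicator such as 104.207.144[.]154 into a dotted quad."""
    return ip.replace("[.]", ".")

# Indicators from the article (IPs kept defanged here, normalised at load time).
IOC_IPS = {refang(ip) for ip in ("104.207.144[.]154", "146.19.216[.]119",
                                  "146.19.216[.]120", "146.19.216[.]125")}
IOC_MAC = "aa:bb:cc:dd:ee:ff"
IOC_MACHINES = {"GP-CLIENT", "DESKTOP-GP01"}
# Assumption: local administrator account names in your environment.
LOCAL_ADMIN_ACCOUNTS = {"admin", "administrator"}

# Constructed sample events in an assumed key=value layout (not PAN-OS's native log format).
SAMPLE_LOG = """\
ts=2026-05-17T03:12:44Z user=admin auth=cookie src=104.207.144.154 machine=GP-CLIENT mac=aa:bb:cc:dd:ee:ff result=failure
ts=2026-05-17T03:12:45Z user=admin auth=cookie src=104.207.144.154 machine=GP-CLIENT mac=aa:bb:cc:dd:ee:ff result=success
ts=2026-05-18T09:00:01Z user=jdoe auth=ldap src=203.0.113.9 machine=LAPTOP-JD mac=00:11:22:33:44:55 result=success
ts=2026-05-21T11:40:10Z user=administrator auth=cookie src=146.19.216.120 machine=DESKTOP-GP01 mac=aa:bb:cc:dd:ee:ff result=success vpn_ip=10.50.0.23
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse_event(line: str) -> dict:
    """Split one key=value log line into a dict (empty dict for blank lines)."""
    return dict(KV.findall(line))

def classify(ev: dict) -> list:
    """Return the reasons an event is suspicious; empty list means benign."""
    reasons = []
    if ev.get("src") in IOC_IPS:
        reasons.append("ioc-src-ip")
    if ev.get("mac", "").lower() == IOC_MAC:
        reasons.append("ioc-mac")
    if ev.get("machine") in IOC_MACHINES:
        reasons.append("ioc-machine-name")
    # Detection rule from the article: cookie authentication against a local admin account.
    if ev.get("auth") == "cookie" and ev.get("user", "").lower() in LOCAL_ADMIN_ACCOUNTS:
        reasons.append("cookie-auth-local-admin")
    # A successful event that also got a VPN IP is a full session, not just a probe.
    if reasons and ev.get("result") == "success" and "vpn_ip" in ev:
        reasons.append("vpn-session-established")
    return reasons

def hunt(log_text: str) -> list:
    """Run classify() over every line and collect the events that matched."""
    hits = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        reasons = classify(ev) if ev else []
        if reasons:
            hits.append({"ts": ev.get("ts"), "user": ev.get("user"),
                         "src": ev.get("src"), "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG):
        print(hit)
```

Events tagged `vpn-session-established` are the ones to treat as full compromises of the VPN boundary rather than mere probes.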
In conclusion, the authentication-bypass vulnerability affecting Palo Alto Networks’ systems serves as a wake-up call for organizations to reassess their cybersecurity posture. With attackers increasingly targeting such flaws, immediate proactive measures are essential to safeguard sensitive data and maintain network integrity.
