
On May 13, 2026, Palo Alto Networks disclosed CVE-2026-0257, an authentication bypass vulnerability affecting PAN-OS GlobalProtect Portal and Gateway components. Just four days after disclosure, active exploitation attempts were already being observed in the wild. Following the public release of a proof-of-concept (PoC) exploit on May 29, attacks rapidly escalated. On the same day, the vulnerability was added to the Known Exploited Vulnerabilities (KEV) catalog by Cybersecurity and Infrastructure Security Agency, which directed federal agencies to implement mitigations by June 1.
Although assigned a CVSS v3.1 score of 7.8 (High), CVE-2026-0257 represents a case where the numerical severity rating significantly understates the real-world risk. An unauthenticated remote attacker can leverage the public key exposed through a GlobalProtect Portal TLS certificate to forge authentication override cookies, completely bypassing all authentication controls, including multi-factor authentication (MFA), and establish direct VPN access into a corporate network. In environments where GlobalProtect portals are internet-accessible and specific certificate configurations are present, exploitation can be performed without any valid credentials.
In this article, we examine the technical root cause of CVE-2026-0257, analyze the two major waves of observed exploitation activity, and explore the attack surface created by externally exposed GlobalProtect assets.
CVE-2026-0257 Vulnerability Overview

| Category | Description |
|---|---|
| Vulnerability ID | CVE-2026-0257 |
| Affected Product | PAN-OS GlobalProtect Portal 및 Gateway |
| Vulnerability Type | Authentication Bypass |
| CWE | CWE-565: Improper Cookie Validation and Integrity Check |
| CVSS Score | 7.8 (High) / NVD: 9.1 Critical |
| Attack Conditions | Remote attack possible, No authentication required |
| Impact | Security controls bypassed, Unauthorized VPN connection possible |
| Exploitation Status | Limited real-world exploitation observed |
CVE-2026-0257 is an authentication bypass vulnerability affecting GlobalProtect Portal and Gateway deployments. Under vulnerable configuration conditions, attackers can circumvent security controls and establish VPN connections without successfully completing the authentication process.
The issue is particularly associated with the Authentication Override Cookie feature used by GlobalProtect. This mechanism is designed to reduce repeated authentication prompts after a user has already completed a successful login. However, when cookie validation and integrity verification are insufficient, or when authentication cookie certificates are improperly configured, attackers can abuse the feature to bypass the normal authentication workflow.
VPN infrastructure serves as a critical gateway into internal corporate networks. As a result, successful authentication bypass can provide attackers with direct access to internal resources while appearing as legitimate remote users. This elevates the impact far beyond that of a typical web application vulnerability.
Technical Root Cause: Improper Validation of Authentication Override Cookies
Understanding CVE-2026-0257 requires examining how the Authentication Override Cookie feature is intended to function and where the design flaw emerges.
Intended Purpose of Authentication Override Cookies
GlobalProtect issues an encrypted cookie after a user successfully authenticates. During subsequent connections, the user can present this cookie to avoid repeating MFA challenges or other complex authentication procedures. This feature is commonly used to improve the user experience in large-scale remote access environments.
Vulnerability: Reuse of the Same Certificate Enables Public Key Abuse
The vulnerability arises when the certificate used to encrypt and decrypt authentication override cookies is the same certificate used by the GlobalProtect Portal or Gateway for HTTPS services. Because HTTPS service certificates expose their public keys during the TLS handshake process, any remote user can obtain them. An attacker can simply connect to a GlobalProtect Portal, collect the certificate chain, and extract the corresponding public keys. These public keys can then be used to generate forged authentication override cookies.
The critical design flaw lies in the server-side validation process. When processing authentication override cookies, the server fails to perform adequate integrity signature verification. If a cookie can be successfully decrypted using the expected key, its contents are trusted without verifying whether the cookie was legitimately generated. As a result, attackers can craft arbitrary authentication override cookies containing usernames of their choosing, including administrative accounts. The server interprets these forged cookies as valid authenticated sessions and permits VPN access accordingly.
Notably, this attack does not require:
- Credential theft
- MFA bypass techniques
- Remote code execution
- Prior access to the target environment
Once public PoC code became available, exploitation workflows became highly automatable. Consequently, vulnerable GlobalProtect Portals quickly became attractive targets for large-scale internet-wide scanning and exploitation campaigns.
Attack Waves: From Limited Reconnaissance to Mass Exploitation

Observed exploitation activity unfolded in two distinct phases.
Wave 1 (May 17–21, 2026): Targeted and Stealthy Attacks Before Public PoC Release
The first exploitation attempts were observed on May 17, just four days after the vulnerability disclosure on May 13. Because no public proof-of-concept (PoC) was available at the time, these attacks are believed to have been conducted by threat actors who had independently analyzed and understood the underlying vulnerability. A second, limited wave of activity was observed on May 21 using the same MAC address as the earlier attacks, suggesting involvement from the same threat actor. During this phase, researchers confirmed cases where VPN IP addresses were successfully assigned following cookie-based authentication, indicating that attackers achieved access to internal networks.
Wave 2 (Beginning May 30, 2026): Large-Scale Automated Exploitation Following PoC Publication
After public PoC code was released on May 29, exploitation activity surged dramatically beginning the following day. Most attacks during this phase originated from VPS-hosted infrastructure and appeared to be highly automated reconnaissance operations. In several intrusion attempts, attackers established IPSec tunnels and immediately launched internal SMB and NTLM reconnaissance using the Impacket toolkit. This behavior suggests a post-compromise workflow focused on rapidly expanding access within victim environments after obtaining initial footholds. The observed tactics are consistent with those commonly associated with ransomware-affiliated threat actors.
One notable finding is that approximately 80% of affected environments showed successful acceptance of forged authentication cookies without subsequently establishing a fully operational VPN session, including VPN IP assignment. This indicates that while attackers frequently succeeded in validating forged cookies, only a subset ultimately gained full access to internal networks. Organizations should therefore treat cookie authentication acceptance events as indicators of compromise, even if no VPN IP assignment or complete VPN session appears in the logs. The presence of a successful cookie authentication event alone may indicate an attempted exploitation of CVE-2026-0257 and warrants immediate investigation.
Internet-Exposed GlobalProtect Portal Assets Observable Through Criminal IP
Assessing the real-world risk of CVE-2026-0257 requires more than simply determining whether a vulnerable configuration exists. Organizations must also identify whether their GlobalProtect Portal or Gateway is externally accessible and discoverable from the public internet. Using Criminal IP Asset Search, exposed GlobalProtect Portal assets can be identified through HTML title-based search conditions, enabling security teams to evaluate the extent of their external attack surface and identify systems that may be targeted by opportunistic or automated exploitation campaigns.

Criminal IP Search Query: title: GlobalProtect Portal
This query can be used to identify assets whose HTML title contains the string “GlobalProtect Portal.” The presence of this title indicates that an internet-accessible web interface can be recognized as a GlobalProtect Portal. Using Criminal IP Asset Search, approximately 160,000 assets matching this condition were identified. Because GlobalProtect Portal serves as the primary entry point for VPN users accessing internal networks, any portal that is discoverable from the public internet may become a target for automated scanning, reconnaissance, and vulnerability validation activities conducted by attackers.
This is particularly significant in the context of CVE-2026-0257, which allows attackers to bypass authentication controls and establish VPN connections without valid credentials under vulnerable conditions. As a result, the mere fact that a GlobalProtect Portal is externally exposed becomes an important risk indicator. Organizations should therefore move beyond simply verifying their PAN-OS version and first determine which GlobalProtect Portal instances are actually discoverable from the internet and potentially exposed to opportunistic attacks.
Analysis of an Individually Exposed GlobalProtect Portal Asset

A detailed examination of one externally exposed GlobalProtect Portal asset identified through the above query revealed several additional security concerns. According to Criminal IP analysis, the asset was classified as having a relatively high risk profile. The system was geolocated in the United States and was found to have nine open ports and two associated vulnerabilities.
The following TCP ports were exposed:
- TCP 4646
- TCP 12292
- TCP 12293
- TCP 12294
- TCP 12295
- TCP 12296
- TCP 12297
- TCP 12298
- TCP 12299
Several of these exposed services were flagged with vulnerability indicators, suggesting that the asset’s attack surface extends beyond the VPN portal itself. Rather than representing a standalone GlobalProtect deployment, the system may also expose additional services that could provide alternative attack paths.
Cases such as this demonstrate why responding to CVE-2026-0257 requires more than simply determining whether a GlobalProtect Portal is externally accessible.
Security teams should evaluate multiple factors simultaneously, including:
- Internet exposure status
- Open ports
- Associated vulnerabilities
- SSL/TLS certificate configuration
- Additional exposed services
Combining these indicators provides a more accurate assessment of real-world exploitation risk and helps prioritize remediation efforts more effectively.
Because GlobalProtect Portal functions as a perimeter VPN asset that controls access to internal networks, any portal that is publicly discoverable should be reviewed immediately. Regardless of whether CVE-2026-0257 has been actively exploited, organizations should assess configuration settings, reduce unnecessary exposure, and implement appropriate access restrictions wherever possible.
Externally Exposed GlobalProtect Portal Assets in the United States
GlobalProtect Portal is widely deployed as part of remote access infrastructure across organizations worldwide. Examining exposure by country can help identify regions and operational environments where security assessments should be prioritized. Criminal IP Asset Search provides country-based filtering capabilities that allow security teams to identify and analyze GlobalProtect Portal assets exposed within specific countries. This visibility helps organizations better understand regional exposure trends and evaluate the scale of potentially accessible VPN infrastructure.

Criminal IP Search Query: title: GlobalProtect Portal country: “US”
This query identified approximately 22,860 assets and is used to discover externally exposed GlobalProtect Portal instances that are geolocated in the United States. The United States hosts a significant concentration of cloud infrastructure, data centers, and remote access environments, making it one of the regions where VPN perimeter assets such as GlobalProtect Portal are most frequently observed.
Country-level exposure analysis provides more than simple statistical insight. Threat actors often narrow their target selection based on geographic location, industry sector, cloud providers, hosting ranges, or specific infrastructure characteristics. Security teams should adopt a similar perspective when prioritizing externally exposed assets for assessment and remediation.
For vulnerabilities such as CVE-2026-0257, where active exploitation has already been observed, organizations should evaluate exposed assets alongside factors such as:
- Patch status
- SSL/TLS certificate configuration
- Inbound threat scores
- Exposure level
- Associated vulnerabilities
Combining these indicators helps identify assets that require immediate attention and remediation.
Patch Status and Mitigation Recommendations
Responding to CVE-2026-0257 requires more than simply determining whether a vulnerable version is deployed. In environments where GlobalProtect Portal and Gateway components operate together, organizations should ensure that both components are upgraded consistently. Deployments utilizing Authentication Override Cookies must also consider authentication cookie compatibility during the update process.
According to vendor guidance, affected PAN-OS releases include portions of the following branches:
- PAN-OS 10.2
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 12.1
Organizations should upgrade to the corresponding fixed versions recommended for their deployment branch. Particular attention should be paid to environments using Authentication Override Cookies, as all GlobalProtect Portal and Gateway instances should be updated together to the recommended fixed versions.
Recommended Immediate Actions
- Verify whether GlobalProtect Portal and Gateway services are externally exposed
- Confirm deployed PAN-OS versions and identify available fixed versions
- Determine whether Authentication Override Cookies are enabled
- Verify whether a dedicated certificate is being used for authentication cookies
- Separate Portal/Gateway HTTPS certificates from certificates used for authentication cookies
- Disable Authentication Override functionality if it is not operationally required
- Upgrade all GlobalProtect Portal and Gateway instances to the recommended fixed versions
- Inform users that re-authentication may be required following upgrades
- Review logs for gateway-connected events and publicly released indicators of compromise (IoCs)
- Strengthen access controls for internet-accessible VPN portals
Vendor mitigation guidance specifically recommends creating a dedicated certificate exclusively for Authentication Override Cookies and ensuring that it is not reused as the HTTPS certificate for Portal or Gateway services.
Where business requirements permit, disabling the Authentication Override feature entirely may be the most direct way to reduce exposure. Even after patching, log review remains essential. If attackers have already generated gateway-connected events, software updates alone cannot determine whether unauthorized access or internal reconnaissance occurred before remediation. Effective response therefore requires a combination of patching, configuration review, log analysis, and external exposure validation.
FAQ
Q1. CVE-2026-0257 is rated CVSS 7.8 (High). Why should it be prioritized?
A CVSS score of 7.8 reflects the technical characteristics used during vulnerability scoring. However, CVE-2026-0257 is an authentication bypass vulnerability that can allow attackers to establish GlobalProtect VPN connections without valid credentials, and active exploitation has already been observed. Because VPN infrastructure serves as a gateway into internal corporate networks, the presence of this vulnerability on an internet-accessible GlobalProtect Portal represents a practical risk that extends well beyond a typical “High” severity rating. Organizations should prioritize remediation based on exposure and exploitation likelihood rather than relying solely on CVSS values.
Q2. What can attackers do after successfully establishing a VPN connection?
In observed intrusion activity, attackers who successfully obtained VPN access immediately used the Impacket framework to generate SMB and NTLM reconnaissance traffic within internal networks.
Such activity may lead to:
- Active Directory enumeration
- Collection of domain user and computer inventories
- Credential hash capture attempts
- Privilege escalation opportunities
- Lateral movement preparation
These actions closely align with the reconnaissance phase commonly observed prior to ransomware deployment and large-scale data theft operations. A VPN authentication bypass should therefore be viewed as a successful breach of the network perimeter. The extent of subsequent compromise depends largely on internal segmentation controls and the organization’s overall security architecture.
Conclusion
CVE-2026-0257 highlights two critical challenges facing modern network security.
From a technical perspective, it demonstrates how a convenience feature such as Authentication Override Cookies can become a complete authentication bypass mechanism when combined with a common operational practice like certificate reuse. The vulnerability does not rely on credential theft, MFA bypass techniques, or code execution. Instead, it exploits a failure in the trust model itself by enabling attackers to forge artifacts that the server inherently trusts. From an operational perspective, the vulnerability illustrates the limitations of relying solely on CVSS scores when prioritizing remediation efforts. While many organizations may have viewed a CVSS 7.8 rating as a candidate for routine patching, active exploitation was already underway. Attacks began within days of disclosure, continued throughout the 16-day period before public PoC release, and accelerated significantly afterward.
The most important lesson from this incident is that patch prioritization should be driven not only by severity scores, but also by real-world exploitation activity and external exposure. For organizations currently operating GlobalProtect infrastructure, two questions should be answered immediately:
- Is Authentication Override Cookie functionality enabled?
- Is the authentication cookie certificate shared with other services or certificates?
If the answer to both questions is yes, the organization’s VPN gateway may already be a target of automated exploitation attempts occurring across the internet today.
In relation to this, you can refer to SonicWall SSL-VPN MFA Bypass Vulnerability: The Attack Surface Between “Patched” and “Protected”
You can subscribe to Criminal IP (criminalip.io/register) and start detecting vulnerable assets right away. You can also request a demo using the button below and explore Criminal IP’s threat intelligence (TI) analysis of externally exposed assets at the enterprise level.

This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.
Source: Criminal IP(https://www.criminalip.io), SC Media(https://www.scworld.com/news/pan-os-globalprotect-bug-actively-exploited-added-to-cisas-kev-list), TheHackerNews(https://thehackernews.com/2026/06/palo-alto-warns-of-active-exploitation.html), Cyber Security News(https://cybersecuritynews.com/palo-alto-vpn-vulnerability-exploited/)
Related article: https://www.criminalip.io/knowledge-hub/blog/34923
