CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership May 30, 2026

Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild

Cybersecurity News Archived May 30, 2026 ✓ Full text saved

Palo Alto Networks authentication bypass vulnerability, CVE-2026-0257, affecting PAN-OS and Prisma Access, is now being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026. Palo Alto Networks published its security advisory on May 13, 2026, warning that CVE-2026-0257 enables a remote unauthenticated attacker to […] The post Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild appeared first on Cyb

Full text archived locally
✦ AI Summary · Claude Sonnet


    HomeCyber Security Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild By Guru Baran May 30, 2026 Palo Alto Networks authentication bypass vulnerability, CVE-2026-0257, affecting PAN-OS and Prisma Access, is now being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026. Palo Alto Networks published its security advisory on May 13, 2026, warning that CVE-2026-0257 enables a remote unauthenticated attacker to forge authentication override cookies and establish unauthorized VPN connections through the GlobalProtect gateway. The vulnerability exists in a non-default feature called “authentication override,” which allows GlobalProtect portals and gateways to issue session cookies to authenticated users similar to a bearer token, so users don’t need to re-authenticate each session. The flaw is triggered only when the certificate used to encrypt and decrypt these authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway. Because the decryption process in the /usr/local/bin/gpsvc binary performs no signature verification after decrypting the cookie, any attacker who can retrieve the public key from the exposed HTTPS certificate can forge a valid authentication cookie and bypass authentication entirely. Rapid7 has identified the earliest exploitation on May 17, 2026, with a first wave of attacks originating from IPs hosted on Vultr. On May 18, Rapid7 detected suspicious cookie-based authentication to local admin accounts across multiple customer environments. The attacker used the machine name GP-CLIENT and a spoofed MAC address (aa:bb:cc:dd:ee:ff) to masquerade as a legitimate endpoint. A second exploitation wave occurred on May 21, 2026, this time originating from the hosting provider Dromatics Systems, using machine name DESKTOP-GP01. In this wave, some victims had full VPN IP assignments granted after the cookie authentication, giving attackers direct access to internal networks. Across both waves, the consistent spoofed MAC address suggests a single threat actor behind both campaigns. Notably, 8 out of 10 impacted MDR customers saw only authentication probes, not full VPN session establishment. Indicators of Compromise Indicator Type 104.207.144.154 Threat actor source IP (Wave 1) 146.19.216.119 / .120 / .125 Threat actor source IPs (Wave 2) aa:bb:cc:dd:ee:ff Spoofed MAC address (both waves) GP-CLIENT Machine name, Linux auth, May 17 DESKTOP-GP01 Machine name, Windows auth, May 21 Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM. Organizations must upgrade to patched versions immediately. Key fixed versions include PAN-OS 12.1.4-h6 / 12.1.7, PAN-OS 11.2.12, PAN-OS 11.1.15, and PAN-OS 10.2.18-h6, among others. Prisma Access 11.2.0 requires 11.2.7-h13 or later, and Prisma Access 10.2.0 requires 10.2.10-h36 or later. Mitigations Organizations should take the following actions immediately: Upgrade all affected PAN-OS and Prisma Access instances to vendor-patched versions Disable the authentication override feature if not operationally required Generate a dedicated certificate exclusively for authentication override cookie encryption — never share it with the HTTPS service Hunt for IOCs listed above across VPN and GlobalProtect authentication logs Deploy detection rules available for InsightIDR/MDR: including “Suspicious Authentication – Palo Alto GlobalProtect Cookie Authentication to Local Admin Account” Despite its medium CVSSv4 score, Rapid7 urges organizations to treat CVE-2026-0257 as a critical-priority vulnerability. An authentication bypass on an internet-facing enterprise VPN appliance represents a significant initial access vector, and with active exploitation confirmed and a public proof-of-concept script now available, the window for safe remediation is closing fast. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News New Zapocalypse Attack Chain Enables Full Zapier Account Takeover New PureLogs Variant Uses MsBuild.exe Process Hollowing to Evade Detection GHOST STADIUM Phishing Campaign Targets FIFA World Cup Fans With 300+ Fake Domains InvisibleFerret Malware Now Ships as .pyd and .so Files to Evade Script Detection Top 10 Best Static Application Security Testing (SAST) Tools for Security Teams in 2026 Latest News Cyber Security News Ransomware Uses SYSTEM Scheduled Task to Encrypt Local Drives With Elevated Privileges Cyber Security News JINX-0164 Threat Actor Using LinkedIn Social Engineering to Deploy Custom macOS Malware Cyber Security News Attackers Abuse Trusted Developer Tooling to Exfiltrate Source Code and Secrets Cyber Security From 200 CVEs to Actionable Fixes – DockSec Brings AI to Container Security Cyber Attack News Malicious NuGet Package as Sicoob SDK Exfiltrates Banking Passwords
    💬 Team Notes
    Article Info
    Source
    Cybersecurity News
    Category
    ◇ Industry News & Leadership
    Published
    May 30, 2026
    Archived
    May 30, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗