## https://sploitus.com/exploit?id=2C789584-82FD-5503-B3B1-B5B9573BD5DA
# 🚨 CVE-2026-0257 – PAN-OS GlobalProtect Authentication Bypass

![CVE](https://img.shields.io/badge/CVE-2026--0257-red)
![Severity](https://img.shields.io/badge/Severity-HIGH-orange)
![CVSS](https://img.shields.io/badge/CVSS-7.8-critical)
![Status](https://img.shields.io/badge/Exploitation-Active-red)
![License](https://img.shields.io/badge/License-MIT-blue)

> Security research, technical analysis, detection guidance, IOC collection, and defensive validation resources for CVE-2026-0257.

---

## 📌 Overview

CVE-2026-0257 is an authentication bypass vulnerability affecting Palo Alto Networks GlobalProtect Portal and Gateway deployments running vulnerable PAN-OS versions under specific configurations.

The vulnerability stems from improper trust of Authentication Override cookies: on exposed configurations an attacker can bypass authentication and establish an unauthorized VPN session.

* **Vendor Severity:** HIGH
* **CVSS v4:** 7.8
* **Exploitation Status:** Actively Exploited in the Wild
* **CISA KEV:** Added

---

## ⚡ Impact

An attacker may be able to:

* Bypass authentication controls
* Establish unauthorized VPN sessions
* Access internal network resources
* Impersonate legitimate users
* Launch post-authentication attacks against enterprise environments

---

## 🎯 Vulnerability Conditions

A target is generally exposed when:

* GlobalProtect Portal or Gateway is enabled
* Authentication Override is enabled
* Authentication Override cookies are accepted
* Certificate reuse exposes the cookie encryption public key

### Typical Attack Flow

```text
Attacker
    │
    ▼
Obtain Public Key
    │
    ▼
Forge Authentication Cookie
    │
    ▼
Submit Cookie to GlobalProtect
    │
    ▼
Authentication Bypass
    │
    ▼
Unauthorized VPN Access
```

---

## ๐Ÿ” Technical Summary

Research indicates that Authentication Override cookies are decrypted and trusted without sufficient integrity validation.

When the same certificate is reused for both:

* HTTPS Service
* Authentication Override Cookie Encryption

an attacker who obtains the public key from the HTTPS endpoint may be able to generate forged cookies that vulnerable systems accept.

---

## 🛡 Affected Products

| Product            | Affected Versions                       |
| ------------------ | --------------------------------------- |
| PAN-OS 10.2        | Multiple versions prior to vendor fixes |
| PAN-OS 11.1        | Multiple versions prior to vendor fixes |
| PAN-OS 11.2        | Multiple versions prior to vendor fixes |
| PAN-OS 12.1        | Multiple versions prior to vendor fixes |
| Prisma Access 10.2 | Vulnerable releases                     |
| Prisma Access 11.2 | Vulnerable releases                     |

Refer to the official Palo Alto Networks advisory for exact version information.

---

## 🔥 Known Exploitation

Rapid7 observed active exploitation beginning in May 2026.

Observed attacker activity included:

* Suspicious cookie-based VPN authentications
* Authentication bypass attempts
* Unauthorized VPN tunnel establishment
* Repeated exploitation from cloud-hosted infrastructure

---

## 🚩 Indicators of Compromise (IOCs)

### Source IP Addresses

```text
104.207.144.154
146.19.216.119
146.19.216.120
146.19.216.125
209.99.191.137
79.130.26.202
```

### Observed Hostnames

```text
GP-CLIENT
DESKTOP-GP01
Jocker
```

### Observed MAC Address

```text
aa:bb:cc:dd:ee:ff
```

---

## 🔎 Detection Opportunities

Monitor for:

* Cookie-based GlobalProtect logins
* Unexpected VPN authentications
* VPN sessions without corresponding MFA events
* Connections from unfamiliar IP ranges
* Authentication attempts using generic hostnames
* Suspicious activity following VPN establishment

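One way to triage GlobalProtect logins against the detection points above and to hunt for the IOCs listed in this README within VPN logs (example code added here, not part of the original repository): the simplified CSV log layout, the organisation's known client ranges and the MFA correlation window are assumptions, and the sample records are constructed.

```python
import csv, io, ipaddress
from datetime import datetime, timedelta

# Indicators as listed in this README
IOC_IPS = {"104.207.144.154", "146.19.216.119", "146.19.216.120",
           "146.19.216.125", "209.99.191.137", "79.130.26.202"}
IOC_HOSTNAMES = {"gp-client", "desktop-gp01", "jocker"}
IOC_MACS = {"aa:bb:cc:dd:ee:ff"}
# Assumed expected client ranges for the organisation (constructed, RFC 5737 space)
KNOWN_RANGES = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("198.51.100.0/24")]
MFA_WINDOW = timedelta(minutes=10)  # assumption: a cookie login should sit near an MFA event

# Constructed sample rows (simplified CSV, not the real PAN-OS schema):
# time,user,public_ip,hostname,mac,auth_method
SAMPLE_GP_LOG = """\
2026-05-03T10:00:00,alice,203.0.113.10,ALICE-LAPTOP,00:11:22:33:44:55,password
2026-05-03T10:05:00,bob,146.19.216.120,GP-CLIENT,aa:bb:cc:dd:ee:ff,cookie
2026-05-03T10:07:00,carol,198.51.100.7,CAROL-PC,66:77:88:99:aa:bb,cookie
2026-05-03T10:20:00,dave,192.0.2.44,Jocker,01:23:45:67:89:ab,cookie
"""
# Constructed MFA completions (time, user) exported from the identity provider
SAMPLE_MFA_EVENTS = [("2026-05-03T09:59:30", "alice"), ("2026-05-03T10:06:40", "carol")]

def had_recent_mfa(user, login_time, mfa_events):
    """True if the user completed MFA within MFA_WINDOW before login_time."""
    for ts, mfa_user in mfa_events:
        delta = login_time - datetime.fromisoformat(ts)
        if mfa_user == user and timedelta(0) <= delta <= MFA_WINDOW:
            return True
    return False

def triage(log_text, mfa_events):
    """Return one finding per suspicious login as {'user', 'ip', 'reasons'}."""
    findings = []
    for ts, user, ip, host, mac, method in csv.reader(io.StringIO(log_text)):
        checks = [
            ("ioc-ip", ip in IOC_IPS),
            ("ioc-hostname", host.lower() in IOC_HOSTNAMES),
            ("ioc-mac", mac.lower() in IOC_MACS),
            ("unfamiliar-source-range",
             not any(ipaddress.ip_address(ip) in net for net in KNOWN_RANGES)),
            ("cookie-login-without-mfa",
             method == "cookie" and not had_recent_mfa(user, datetime.fromisoformat(ts), mfa_events)),
        ]
        reasons = [label for label, hit in checks if hit]
        if reasons:
            findings.append({"user": user, "ip": ip, "reasons": reasons})
    return findings
```

On the constructed sample, `triage(SAMPLE_GP_LOG, SAMPLE_MFA_EVENTS)` flags bob (IOC IP, hostname and MAC plus a cookie login with no MFA) and dave (IOC hostname, unfamiliar range, no MFA) while alice and carol pass.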
---

## 🛠 Mitigation

### Immediate Actions

* Upgrade PAN-OS to a fixed version.
* Disable Authentication Override where possible.
* Deploy a dedicated certificate exclusively for Authentication Override cookies.
* Review GlobalProtect authentication logs.
* Hunt for IOC matches within VPN logs.

### Recommended Priority

| Environment                                   | Priority        |
| --------------------------------------------- | --------------- |
| Internet-facing GlobalProtect + Auth Override | 🔴 Critical     |
| Internet-facing GlobalProtect                 | 🟠 High         |
| Internal-only Deployments                     | 🟡 Medium       |
| Panorama / Cloud NGFW                         | 🟢 Not Affected |

---

## 📚 References

* Palo Alto Networks Security Advisory
* Rapid7 Technical Analysis
* CISA Known Exploited Vulnerabilities Catalog
* MITRE CVE Database

---

## ⚠ Disclaimer

This repository is intended solely for:

* Security Research
* Defensive Validation
* Threat Hunting
* Detection Engineering
* Educational Purposes

The authors do not encourage, support, or condone unauthorized access to any system. Users are solely responsible for ensuring that all testing is performed with proper authorization and in compliance with applicable laws and organizational policies.

---

## โญ Support

If this research helps your team:

* 🌟 Star the repository
* 🔄 Share with defenders
* 🛡 Help organizations patch vulnerable systems

---

**[Maintained by GrayXploit Security Research Team](https://grayxploit.com/)**