Share
## https://sploitus.com/exploit?id=52FC422B-D7A9-57FF-8D23-9EC29A24B40D
# CVE-2026-0265 Vulnerability Assessment Tool

Safely detect whether a [Palo Alto Networks PAN-OS](https://www.paloaltonetworks.com/network-security/next-generation-firewall) firewall, gateway, or Panorama instance is vulnerable to CVE-2026-0265 without authenticating any session.

## Description

CVE-2026-0265 is a remote authentication bypass affecting PAN-OS and Panorama that triggers when an authentication profile uses Cloud Authentication Service (CAS). The vulnerable `pan_auth_verify` function in `libpanmp_mp.so` dispatches JSON Web Token signature verification purely on the attacker-controlled `alg` header โ€” a forged JWT with `alg=HS256` and `HMAC-SHA256(cas_public_key_pem, header.payload)` as its signature will be accepted as if it were a real RS256-signed CAS token, letting any attacker impersonate any user. The same bug is reachable through two attack surfaces:

* **GlobalProtect portal** โ€” `POST /SAML20/SP/ACS` โ†’ nginx โ†’ `gpsvc` โ†’ `pan_jwt_verify`. Compromise yields a VPN session as the impersonated user.
* **Management UI** โ€” `POST /SAML20/SP/ACS` โ†’ nginx โ†’ `DualLogin.php` โ†’ `authd` โ†’ `pan_jwt_verify`. Compromise yields full PAN-OS admin (configuration write, CLI shell, secret read).

This tool performs non-destructive detection in two phases:

1. **Passive fingerprint** โ€” GETs known PAN-OS landing pages (`/global-protect/login.esp`, `/SAML20/SP/ACS`, `/php/login.php`, etc.) to identify the target as a PAN-OS portal and to confirm the precondition that CAS or SAML is attached to at least one admin or portal profile. No JWT is ever submitted in this phase.
2. **Probe oracle** โ€” POSTs three deliberately invalid JWTs (`alg=HS256`, `alg=RS256`, `alg=none`) to the assertion-consumer routes and reads the `` value embedded in the resulting error page. The status code in that field correlates with build version: `0` on known-vulnerable PAN-OS builds, `-1` on known-patched builds. None of the three JWTs can authenticate anything โ€” every one is a structurally-valid token with a random signature.

* **Vulnerable targets** return `0` across all three probes โ†’ verdict `likely-vulnerable`.
* **Patched targets** return `-1` across all three probes โ†’ verdict `likely-patched`.
* **Targets without CAS attached** return 404 on `/SAML20/SP/ACS` โ†’ verdict `precondition-absent` (the bug is not reachable on this host even if the build is vulnerable).
* **Non-PAN-OS targets** produce no fingerprint hits โ†’ verdict `not-applicable`.

The verdict is surfaced as `likely-*` because the empirical mapping is based on n=2 lab targets and the status-code value is build-correlated rather than a direct per-alg bug fingerprint. Pair with a PAN-OS version fingerprinter for a definitive call.

## Installation

```bash
git clone https://github.com/BishopFox/CVE-2026-0265-check
cd CVE-2026-0265-check
```

No external dependencies. The scanner uses only Python standard library modules.

## Usage

Run with one or more targets as positional arguments, a file of targets, or by piping targets on stdin. Hostnames are auto-wrapped to `https:///`.

```bash
python3 CVE-2026-0265-check.py [options]  [...]
```

| Flag | Meaning |
|---|---|
| `-m`, `--mode {passive,probe,both}` | passive: GET-only fingerprint. probe: also POST the three invalid JWTs and read the status oracle. both: passive sweep, then auto-promote CAS-positive hits to probe. **Default: both** |
| `-f`, `--targets-file FILE` | Read one target per line from FILE |
| `-t`, `--timeout SECONDS` | Per-request timeout. Default: 10.0 |
| `-c`, `--concurrent N` | Max parallel targets. Default: 10 |
| `-b`, `--brief` | Emit ` ` per target instead of full JSON |

Output is one JSON object per target on stdout (jq-friendly). Pass `-b` for one-line-per-target triage output. Exit code is `1` if any target hits `likely-vulnerable`, `0` otherwise.

### Example: Vulnerable Target

```text
$ python3 CVE-2026-0265-check.py -b gp.example.com
https://gp.example.com/ likely-vulnerable
```

```json
$ python3 CVE-2026-0265-check.py gp.example.com | jq .
{
  "target": "https://gp.example.com/",
  "mode": "both",
  "verdict": "likely-vulnerable",
  "passive": {
    "panos_indicator": true,
    "cas_indicator": true,
    "cas_evidence": ["/SAML20/SP/ACS status=200 (mgmt SAML/CAS enabled)"],
    ...
  },
  "probe": {
    "probe_url": "https://gp.example.com/SAML20/SP/ACS",
    "diff": {
      "a_saml_auth_status": "0",
      "b_saml_auth_status": "0",
      "c_saml_auth_status": "0",
      ...
    },
    "verdict": "likely-vulnerable",
    "notes": [
      "Body oracle defeated by error normalization, but gpsvc's  is '0' across all probes โ€” the build-correlation signal observed on known-vulnerable PAN-OS builds (n=2 lab targets, 2026-05-20). Confirm with version fingerprint."
    ]
  }
}
```

### Example: Patched Target

```text
$ python3 CVE-2026-0265-check.py -b gp.example.com
https://gp.example.com/ likely-patched
```

### Example: PAN-OS Without CAS

```text
$ python3 CVE-2026-0265-check.py -b mgmt.example.com
https://mgmt.example.com/ precondition-absent
```

The host is identified as PAN-OS but no admin or portal profile has CAS attached, so the bug is not reachable here even if the build is vulnerable.

### Example: Mass Sweep

```bash
$ cat targets.txt | python3 CVE-2026-0265-check.py -b -c 25
https://gp1.example.com/ likely-vulnerable
https://gp2.example.com/ likely-patched
https://mgmt1.example.com/ precondition-absent
https://www.example.com/ not-applicable
...
```

For larger inventories, run passive first to identify the CAS-positive subset cheaply, then run probe against just that subset:

```bash
python3 CVE-2026-0265-check.py -m passive  cas-positive.txt

python3 CVE-2026-0265-check.py -m probe -c 5 0`. Build matches the known-vulnerable fingerprint. Confirm with version check. |
| `likely-patched` | All three probes returned `-1`. Build matches the known-patched fingerprint. Confirm with version check. |
| `likely-patched-or-mitigated` | HS256 and RS256 produced indistinguishable responses but `alg=none` produced a different one. Consistent with the h17 PEM-prefix guard collapsing both alg paths into the same error. |
| `precondition-met` | (passive-only mode) CAS or SAML is attached to at least one profile. The host is in scope; run probe mode for a vulnerability call. |
| `precondition-absent` | PAN-OS detected but no CAS or SAML configured. The bug is not reachable on this host. |
| `indeterminate-try-again` | All three probes were byte-identical and no `` field was present. Diagnostic leaks are closed at the response layer; an external probe cannot tell. Re-run with longer pacing or pair with a version fingerprinter. |
| `probe-route-not-found` | None of the four candidate assertion-consumer routes responded. Unusual on a CAS-positive target; the host may have a non-standard nginx layout. |
| `not-applicable` | No PAN-OS / GlobalProtect indicators in the passive fingerprint. Not a Palo Alto target. |
| `inconclusive` | Responses differed in shape but not in identifiable error vocabulary, and no status-code oracle was present. Manual inspection of `probe.response_{a,b,c}` recommended. |

## Preconditions

The tool can only detect the vulnerability if the following conditions are met:

* The target is running an affected PAN-OS or Panorama build (10.2.0โ€“10.2.17, 11.1.0โ€“11.1.14, 11.2.0โ€“11.2.11, 12.1.2โ€“12.1.6).
* The GlobalProtect portal or management web interface is reachable on TCP/443.
* At least one authentication profile attached to a portal or admin role uses Cloud Authentication Service (CAS) as its authentication method.

If CAS is not attached anywhere, the bug is not reachable on that host even on an otherwise-vulnerable build, and the tool will report `precondition-absent`.

## License

This code is distributed under an [MIT license](LICENSE).

## Legal Disclaimer

Usage of this tool for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state, and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program.

## See Also

* [Palo Alto Networks Advisory CVE-2026-0265](https://security.paloaltonetworks.com/CVE-2026-0265)
* [NVD โ€” CVE-2026-0265](https://nvd.nist.gov/vuln/detail/CVE-2026-0265)