CVE-2026-0257: Palo Alto PAN-OS Authentication Bypass Actively Exploited — Patch Immediately

dark6 30 May 2026

A critical authentication bypass vulnerability in Palo Alto Networks PAN-OS and Prisma Access — tracked as CVE-2026-0257 — is now being actively exploited in the wild, with the U.S. Cybersecurity and Infrastructure Security Agency (CISA) adding it to the Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026. Organizations running GlobalProtect VPN gateways should treat this as an emergency and patch immediately.

What Is CVE-2026-0257?

Palo Alto Networks published its security advisory on May 13, 2026, disclosing that CVE-2026-0257 enables a remote, unauthenticated attacker to forge authentication override cookies and establish unauthorized VPN connections through the GlobalProtect gateway. The vulnerability resides in a non-default feature called authentication override, which allows GlobalProtect portals and gateways to issue session cookies to authenticated users — similar to a bearer token — so users do not need to re-authenticate each session.

The flaw is triggered only when the certificate used to encrypt and decrypt these authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway. Because the decryption process in the /usr/local/bin/gpsvc binary performs no signature verification after decrypting the cookie, any attacker who can retrieve the public key from the exposed HTTPS certificate can forge a valid authentication cookie and bypass authentication entirely.

Active Exploitation: Two Distinct Waves

Rapid7 identified the earliest confirmed exploitation on May 17, 2026, with a first wave of attacks originating from IPs hosted on the cloud provider Vultr. On May 18, Rapid7 detected suspicious cookie-based authentication to local admin accounts across multiple customer environments. The attacker used the machine name GP-CLIENT and a spoofed MAC address (aa:bb:cc:dd:ee:ff) to masquerade as a legitimate endpoint.

A second exploitation wave occurred on May 21, 2026, originating from Dromatics Systems, using machine name DESKTOP-GP01. In this wave, some victims received full VPN IP assignments after cookie authentication, granting attackers direct access to internal networks. Across both waves, the consistent spoofed MAC address strongly suggests a single threat actor behind both campaigns. Notably, 8 out of 10 impacted MDR customers saw only authentication probes, not full VPN session establishment — indicating active reconnaissance across a broad range of targets.

Indicators of Compromise

Organizations should hunt for the following indicators across VPN logs, GlobalProtect authentication logs, and network traffic:

  • Source IPs (Wave 1): 104.207.144.154 (Vultr-hosted)
  • Source IPs (Wave 2): 146.19.216.119, 146.19.216.120, 146.19.216.125 (Dromatics Systems)
  • Spoofed MAC address: aa:bb:cc:dd:ee:ff (consistent across both waves)
  • Machine name (Wave 1): GP-CLIENT (Linux authentication)
  • Machine name (Wave 2): DESKTOP-GP01 (Windows authentication)

Affected Versions and Patches

The vulnerability affects a wide range of PAN-OS versions. Key fixed versions include:

  • PAN-OS 12.1: Fixed in 12.1.4-h6 and 12.1.7
  • PAN-OS 11.2: Fixed in 11.2.12
  • PAN-OS 11.1: Fixed in 11.1.15
  • PAN-OS 10.2: Fixed in 10.2.18-h6
  • Prisma Access 11.2.0: Requires 11.2.7-h13 or later
  • Prisma Access 10.2.0: Requires 10.2.10-h36 or later

Mitigations and Recommended Actions

Despite a medium CVSSv4 score, Rapid7 urges organizations to treat CVE-2026-0257 as a critical-priority vulnerability. An authentication bypass on an internet-facing enterprise VPN appliance represents a significant initial access vector, and with active exploitation confirmed and a public proof-of-concept available, the remediation window is closing fast.

Organizations should take the following steps immediately:

  • Upgrade all affected PAN-OS and Prisma Access instances to vendor-patched versions without delay.
  • Disable the authentication override feature if it is not operationally required.
  • Generate a dedicated certificate exclusively for authentication override cookie encryption — never share it with the HTTPS service.
  • Hunt for the indicators of compromise listed above across VPN and GlobalProtect authentication logs.
  • Deploy detection rules for suspicious cookie-based authentication to local admin accounts in your SIEM or EDR platform.
  • Review VPN session logs for the machine names GP-CLIENT and DESKTOP-GP01, and block the known source IP ranges.
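To show how the indicator hunt and the cookie-to-local-admin detection above can be combined into one pass over GlobalProtect authentication events, here is an added Python example (not code from the article, Rapid7 or Palo Alto Networks). It runs over constructed log lines in a hypothetical key=value export format; the field names (src, user, auth, machine, mac, ip_assigned) and the LOCAL_ADMINS set are assumptions to map onto your SIEM's schema, while the IP, MAC and machine-name values are the ones quoted in the article.

```python
import re
# Indicators quoted in the article for the two CVE-2026-0257 exploitation waves.
WAVE1_IPS = {"104.207.144.154"}
WAVE2_IPS = {"146.19.216.119", "146.19.216.120", "146.19.216.125"}
SPOOFED_MAC = "aa:bb:cc:dd:ee:ff"
MACHINE_NAMES = {"GP-CLIENT": "wave 1 / Linux", "DESKTOP-GP01": "wave 2 / Windows"}
LOCAL_ADMINS = {"admin"}  # assumption: local admin accounts on your gateways

# Constructed sample lines in a hypothetical key=value export format; the field
# names are assumptions and must be mapped onto your SIEM's GlobalProtect schema.
SAMPLE_LOG = """\
ts=2026-05-18T03:14:07Z src=104.207.144.154 user=admin auth=cookie machine=GP-CLIENT mac=aa:bb:cc:dd:ee:ff ip_assigned=-
ts=2026-05-18T09:02:51Z src=203.0.113.25 user=jdoe auth=ldap machine=LAPTOP-JD mac=00:11:22:33:44:55 ip_assigned=10.8.0.12
ts=2026-05-21T11:40:19Z src=146.19.216.120 user=admin auth=cookie machine=DESKTOP-GP01 mac=aa:bb:cc:dd:ee:ff ip_assigned=10.8.0.44
ts=2026-05-21T11:41:02Z src=198.51.100.7 user=admin auth=cookie machine=WS-FINANCE mac=0c:9d:92:aa:10:01 ip_assigned=10.8.0.45
"""
KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    # One key=value log line -> dict of fields.
    return dict(KV_RE.findall(line))

def classify(event):
    # Return the article's indicators this event matches (empty list if none).
    reasons = []
    src = event.get("src")
    if src in WAVE1_IPS:
        reasons.append("wave-1 source IP")
    elif src in WAVE2_IPS:
        reasons.append("wave-2 source IP")
    if event.get("mac", "").lower() == SPOOFED_MAC:
        reasons.append("spoofed MAC")
    name = event.get("machine")
    if name in MACHINE_NAMES:
        reasons.append(f"machine name {name} ({MACHINE_NAMES[name]})")
    # Behavioural signal the article recommends alerting on, independent of IOCs.
    if event.get("auth") == "cookie" and event.get("user") in LOCAL_ADMINS:
        reasons.append("cookie auth to local admin account")
    # Probe vs. full session: the article notes most victims saw only probes.
    if reasons and event.get("ip_assigned", "-") != "-":
        reasons.append("VPN IP assigned: full session, not just a probe")
    return reasons

def hunt(log_text):
    # (timestamp, source IP, reasons) for every event that matches anything.
    hits = []
    for ev in map(parse_line, log_text.splitlines()):
        if reasons := classify(ev):
            hits.append((ev.get("ts"), ev.get("src"), reasons))
    return hits
```

The fourth sample line matches none of the published indicators but still fires on the behavioural rule, which is the case a purely IOC-driven hunt would miss.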

Why This Matters

Enterprise VPN gateways are high-value targets because they sit at the perimeter of corporate networks and, when compromised, grant attackers direct access to internal systems. The combination of a forged cookie bypass and zero authentication requirements makes CVE-2026-0257 especially dangerous — an attacker needs no credentials, only the public key from the exposed certificate. Given the speed of exploitation observed (within four days of the advisory becoming public knowledge in the threat actor community), this vulnerability should be prioritized above all other patching work until remediated.

CISA's addition to the KEV catalog means all U.S. federal civilian agencies are now legally required to patch by the specified deadline, and private sector organizations should treat that timeline as a strong indicator of urgency.
