{"id":13262,"date":"2026-05-30T10:03:39","date_gmt":"2026-05-30T10:03:39","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/05\/30\/palo-alto-networks-pan-os-authentication-vulnerability-bypass-exploited-in-the-wild\/"},"modified":"2026-05-30T10:03:39","modified_gmt":"2026-05-30T10:03:39","slug":"palo-alto-networks-pan-os-authentication-vulnerability-bypass-exploited-in-the-wild","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/05\/30\/palo-alto-networks-pan-os-authentication-vulnerability-bypass-exploited-in-the-wild\/","title":{"rendered":"Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild"},"content":{"rendered":"

Palo Alto Networks PAN-OS Authentication Vulnerability Bypass Exploited in the Wild
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

Palo Alto Networks authentication bypass vulnerability, CVE-2026-0257, affecting PAN-OS and Prisma Access, is now being actively exploited in the wild, with CISA adding it to the Known Exploited Vulnerabilities (KEV) catalog on May 29, 2026.<\/p>\n

Palo Alto Networks published its security advisory on May 13, 2026, warning that CVE-2026-0257 enables a remote unauthenticated attacker to forge authentication override cookies and establish unauthorized VPN connections<\/a> through the GlobalProtect gateway.<\/p>\n

The vulnerability exists in a non-default feature called \u201cauthentication override,\u201d which allows GlobalProtect portals and gateways to issue session cookies to authenticated users similar to a bearer token, so users don\u2019t need to re-authenticate each session.<\/p>\n

The flaw is triggered only when the certificate used to encrypt and decrypt these authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway.<\/p>\n

Because the decryption process in the \/usr\/local\/bin\/gpsvc<\/code> binary performs no signature verification after decrypting the cookie, any attacker who can retrieve the public key from the exposed HTTPS certificate can forge a valid authentication cookie and bypass authentication entirely.<\/p>\n

Rapid7 has identified the earliest exploitation<\/a> on May 17, 2026, with a first wave of attacks originating from IPs hosted on Vultr. On May 18, Rapid7 detected suspicious cookie-based authentication to local admin accounts across multiple customer environments.<\/p>\n

The attacker used the machine name GP-CLIENT<\/code> and a spoofed MAC address (aa:bb:cc:dd:ee:ff<\/code>) to masquerade as a legitimate endpoint.<\/p>\n

A second exploitation wave occurred on May 21, 2026, this time originating from the hosting provider Dromatics Systems, using machine name DESKTOP-GP01<\/code>.<\/p>\n

In this wave, some victims had full VPN IP assignments granted after the cookie authentication, giving attackers direct access to internal networks. Across both waves, the consistent spoofed MAC address suggests a single threat actor behind both campaigns. Notably, 8 out of 10 impacted MDR customers saw only authentication probes, not full VPN session establishment.<\/p>\n

Indicators of Compromise<\/strong><\/h2>\n
\n\n\n\n\n\n\n\n\n\n
Indicator<\/th>\nType<\/th>\n<\/tr>\n<\/thead>\n
104.207.144.154<\/code><\/td>\nThreat actor source IP (Wave 1)<\/td>\n<\/tr>\n
146.19.216.119 \/ .120 \/ .125<\/code><\/td>\nThreat actor source IPs (Wave 2)<\/td>\n<\/tr>\n
aa:bb:cc:dd:ee:ff<\/code><\/td>\nSpoofed MAC address (both waves)<\/td>\n<\/tr>\n
GP-CLIENT<\/code><\/td>\nMachine name, Linux auth, May 17<\/td>\n<\/tr>\n
DESKTOP-GP01<\/code><\/td>\nMachine name, Windows auth, May 21<\/td>\n<\/tr>\n<\/tbody>\n<\/table>
Note:<\/strong>\u00a0IP addresses and domains are intentionally defanged (e.g.,\u00a0<\/em>[.]<\/em><\/code>) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM<\/em>.<\/figcaption><\/figure>\n

Organizations must upgrade to patched versions<\/a> immediately. Key fixed versions include PAN-OS 12.1.4-h6 \/ 12.1.7, PAN-OS 11.2.12, PAN-OS 11.1.15, and PAN-OS 10.2.18-h6, among others. Prisma Access 11.2.0 requires 11.2.7-h13 or later, and Prisma Access 10.2.0 requires 10.2.10-h36 or later.<\/p>\n

Mitigations<\/strong><\/h2>\n

Organizations should take the following actions immediately:<\/p>\n