Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)

Rapid7 reported active exploitation of CVE-2026-0257 in Palo Alto Networks PAN-OS and Prisma Access, where attackers used forged GlobalProtect authentication override cookies to bypass login on vulnerable appliances. The activity appeared in two waves from hosting providers including Vultr and Dromatics Systems, and Rapid7 urged urgent patching or disabling the authentication override feature. #CVE-2026-0257 #PaloAltoNetworks #GlobalProtect #Vultr #DromaticsSystems #CISAKEV

Keypoints

  • CVE-2026-0257 is a medium-severity authentication bypass affecting PAN-OS and Prisma Access under a specific configuration.
  • Successful exploitation lets a remote unauthenticated attacker establish a VPN connection through a GlobalProtect gateway.
  • Rapid7 MDR observed exploitation across multiple customers, with the earliest known activity on May 17, 2026.
  • The attack relied on forged authentication override cookies and was linked to reused certificates in the vulnerable configuration.
  • Rapid7 observed two waves of exploitation, with source infrastructure associated with Vultr and later Dromatics Systems.
  • No evidence of successful lateral movement was observed from the affected devices.
  • Mitigation includes urgent vendor patching, disabling authentication override, or using a dedicated certificate for that feature.

MITRE Techniques

  • [T1134] Access Token Manipulation – The attackers forged and reused authentication override cookies as a bearer-like credential to bypass normal login (‘use an authentication override cookie in future communications … in lieu of re-authenticating via credentials’).
  • [T1606] Forge Web Credentials – The attackers generated arbitrary authentication override cookies using the public key from the TLS certificate (‘anyone who knows the public key … can successfully forge and encrypt an arbitrary authentication override cookie’).
  • [T1078] Valid Accounts – The appliance accepted the forged cookie as if it were a legitimate authentication session, enabling access with an apparently valid admin login (‘the appliance accepted the cookie without a full VPN session being established’).
  • [T1189] Drive-by Compromise – Not directly described as browser-based, but the attack abused an exposed edge service over the network to gain access (‘remote unauthenticated attacker can discover the public key’).

Indicators of Compromise

  • [IP addresses] Source infrastructure seen in successful exploitation – 104.207.144.154, 146.19.216.125, and 2 more IPs
  • [MAC address] Spoofed identifier observed in both exploitation waves – aa:bb:cc:dd:ee:ff
  • [Hostnames] Device names seen in GlobalProtect authentication logs – DESKTOP-GP01, GP-CLIENT
  • [Product versions] Vulnerable and affected software versions – PAN-OS 10.2.8, PAN-OS 12.1.4-h6 and other listed versions
  • [Tools / script name] Public proof-of-concept used to test the vulnerability – forge_cookie.py
  • [Cloud / hosting providers] Infrastructure associated with attacker activity – Vultr, Dromatics Systems
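The IoCs above are most useful when swept against GlobalProtect authentication logs. The script below is an added example (not Rapid7's code and not from the original post) that matches the two listed IP addresses, the spoofed MAC address and the two hostnames against log records. The comma-separated field layout (timestamp, source IP, hostname, MAC, user, result) and the sample lines are constructed for illustration; the real PAN-OS export format differs and the field positions must be adapted to it. The "2 more IPs" the summary does not name are left out.

```python
"""Sweep GlobalProtect-style authentication log lines for the IoCs listed in
the summary (added example, not Rapid7 code).

Assumed log layout (constructed for this example, not the real PAN-OS format):
    timestamp,src_ip,hostname,mac,user,result
"""
import csv
import io
import ipaddress

# IoCs taken from the summary; the unlisted "2 more IPs" are omitted.
IOC_IPS = {"104.207.144.154", "146.19.216.125"}
IOC_MACS = {"aa:bb:cc:dd:ee:ff"}
IOC_HOSTNAMES = {"DESKTOP-GP01", "GP-CLIENT"}

FIELDS = ["timestamp", "src_ip", "hostname", "mac", "user", "result"]

# Constructed sample records (not real log data). Private-use addresses
# stand in for normal user traffic.
SAMPLE_LOG = """\
2026-05-17T03:12:44Z,104.207.144.154,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,svc-vpn,success
2026-05-17T03:13:01Z,203.0.113.10,LAPTOP-JSMITH,00:11:22:33:44:55,jsmith,success
2026-05-20T11:40:09Z,146.19.216.125,GP-CLIENT,aa:bb:cc:dd:ee:ff,admin,success
2026-05-20T11:41:30Z,198.51.100.7,DESKTOP-GP01,de:ad:be:ef:00:01,contractor,failure
"""


def parse_log(text):
    """Parse CSV text into dict rows; malformed lines are skipped, not fatal."""
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) != len(FIELDS):
            continue
        rows.append(dict(zip(FIELDS, (f.strip() for f in rec))))
    return rows


def match_iocs(row):
    """Return the list of field names in this row that hit a listed IoC."""
    hits = []
    try:
        src = str(ipaddress.ip_address(row["src_ip"]))  # normalises e.g. leading zeros
    except ValueError:
        src = None  # unparsable address: cannot match an IP IoC
    if src in IOC_IPS:
        hits.append("src_ip")
    if row["mac"].lower() in IOC_MACS:
        hits.append("mac")
    if row["hostname"].upper() in IOC_HOSTNAMES:
        hits.append("hostname")
    return hits


def scan(text):
    """Return one finding per row that matched at least one IoC, ordered as in the log.

    'score' is the number of independent indicators that matched; a row
    hitting the source IP plus the spoofed MAC deserves more urgency than a
    hostname-only match, since generic names like DESKTOP-GP01 may collide
    with legitimate clients."""
    findings = []
    for row in parse_log(text):
        hits = match_iocs(row)
        if hits:
            findings.append({
                "timestamp": row["timestamp"],
                "src_ip": row["src_ip"],
                "user": row["user"],
                "result": row["result"],
                "matched": hits,
                "score": len(hits),
            })
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Successful logins from a listed source IP with the spoofed MAC are the records to pull first; a hostname-only hit on a failed login is low confidence on its own. A match here confirms exposure, not containment: per the advisory, the fix is patching, disabling authentication override, or moving that feature to a dedicated certificate.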


Read more: https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257