Campaigns
CVE 2026 0257 PAN-OS GlobalProtect Authentication Bypass Active Exploitation

CVE-2026-0257, Palo Alto Networks, Authentication Bypass, GlobalProtect, VPN Security, PAN-OS, Cookie Forgery, CISA KEV, Enterprise VPN
CVE-2026-0257 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect portal and gateway. When authentication override cookies share the same certificate as the HTTPS service, a remote unauthenticated attacker can retrieve the public key via TLS, forge a valid authentication cookie, and establish an unauthorized VPN connection. The flaw is rated CVSS 7.8 (HIGH) and classified as CWE-565; it affects PAN-OS 10.2 through 12.1 and Prisma Access when the authentication override feature is enabled.

Indicators of Compromise

No domains found for this campaign

Campaign Guidance

Remediation, mitigation, notes, history and related intelligence

REMEDIATION / DETECTIONS


CVE-2025-0133 / GlobalProtect Auth Cookie Abuse — MITRE ATT&CK Detection Table

| Technique | Tactic | Detection Strategy ID | Detection Strategy Name | Analytic ID | Analytic Description |
| --- | --- | --- | --- | --- | --- |
| | Credential Access (TA0006) | | | AN (File Access) | Monitor anomalous process access to browser cookie storage (e.g., Chrome SQLite DB); detect memory dump utilities targeting browser processes such as chrome.exe or msedge.exe |
| | Credential Access (TA0006) | | | AN (Memory / Process) | Detect injection or dump attempts into browser processes; monitor ptrace / /proc/[pid]/mem reads targeting cookie memory regions |
| | Credential Access (TA0006) | | | AN (Network / User-Agent) | Detect use of session cookies or authentication tokens presented from unusual user agents or unexpected geographic locations |
| | Defense Evasion (TA0005) / Lateral Movement (TA0008) | | | | Anomalous access to cloud web applications using session tokens without corresponding MFA or credential validation, often from unexpected locations or device fingerprints |
| | Defense Evasion (TA0005) / Lateral Movement (TA0008) | | | | Session cookie reuse on unmanaged browsers, devices, or client types deviating from user baseline (e.g., switching from Chrome to curl) |
| | Defense Evasion (TA0005) / Lateral Movement (TA0008) | | | | Web session tokens reused in native Office apps (e.g., Outlook, Teams) without associated token refresh or login behavior on the endpoint |
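As an added illustration of the network-side analytics in the table (session cookies presented from unusual user agents or locations, and client type drifting from the user's baseline such as Chrome to curl), the following detector is not from the page or from Palo Alto Networks; the whitespace-delimited log schema and the sample lines are constructed for the example.

```python
import re

# Added example (not vendor code). Log schema below is a constructed assumption:
# timestamp user session_id source_country user_agent
SAMPLE_LOG = """\
2026-01-10T08:01:12Z alice sess-7a1 US Mozilla/5.0 (Windows NT 10.0) Chrome/121.0
2026-01-10T08:05:40Z alice sess-7a1 US Mozilla/5.0 (Windows NT 10.0) Chrome/121.0
2026-01-10T08:09:03Z alice sess-7a1 RO curl/8.5.0
2026-01-10T09:00:00Z bob sess-3c9 US Mozilla/5.0 (Macintosh) Safari/17.2
2026-01-10T09:02:30Z bob sess-3c9 US Mozilla/5.0 (Macintosh) Safari/17.2
2026-01-10T09:10:10Z carol sess-f02 DE python-requests/2.31
2026-01-10T09:15:45Z carol sess-f02 DE python-requests/2.31
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) ([A-Z]{2}) (.+)$")


def client_family(user_agent):
    """Coarse client type; the analytic cares about browser vs. script/CLI."""
    ua = user_agent.lower()
    if ua.startswith(("curl/", "python-requests/", "wget/", "go-http-client/")):
        return "cli"
    if ua.startswith("mozilla/"):
        return "browser"
    return "other"


def find_session_reuse(log_text):
    """Alert when an existing session id reappears with a different client
    family or source country than its first (baseline) observation.
    A session that is script-only from the start (carol) stays consistent."""
    baseline = {}  # session id -> (country, client family)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the schema
        ts, user, sid, country, ua = m.groups()
        fam = client_family(ua)
        if sid not in baseline:
            baseline[sid] = (country, fam)
            continue
        b_country, b_fam = baseline[sid]
        reasons = []
        if fam != b_fam:
            reasons.append(f"client {b_fam}->{fam}")
        if country != b_country:
            reasons.append(f"country {b_country}->{country}")
        if reasons:
            alerts.append({"time": ts, "user": user, "session": sid, "reasons": reasons})
    return alerts
```

Running `find_session_reuse(SAMPLE_LOG)` flags only alice's third request, where one session id moves from a Windows browser in US to curl in RO; a baseline keyed on first sight is deliberately simple and a production rule would key on user history instead.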

Observed Countries (1)

US (319)