
CVE-2026-0257: PAN-OS GlobalProtect Authentication Bypass, Active Exploitation
CVE-2026-0257, Palo Alto Networks, Authentication Bypass, GlobalProtect, VPN Security, PAN-OS, Cookie Forgery, CISA KEV, Enterprise VPN
CVE-2026-0257 is an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect portal and gateway. When authentication override cookies share the same certificate as the HTTPS service, a remote unauthenticated attacker can retrieve the public key via TLS, forge a valid authentication cookie, and establish an unauthorized VPN connection. The flaw is rated CVSS 7.8 (HIGH) and classified as CWE-565; it affects PAN-OS 10.2 through 12.1 and Prisma Access when the authentication override feature is enabled.
Indicators of Compromise
No domains found for this campaign
Campaign Guidance
Remediation, mitigation, notes, history and related intelligence
REMEDIATION / DETECTIONS
CVE-2025-0133 / GlobalProtect Auth Cookie Abuse — MITRE ATT&CK Detection Table
| Technique | Tactic | Detection Strategy ID | Detection Strategy Name | Analytic ID | Analytic Description |
| --- | --- | --- | --- | --- | --- |
| | Credential Access (TA0006) | | | AN (File Access) | Monitor anomalous process access to browser cookie storage (e.g., Chrome SQLite DB); detect memory dump utilities targeting browser processes such as chrome.exe or msedge.exe |
| | Credential Access (TA0006) | | | AN (Memory / Process) | Detect injection or dump attempts into browser processes; monitor ptrace / /proc/[pid]/mem reads targeting cookie memory regions |
| | Credential Access (TA0006) | | | AN (Network / User-Agent) | Detect use of session cookies or authentication tokens presented from unusual user agents or unexpected geographic locations |
| | Defense Evasion (TA0005) / Lateral Movement (TA0008) | | | | Anomalous access to cloud web applications using session tokens without corresponding MFA or credential validation, often from unexpected locations or device fingerprints |
| | Defense Evasion (TA0005) / Lateral Movement (TA0008) | | | | Session cookie reuse on unmanaged browsers, devices, or client types deviating from user baseline (e.g., switching from Chrome to curl) |
| | Defense Evasion (TA0005) / Lateral Movement (TA0008) | | | | Web session tokens reused in native Office apps (e.g., Outlook, Teams) without associated token refresh or login behavior on the endpoint |
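The "session cookie reuse deviating from user baseline" and "unusual user agents or unexpected geographic locations" analytics above, written out as an added example (not code from this page's source or from Palo Alto Networks): each user's first few sessions build a baseline of source country and client type, and a later session that presents the same authentication cookie from a country or client outside that baseline raises an alert. The log format (user, cookie id, country, client) is constructed for the example, not real GlobalProtect output.

```python
"""Baseline-deviation detection for authentication-cookie reuse (added example)."""
from collections import defaultdict

# Constructed sample records, not real PAN-OS/GlobalProtect log output.
# Fields: user, cookie_id, source_country, client_type
SAMPLE_LOGS = """\
alice,c1,US,PanGPA
alice,c1,US,PanGPA
alice,c1,RU,curl
bob,c2,US,Chrome
bob,c2,US,Chrome
bob,c2,US,PanGPA
"""

# Sessions a user must accumulate before their baseline is trusted (assumed threshold).
BASELINE_EVENTS = 2


def parse(log_text):
    """Yield (user, cookie, country, client) tuples from the constructed CSV-style log."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, cookie, country, client = (f.strip() for f in line.split(","))
        yield user, cookie, country, client


def find_anomalies(log_text, baseline_events=BASELINE_EVENTS):
    """Return (user, cookie, reason) alerts for sessions that fall outside the user's baseline.

    The baseline is learned online: once a user has `baseline_events` sessions,
    any session from an unseen country or client type is flagged, then the new
    values are added to the baseline so the same deviation is not re-alerted.
    """
    seen = defaultdict(lambda: {"countries": set(), "clients": set(), "n": 0})
    alerts = []
    for user, cookie, country, client in parse(log_text):
        b = seen[user]
        if b["n"] >= baseline_events:
            reasons = []
            if country not in b["countries"]:
                reasons.append(f"new country {country}")
            if client not in b["clients"]:
                reasons.append(f"new client {client}")
            if reasons:
                alerts.append((user, cookie, "; ".join(reasons)))
        b["countries"].add(country)
        b["clients"].add(client)
        b["n"] += 1
    return alerts
```

On the sample data this flags alice's third session (new country and a switch from the GlobalProtect client to curl) and bob's third session (new client type only).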
Observed Countries
US (319)