
GlobalProtect serves as the critical gateway between remote workers and enterprise networks, enabling employees to securely access corporate resources from anywhere. This VPN solution from Palo Alto Networks has become essential infrastructure for organizations supporting hybrid work models, with thousands of enterprises relying on it to protect sensitive data flows between remote endpoints and internal systems. (Source: Rapid7)

The authentication bypass vulnerability in CVE-2026-0257 fundamentally breaks this security model. Attackers can forge authentication cookies that GlobalProtect accepts as legitimate, granting them VPN access without any credentials. This means threat actors can establish the same network connections your remote employees use - but without passwords, multi-factor authentication, or any identity verification.

Once attackers gain VPN access through this vulnerability, they inherit the same network privileges as legitimate remote users. In most enterprise configurations, this includes access to file shares, internal web applications, databases, and communication systems. The compromised VPN connection becomes their beachhead for deeper network penetration.

The business implications extend far beyond initial access. Attackers with VPN connectivity can conduct reconnaissance to map your internal network architecture, identifying high-value targets like domain controllers, backup systems, and data repositories. They can harvest credentials from memory, intercept sensitive communications, and exfiltrate intellectual property through the same encrypted channels designed to protect legitimate traffic.

Financial services organizations face particular exposure given their reliance on secure remote access for traders, analysts, and support staff accessing market data and transaction systems. Healthcare networks supporting telemedicine and remote clinical access risk HIPAA violations if patient data becomes accessible through compromised VPN connections. Manufacturing companies with GlobalProtect deployments connecting to operational technology networks could see attackers pivot from IT to OT environments.

The timeline adds urgency to this threat. Palo Alto Networks disclosed CVE-2026-0257 on May 13, 2026, but Rapid7 MDR detected active exploitation beginning May 17 - just four days later. This compressed window between disclosure and exploitation demonstrates that threat actors had either discovered the vulnerability independently or rapidly developed working exploits. The second wave of attacks on May 21 showed evolution in attacker tactics, with some achieving full VPN IP assignment and internal network access.

What makes this vulnerability particularly dangerous is its exploitation simplicity combined with the specific configuration requirements. Organizations that enabled the authentication override feature for user convenience and reused certificates across services unknowingly created the perfect conditions for compromise. The vulnerability affects multiple versions of PAN-OS and Prisma Access, meaning both on-premises and cloud-delivered GlobalProtect deployments face risk.

The observed attack patterns suggest organized threat actors rather than opportunistic scanning. The consistent use of spoofed MAC addresses, coordinated timing across multiple targets, and infrastructure from specific hosting providers indicates deliberate campaigns. While Rapid7 didn't observe lateral movement in the documented cases, the established VPN access provides all necessary capabilities for data theft, ransomware deployment, or establishing persistent backdoors for future operations.

How the Vulnerability Works: The Authentication Bypass Mechanism

The vulnerability exploits a fundamental design flaw in how GlobalProtect handles authentication override cookies - a convenience feature that becomes a catastrophic security hole when misconfigured. When you enable authentication override in GlobalProtect, the system allows previously authenticated users to bypass credential checks using encrypted cookies, similar to how your web browser remembers login sessions.

The critical flaw lies in the /usr/local/bin/gpsvc binary's cookie validation process. When GlobalProtect receives an authentication cookie through HTTP form values portal-userauthcookie or portal-prelogonuserauthcookie during a POST request to /ssl-vpn/login.esp, it decrypts the cookie using RSA private keys - but never verifies the signature or authenticity of the decrypted content.

This missing verification step creates the attack opportunity. The main_DecryptAppAuthCookie function simply base64 decodes the incoming cookie and decrypts it with the configured private key, then immediately trusts whatever data emerges: username, domain, host ID, client OS, remote address, and timestamp. There's no cryptographic signature check, no certificate validation, no integrity verification - the system blindly accepts any properly encrypted data as legitimate.

Here's where the configuration mistake becomes weaponized. GlobalProtect requires a certificate to encrypt and decrypt these authentication cookies. If administrators reuse the same certificate for both the cookie encryption feature and the HTTPS service (the web interface), attackers can retrieve the public key simply by connecting to the GlobalProtect portal or gateway on port 443. With that public key, they can forge any authentication cookie they want - setting themselves as admin users, spoofing legitimate machine names, even manipulating timestamps to extend cookie lifetimes.

The attack chain is devastatingly simple. First, attackers scan for GlobalProtect instances and retrieve the SSL certificate chain. They test each certificate in the chain by forging cookies with different public keys until one succeeds. The proof-of-concept script developed by Rapid7 Labs demonstrates this process, iterating through certificates and reporting which one enables successful authentication bypass. In their testing environment running PAN-OS 10.2.8, the second certificate in the chain (CN=GP-Lab-CA) proved to be the vulnerable key.

The vulnerability affects extensive version ranges across both PAN-OS and Prisma Access platforms. PAN-OS versions 10.2 through 12.1 contain vulnerable builds, with patches available in specific hotfix releases. Prisma Access versions 10.2.0 and 11.2.0 are similarly affected. However, the vulnerability only manifests when two specific conditions align: authentication override must be enabled (it's disabled by default), and the certificate used for cookie encryption must be shared with another service that exposes it publicly.

This combination of factors explains why Rapid7 observed successful cookie forging across multiple customers but only saw VPN session establishment in 2 out of 10 cases. The authentication bypass succeeds when the configuration flaw exists, but additional factors like network segmentation, VPN pool configuration, or secondary authentication mechanisms may prevent full network access even with a valid forged cookie.

Detection and Immediate Response: Actions for the Next 24-48 Hours

Your security team has hours, not days, to act. Rapid7 MDR's detection of active exploitation means attackers are already inside networks using forged authentication cookies - and they're moving fast.

Immediate Actions (Next 4 Hours)

First, verify your exposure status. Check if authentication override is enabled by accessing your GlobalProtect configuration at Device > GlobalProtect Portals > [Portal Name] > Authentication and Device > GlobalProtect Gateways > [Gateway Name] > Authentication. If you see "Generate cookie for authentication override" checked, you're potentially vulnerable.

Enable verbose logging immediately on all GlobalProtect gateways through Device > Setup > Management > Logging and Reporting Settings. Set GlobalProtect logs to debug level to capture authentication attempts that standard logging misses.

Search your GlobalProtect logs for these specific exploitation indicators:

  • Authentication method showing as "Cookie" instead of standard SAML, LDAP, or RADIUS
  • MAC address aa:bb:cc:dd:ee:ff appearing in authentication logs
  • Machine names "GP-CLIENT" (Linux) or "DESKTOP-GP01" (Windows) in gateway-auth events
  • Source IPs from Vultr (104.207.144.0/24) or Dromatics Systems (146.19.216.0/24) ranges
  • Authentication latency values under 100ms for cookie-based logins (legitimate cookies typically show 200-500ms)

Run this PAN-OS CLI command to quickly identify cookie authentications: show log system subtype equal globalprotect direction equal backward | match "Cookie"
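The indicators above can be checked mechanically once the logs are exported. The triage script below is an added example, not Rapid7's or Palo Alto Networks' tooling; the CSV column layout and the four log rows are constructed for illustration (the real export format differs, so map the field names to your own), while the MAC address, hostnames, IP ranges and latency threshold are the ones listed in this section.

```python
import csv
import io
import ipaddress

# Constructed sample of gateway-auth events in a CSV-like layout. The column
# order is an ASSUMPTION for this example, not the real PAN-OS log schema.
SAMPLE_LOG = """\
time,auth_method,user,machine_name,client_mac,source_ip,latency_ms
2026-05-17T02:14:09Z,Cookie,admin,GP-CLIENT,aa:bb:cc:dd:ee:ff,104.207.144.154,1019
2026-05-17T09:30:11Z,SAML,jsmith,JSMITH-LT,3c:22:fb:10:aa:01,203.0.113.44,312
2026-05-21T03:02:45Z,Cookie,admin,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,146.19.216.120,78
2026-05-21T08:15:02Z,Cookie,mlee,MLEE-DESKTOP,64:1c:67:aa:bb:cc,198.51.100.9,240
"""

# Indicators taken from the detection list in the text.
SPOOFED_MAC = "aa:bb:cc:dd:ee:ff"
SUSPICIOUS_HOSTNAMES = {"GP-CLIENT", "DESKTOP-GP01"}
SUSPICIOUS_RANGES = [ipaddress.ip_network("104.207.144.0/24"),
                     ipaddress.ip_network("146.19.216.0/24")]
FAST_COOKIE_LATENCY_MS = 100  # forged cookie logins were observed below this


def score_event(row):
    """Return the list of indicator names matched by one log row."""
    hits = []
    if row["auth_method"].lower() == "cookie":
        hits.append("cookie-auth")
        try:
            if int(row["latency_ms"]) < FAST_COOKIE_LATENCY_MS:
                hits.append("fast-cookie-auth")
        except ValueError:
            pass  # malformed latency field: skip the timing check only
    if row["client_mac"].lower() == SPOOFED_MAC:
        hits.append("spoofed-mac")
    if row["machine_name"].upper() in SUSPICIOUS_HOSTNAMES:
        hits.append("generic-hostname")
    try:
        ip = ipaddress.ip_address(row["source_ip"])
        if any(ip in net for net in SUSPICIOUS_RANGES):
            hits.append("hosting-provider-ip")
    except ValueError:
        pass  # not a parseable address: no range match
    return hits


def triage(log_text, min_hits=2):
    """Return (time, user, hits) for rows matching at least min_hits indicators.

    A lone cookie login is expected whenever authentication override is
    enabled, so corroboration is required before an event is raised."""
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        hits = score_event(row)
        if len(hits) >= min_hits:
            alerts.append((row["time"], row["user"], hits))
    return alerts


if __name__ == "__main__":
    for when, user, hits in triage(SAMPLE_LOG):
        print(f"{when} user={user} indicators={','.join(hits)}")
```

Lower `min_hits` to 1 during an active investigation to list every cookie login for manual review.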

Critical 24-Hour Mitigations

If you cannot patch immediately, implement certificate isolation as your primary defense. Generate a new certificate exclusively for authentication override through Device > Certificate Management > Certificates > Generate. This breaks the attack chain even if authentication override remains enabled.

Deploy these emergency firewall rules at your perimeter:

  • Block inbound GlobalProtect traffic from hosting provider ASNs: AS20473 (Vultr), AS400304 (Dromatics Systems)
  • Restrict GlobalProtect portal access to known corporate IP ranges using security policy pre-rules
  • Enable geo-blocking for countries where you have no legitimate users - attackers often route through unexpected regions

Configure real-time alerting for anomalous authentication patterns. Set up custom log forwarding profiles that trigger on cookie authentication to non-service accounts, multiple failed attempts followed by successful cookie auth, or any authentication from the identified malicious IPs.

48-Hour Containment Strategy

If you detect compromise indicators, immediately revoke all active GlobalProtect sessions through Network > GlobalProtect > Gateway > Client Configuration. Force all users to re-authenticate with primary credentials, not cookies.

Implement compensating controls while planning your patch window. Enable Cloud Authentication Service (CAS) if available - Rapid7's analysis shows CAS-enabled configurations weren't successfully exploited. Configure step-up authentication requiring additional verification for high-privilege accounts accessing sensitive network segments.

Deploy enhanced monitoring at VPN termination points. Watch for lateral movement attempts from GlobalProtect IP pools, unusual SMB/RDP connections originating from VPN subnets, and data staging in locations accessible to VPN users. The two-customer subset where attackers obtained full VPN sessions represents your highest risk scenario - these environments need immediate network segmentation between VPN and critical assets.

Patch and Remediation Strategy: Long-Term Hardening

Palo Alto Networks has released patches across multiple PAN-OS versions, but your patching strategy needs careful orchestration to avoid service disruptions while closing the vulnerability window. The vendor's staggered release schedule means some versions received fixes earlier than others - understanding this timeline helps you prioritize which systems need immediate attention versus those that can wait for scheduled maintenance windows.

Start with PAN-OS 10.2 systems, as these represent the oldest vulnerable branch with patches available since version 10.2.7-h34. Organizations running versions below 10.2.7-h34 face the longest exposure window and should upgrade immediately to 10.2.18-h6 or later. These legacy systems often protect critical infrastructure that hasn't been migrated to newer platforms, making them prime targets for attackers who know organizations delay patching older equipment.

For environments running PAN-OS 11.1, the patching matrix becomes more complex with multiple maintenance releases addressing the vulnerability. Systems below 11.1.4-h33 need immediate patching, while those running intermediate versions like 11.1.6-h31 or 11.1.10-h24 remain vulnerable despite being newer releases. This fragmented patch availability means you can't assume newer maintenance releases are automatically protected - verify each system against the specific version thresholds: 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15 and above.
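Because a newer maintenance release is not automatically a fixed one, the check has to be made per maintenance release. The version gate below is an added example (not vendor tooling) that encodes only the thresholds this section and the 10.2 paragraph above state; it assumes version strings of the form major.minor.maintenance with an optional -hN hotfix suffix, and it reports "unknown" rather than "fixed" for any release the text does not list, which must then be checked against the vendor advisory.

```python
import re

# Fixed builds as given in the text for the 10.2 and 11.1 branches. These are
# reproduced from the article only; confirm them against the vendor advisory.
FIXED_HOTFIX = {
    (10, 2, 7): 34,   # 10.2.7-h34
    (10, 2, 18): 6,   # 10.2.18-h6
    (11, 1, 4): 33,   # 11.1.4-h33
    (11, 1, 6): 32,   # 11.1.6-h32
    (11, 1, 7): 6,    # 11.1.7-h6
    (11, 1, 10): 25,  # 11.1.10-h25
    (11, 1, 13): 5,   # 11.1.13-h5
}
# Maintenance release from which the whole branch is fixed ("11.1.15 and above").
FIXED_FROM = {(11, 1): 15}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse 'major.minor.maint[-hN]' into (major, minor, maint, hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(text):
    """Return 'fixed', 'vulnerable' or 'unknown' for one version string.

    'unknown' means the maintenance release is not in the list above; it is
    deliberately not reported as safe, because an unlisted release that is
    newer than a fixed one may still be vulnerable."""
    major, minor, maint, hotfix = parse_version(text)
    if (major, minor) in FIXED_FROM and maint >= FIXED_FROM[(major, minor)]:
        return "fixed"
    key = (major, minor, maint)
    if key in FIXED_HOTFIX:
        return "fixed" if hotfix >= FIXED_HOTFIX[key] else "vulnerable"
    return "unknown"


if __name__ == "__main__":
    # 10.2.8 is the release the text names for Rapid7's lab; it is unlisted here.
    for v in ["11.1.6-h31", "11.1.6-h32", "11.1.10-h24", "11.1.15",
              "11.1.8-h3", "10.2.7-h33", "10.2.8"]:
        print(f"{v:<12} {assess(v)}")
```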

Organizations with multiple GlobalProtect gateways should implement a phased rollout starting with non-production environments. Deploy patches to your test gateway first, monitoring for 24-48 hours to identify any authentication issues or VPN connectivity problems. Common post-patch issues include certificate validation errors when clients attempt to reconnect, requiring users to clear cached credentials and re-authenticate. Document these issues during test deployment to prepare your helpdesk for production rollout.

Production patching requires a wave approach based on user criticality and geographic distribution. Begin with gateways serving administrative or low-impact users, allowing you to identify problems before affecting revenue-generating operations. Schedule maintenance windows during off-peak hours for each geographic region, ensuring 24/7 operations maintain VPN access through alternate gateways. Configure your GlobalProtect clients to automatically fail over to backup gateways during maintenance, preventing complete access loss if patching encounters complications.

When immediate patching proves impossible due to change control processes or compatibility testing requirements, implement compensating controls to reduce exploitation risk. Generate new certificates exclusively for authentication override functionality, ensuring they differ from certificates used for HTTPS services. This breaks the attack chain by preventing attackers from discovering the public key needed to forge cookies. Deploy this certificate change during your next maintenance window as a temporary mitigation while awaiting full patching approval.

Network segmentation provides additional protection by limiting attacker movement if VPN authentication gets bypassed. Configure access control lists (ACLs) on GlobalProtect gateways to restrict VPN users to specific network segments based on user groups. Implement jump box requirements for administrative access, forcing even VPN-connected users through additional authentication before reaching sensitive systems. These architectural changes reduce the blast radius of successful exploitation while you complete patching.

Post-remediation validation requires both technical verification and security assessment. Run the forge_cookie.py proof-of-concept script against patched systems to confirm the vulnerability no longer exists. Review GlobalProtect logs for the past 30 days, searching for cookie authentication attempts from IP addresses associated with Vultr or Dromatics Systems hosting providers. Schedule penetration testing specifically targeting GlobalProtect authentication mechanisms, ensuring your patches effectively prevent cookie forgery attacks. These validation steps provide confidence that your remediation efforts successfully eliminated the vulnerability across your entire GlobalProtect infrastructure.

Threat Actor Profile and Exploitation Patterns

The threat actor behind the CVE-2026-0257 exploitation campaign demonstrates sophisticated operational security while maintaining a relatively simple attack pattern. Rapid7's analysis reveals a calculated approach that prioritizes stealth over speed, with attackers carefully testing authentication bypass capabilities before attempting full VPN connections.

The campaign originated from low-cost hosting providers - first Vultr, then Dromatics Systems - infrastructure choices that suggest either budget-conscious operations or deliberate obfuscation through commonly-abused services. These providers frequently appear in threat intelligence feeds as sources of sustained attack campaigns, making attribution challenging while providing plausible deniability.

What makes this actor particularly interesting is their restraint. Despite successfully forging authentication cookies across ten MDR customer environments, they only established VPN sessions in two cases. This selective engagement pattern suggests reconnaissance rather than immediate exploitation - the attackers appear to be cataloging vulnerable systems for future operations rather than rushing to compromise everything they find.

The consistent use of spoofed MAC address aa:bb:cc:dd:ee:ff across both exploitation waves provides the strongest attribution link. This static identifier, combined with generic machine names like GP-CLIENT for Linux systems and DESKTOP-GP01 for Windows authentications, reveals an attacker using automated tooling with minimal customization. They're running a standardized playbook rather than tailoring attacks to specific targets.

Exploitation velocity accelerated between the two observed waves. The initial May 17-18 campaign targeted the admin account exclusively, suggesting manual operation or cautious testing. By May 21, the actor had refined their approach, achieving faster authentication (78ms vs 1019ms latency) and successfully obtaining VPN IP assignments. This progression indicates active tool development and operational learning between campaigns.

The geographic and industry distribution of targeted organizations shows no clear pattern - Rapid7 observed exploitation across multiple verticals and regions. This spray-and-pray approach differs markedly from targeted ransomware operations or nation-state campaigns. You're equally likely to be targeted whether you're a financial services firm in New York or a manufacturing company in Ohio. The actor appears to be building an inventory of accessible networks rather than pursuing specific intelligence objectives.

Network behavior post-authentication reveals professional discipline. In the two environments where VPN sessions were established, the actor made no attempts at lateral movement, data exfiltration, or persistence establishment. This absence of follow-on activity could indicate several scenarios: the actor is selling access to other groups, conducting long-term reconnaissance for future campaigns, or testing exploitation capabilities before a larger operation.

The infrastructure fingerprints tell their own story. IP addresses 104.207.144.154, 146.19.216.119, 146.19.216.120, and 146.19.216.125 all trace back to virtual private servers, purchased with minimal verification and easily abandoned. This disposable infrastructure model matches patterns seen in access broker operations - threat actors who specialize in gaining initial access and selling it to ransomware operators or other criminal groups.

Current exploitation appears opportunistic rather than targeted, but this could change rapidly. The availability of Rapid7's proof-of-concept script means technical barriers to entry have collapsed. Any actor with basic Python knowledge can now identify and exploit vulnerable GlobalProtect instances, transforming what started as a sophisticated campaign into a potential free-for-all.

Compliance and Incident Reporting Considerations

The unauthorized VPN access enabled by CVE-2026-0257 creates immediate regulatory reporting obligations that extend far beyond technical remediation. When attackers establish legitimate-looking VPN connections through forged authentication cookies, they gain the same network access as your remote employees - triggering breach notification requirements across multiple regulatory frameworks.

Under GDPR Article 33, organizations must notify supervisory authorities within 72 hours of becoming aware that GlobalProtect authentication bypass resulted in potential access to EU personal data. The clock starts when your security team confirms suspicious cookie authentication in logs, not when you complete the investigation. Document the exact timestamp from logs showing entries like "Cookie,,admin" with spoofed MAC addresses aa:bb:cc:dd:ee:ff, as regulators will scrutinize your response timeline.

HIPAA breach notification requirements activate if attackers could have accessed electronic protected health information through the compromised VPN tunnel. The two customer environments where Rapid7 observed established VPN sessions represent potential HIPAA breaches requiring notification of affected individuals within 60 days and, for breaches affecting 500 or more individuals, reporting to HHS within the same 60-day window. Even without evidence of data exfiltration, the mere possibility of ePHI access through an unauthorized VPN connection constitutes a breach under HIPAA's "acquisition, access, use, or disclosure" standard.

For PCI-DSS compliance, any GlobalProtect gateway with access to cardholder data environments triggers immediate incident response procedures under Requirement 12.10. Organizations must notify their acquiring bank and card brands within 24 hours if the compromised VPN could reach payment card systems. The authentication logs showing connections from hosting providers Vultr and Dromatics Systems provide critical evidence for PCI forensic investigators determining scope.

SEC disclosure obligations under the new cybersecurity rules require public companies to assess materiality within four business days. VPN compromise affecting critical infrastructure, customer data access, or business operations likely meets the materiality threshold. Form 8-K Item 1.05 filing deadlines mean you have approximately 96 hours from discovery to determine if GlobalProtect exploitation creates material business impact.

Evidence preservation becomes critical for both regulatory compliance and potential litigation. Create forensic images of affected GlobalProtect appliances before applying patches, as remediation destroys attack artifacts. Export all logs from May 17-21, 2026, focusing on entries containing machine names GP-CLIENT and DESKTOP-GP01. Preserve tech support files showing CAS status and authentication override configuration - these prove your vulnerability state at exploitation time.

Your incident notification template should include: "On [date], we detected unauthorized authentication to our GlobalProtect VPN infrastructure using CVE-2026-0257. Initial analysis indicates connections originated from IP addresses 104.207.144.154 and 146.19.216.[119/120/125] between May 17-21, 2026. We are investigating whether unauthorized access to [specify systems accessible via VPN] occurred. Affected individuals will receive direct notification per regulatory requirements."

State breach notification laws add another layer with varying timelines - California requires "without unreasonable delay," while Florida mandates 30 days. The authentication bypass nature means you cannot claim encryption safe harbor provisions, as attackers obtained valid VPN access bypassing all security controls. Document which internal systems and databases were accessible from VPN IP ranges during the compromise window for accurate breach scope determination.
