Palo Alto PAN-OS Authentication Bypass
Summary
A critical authentication bypass vulnerability, CVE-2026-0257, has been identified in Palo Alto Networks PAN-OS, specifically affecting the GlobalProtect portal and gateway. It allows remote, unauthenticated attackers to forge authentication override cookies and establish VPN sessions without valid credentials. The flaw is actively exploited in the wild, a proof of concept is publicly available, and it has been added to the CISA Known Exploited Vulnerabilities catalog.
Affected Systems and/or Applications
- Palo Alto Networks PAN-OS: Versions affected include PAN-OS 12.1, 11.2, 11.1, and 10.2, with specific sub-versions detailed in the vendor advisory.
- Prisma Access: Versions 10.2 and 11.2 are also affected.
- Systems with the "Authentication Override" feature enabled in the GlobalProtect portal or gateway are vulnerable; the flaw is exploitable when the certificate used for the override cookies is shared with another service, in particular the portal or gateway HTTPS service.
Technical Details
The vulnerability arises from how authentication override cookies, which let a client skip re-authentication, are protected. The cookies are encrypted to a certificate configured on the portal or gateway, and the decrypted content is trusted without any signature verification. If that certificate is also used for another service, such as the HTTPS service of the portal or gateway, its public key is presented in every TLS handshake, and an attacker can use it to encrypt a cookie of their own choosing that the device will decrypt and accept. The result is an unauthorized VPN session and potential access to internal network resources.
Vulnerability Mechanism
- Certificate Misconfiguration: The flaw becomes exploitable when the same certificate serves both the GlobalProtect portal/gateway HTTPS service and the encryption of authentication override cookies. Because the server presents that certificate in every TLS handshake, any client can recover its public key.
- Cookie Processing: The portal or gateway handles an incoming override cookie in three steps:
  - Base64 Decoding: The incoming cookie is base64 decoded.
  - Decryption: The decoded bytes are decrypted with the private key of the configured certificate.
  - Implicit Trust: The decrypted content is trusted as-is, with no signature or integrity check, so whatever values it contains are accepted.
- Cookie Forgery: Since nothing but the public key is needed to produce ciphertext that the private key decrypts, an attacker reverses the steps above: build the cookie content, encrypt it with the public key extracted from the handshake, and base64 encode the result.
- Exploitation: The attacker presents the forged cookie to the portal or gateway, which accepts it in place of credentials and establishes a VPN session.
Mitigation
- Patch: Upgrade to the latest PAN-OS versions as specified in the vendor advisory to mitigate the vulnerability.
- Temporary Mitigations:
  - Disable the "Authentication Override" feature in the GlobalProtect portal and gateway settings.
  - Where the feature cannot be disabled, generate a dedicated certificate used only for authentication override cookies and make sure it is not shared with any other service, in particular the portal or gateway HTTPS service.
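To make the cookie-processing flaw and the second mitigation concrete, here is an added Go model. It is not code from the page, the vendor advisory or the Rapid7 analysis, and it does not reproduce PAN-OS's real cookie format: it assumes a JSON cookie body sealed with RSA-OAEP, and the names Gateway, NewGateway, Login, IssueCookie and ForgeCookie are chosen for the example. A cookie encrypted to the public key taken from the TLS handshake is accepted when the certificate is shared and the plaintext is trusted blindly; the same gateway rejects it once an HMAC under a device-only secret is checked (the integrity check the page says is missing), and a gateway with a dedicated cookie key pair cannot even decrypt it.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Cookie is a constructed, hypothetical override-cookie body; the real PAN-OS
// layout is not given on this page. MAC is only checked by the hardened path.
type Cookie struct {
	User string `json:"user"`
	MAC  string `json:"mac,omitempty"`
}

// Gateway models a GlobalProtect gateway: tlsKey backs the HTTPS certificate, cookieKey
// decrypts override cookies (the same key when shared, as described), macSecret stays on the device.
type Gateway struct {
	tlsKey, cookieKey *rsa.PrivateKey
	macSecret         []byte
}

func NewGateway(sharedCert bool) (*Gateway, error) {
	tlsKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	cookieKey := tlsKey
	if !sharedCert { // mitigation 2: a dedicated key pair for the override feature
		if cookieKey, err = rsa.GenerateKey(rand.Reader, 2048); err != nil {
			return nil, err
		}
	}
	secret := make([]byte, 32)
	rand.Read(secret) // crypto/rand.Read is documented never to fail (Go 1.24+)
	return &Gateway{tlsKey: tlsKey, cookieKey: cookieKey, macSecret: secret}, nil
}

// ServedPublicKey is what the certificate in the TLS handshake gives any client.
func (g *Gateway) ServedPublicKey() *rsa.PublicKey { return &g.tlsKey.PublicKey }

func (g *Gateway) mac(user string) string {
	m := hmac.New(sha256.New, g.macSecret)
	m.Write([]byte(user))
	return base64.StdEncoding.EncodeToString(m.Sum(nil))
}

// Login follows the page's steps (base64 decode, RSA decrypt, trust the plaintext);
// checkMAC adds the missing integrity check, so the public key alone is not enough.
func (g *Gateway) Login(cookie string, checkMAC bool) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(cookie)
	if err != nil {
		return "", err
	}
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, g.cookieKey, raw, nil)
	if err != nil {
		return "", err
	}
	var c Cookie
	if err := json.Unmarshal(plain, &c); err != nil {
		return "", err
	}
	if checkMAC && !hmac.Equal([]byte(c.MAC), []byte(g.mac(c.User))) {
		return "", fmt.Errorf("cookie integrity check failed")
	}
	return c.User, nil
}

// IssueCookie is legitimate issuance after a full credential login.
func (g *Gateway) IssueCookie(user string) (string, error) {
	return seal(&g.cookieKey.PublicKey, &Cookie{User: user, MAC: g.mac(user)})
}

// ForgeCookie needs nothing but the public key taken from the TLS handshake.
func ForgeCookie(pub *rsa.PublicKey, user string) (string, error) {
	return seal(pub, &Cookie{User: user})
}

// seal is the inverse of the gateway's decode path: JSON, RSA-OAEP, base64.
func seal(pub *rsa.PublicKey, c *Cookie) (string, error) {
	plain, _ := json.Marshal(c) // a struct of two strings cannot fail to marshal
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(ct), nil
}

func main() {
	gw, _ := NewGateway(true)
	forged, _ := ForgeCookie(gw.ServedPublicKey(), "admin")
	fmt.Println(gw.Login(forged, false)) // admin <nil>
	fmt.Println(gw.Login(forged, true))  // (empty user) cookie integrity check failed
}
```

The HMAC is one way to add the missing integrity check; a signature under a key the attacker cannot obtain works the same way. The point the model makes is that public-key encryption alone gives confidentiality, not authenticity: anyone who can see the certificate can produce ciphertext the device will decrypt, so the cookie must also carry something only the device can compute.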
References
- Vendor Advisory: Palo Alto Networks CVE-2026-0257
- Technical Analysis: Rapid7 Blog on CVE-2026-0257
- Proof of Concept: GitHub Repository