Forged VPN Cookies, Real Network Access: PAN-OS CVE-2026-0257 Hits Its CISA KEV Deadline
A working VPN tunnel into the corporate network used to require a stolen credential or a phishing campaign that landed on a user with the right groups, yet CVE-2026-0257 has reduced that effort to forging an authentication override cookie against an internet-facing GlobalProtect portal. Palo Alto Networks describes the issue as an authentication bypass in the GlobalProtect portal and gateway of PAN-OS that lets a remote unauthenticated attacker establish a VPN connection whenever the appliance has the authentication override feature enabled and shares its associated certificate with another PAN-OS service such as the HTTPS portal, with a CVSS base score of 7.8 reflecting the combination of low attack complexity and the depth of the access the flaw grants. Rapid7 first observed exploitation in the wild on May 17, 2026 from Vultr-hosted infrastructure, followed by a second wave on May 21 from Dromatics Systems address space in which several victims received full VPN IP assignments as if the attackers were legitimate users. CISA pulled the deadline forward by adding CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on May 29, 2026 with a mandatory federal remediation date of June 1, which is the day this post is being published.
The trigger condition is what makes the bug both narrower than a typical pre-authentication remote code execution and more dangerous in practice once the conditions line up. Palo Alto's advisory makes clear that the authentication override feature only behaves dangerously when the certificate that signs override cookies is the same certificate that secures another PAN-OS service on the box, because the cryptographic separation that was supposed to keep an attacker from minting valid cookies collapses the moment that certificate is reused. The affected builds span PAN-OS 10.2.0 through 10.2.9, 11.0.0 through 11.0.4, and 11.1.0 through 11.1.2, with fixes shipped in 10.2.10, 11.0.5, and 11.1.3 and an additional set of hotfix builds covering 10.2.18-h6, 11.1.15, 11.2.12, 12.1.4-h6, and 12.1.7. Reporting from Bleeping Computer on the second exploitation wave notes that several organizations only realized they had been breached after auditing GlobalProtect session logs in the days following the KEV listing.
The detection and response gap
Catching this from the security operations side is harder than the technical description makes it sound, because the appliance itself records a perfectly successful VPN login the instant the forged cookie is accepted and then proceeds to treat the attacker as a legitimate user for everything that follows. There is no failed-authentication burst to alert on, no brute-force pattern to baseline against, and no malware on a managed endpoint for EDR to flag, since the entire intrusion takes place at the network edge between the attacker and a misconfigured certificate trust relationship that the appliance has no way to question on its own. The second exploitation wave that Rapid7 documented produced VPN tunnels with internal IP addresses, which means downstream controls had to treat the resulting traffic as ordinary employee VPN traffic unless someone had specifically built detections that compare assigned client IPs and session metadata against the user's expected geography and device fingerprint. Treat that absence of a loud signal as the lesson of this campaign, because the next CVE in this class will behave the same way and the team that already correlates VPN session metadata against endpoint telemetry will catch it on day one.
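The baseline comparison described above, as an added example that is not part of the original post or of BlueTeamAutomation's tooling: it scores GlobalProtect session records against each user's previously seen countries and device fingerprints, so a cookie-authenticated session that matches nothing in the baseline surfaces as the one to pivot on. The session records, the 30-day baselines, and the field names (including `auth_method`) are constructed assumptions, not the PAN-OS log schema.

```python
# Added example: flag VPN sessions whose source country or device fingerprint
# does not match the user's established baseline. Records below are constructed;
# field names are assumptions, not PAN-OS GlobalProtect log fields.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user: str
    src_ip: str
    src_country: str   # assumed GeoIP enrichment applied in the SIEM
    assigned_ip: str   # client IP handed out by the gateway after login
    device_id: str     # host fingerprint reported by the GlobalProtect client
    auth_method: str   # "cookie" = authentication override cookie accepted


# Constructed per-user baseline: countries and devices seen over the last 30 days.
BASELINE = {
    "alice": {"countries": {"US"}, "devices": {"dev-a1"}},
    "bob": {"countries": {"US", "CA"}, "devices": {"dev-b1", "dev-b2"}},
}

# Constructed sample sessions (documentation/test ranges, not real addresses).
SESSIONS = [
    Session("alice", "198.51.100.7", "US", "10.50.1.10", "dev-a1", "password"),
    Session("alice", "203.0.113.44", "NL", "10.50.1.11", "dev-zz", "cookie"),
    Session("bob", "192.0.2.9", "CA", "10.50.1.12", "dev-b2", "cookie"),
    Session("carol", "203.0.113.80", "RU", "10.50.1.13", "dev-c9", "cookie"),
]


def score_session(s, baseline):
    """Return the list of reasons a session deviates from the user's baseline."""
    reasons = []
    b = baseline.get(s.user)
    if b is None:
        reasons.append("no-baseline")
    else:
        if s.src_country not in b["countries"]:
            reasons.append("new-country")
        if s.device_id not in b["devices"]:
            reasons.append("new-device")
    # A session accepted on a cookie alone, from a device or location the user
    # has never used, is exactly the quiet "successful login" this flaw produces.
    if s.auth_method == "cookie" and reasons:
        reasons.append("cookie-auth-without-baseline-match")
    return reasons


def suspicious_sessions(sessions, baseline=BASELINE):
    """Return (assigned_ip, user, reasons) for sessions worth cross-referencing."""
    hits = []
    for s in sessions:
        reasons = score_session(s, baseline)
        if reasons:
            hits.append((s.assigned_ip, s.user, reasons))
    return hits
```

The assigned VPN IPs in the output are the pivot key for the internal-activity cross-reference the post recommends.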
Mapping the behavior to MITRE ATT&CK
Translating a vague sense of dread into detection coverage starts with naming the techniques the attacker actually used:
- T1190 Exploit Public-Facing Application: forging authentication override cookies against the internet-facing GlobalProtect portal to bypass the intended login flow entirely.
- T1133 External Remote Services: a legitimate VPN concentrator used as the attacker's foothold into the internal network rather than malware running on an endpoint.
- T1556 Modify Authentication Process: abusing the override feature so that the appliance issues a session without ever challenging the underlying identity.
- T1078 Valid Accounts: the assigned VPN session looks and logs like a real user from the moment it lands, so every downstream system trusts it as such.
- T1071.001 Web Protocols and T1090 Proxy: the resulting HTTPS-based VPN tunnel that the attacker then uses as a command channel and a pivot into internal services.
Operationalizing a response today
If your organization runs any internet-facing GlobalProtect portal or gateway, the only safe assumption on the KEV deadline itself is that the appliance has been probed and that you need to prove a clean state rather than guess at one. A practical sequence keeps the cleanup from sprawling:
- Inventory every PAN-OS device running GlobalProtect and confirm its build is not in the affected ranges of 10.2.0 through 10.2.9, 11.0.0 through 11.0.4, or 11.1.0 through 11.1.2, with patching to 10.2.10, 11.0.5, 11.1.3, or one of the hotfix builds listed in the Palo Alto advisory as the upgrade target.
- If patching has to wait for a maintenance window, disable authentication override cookies on every exposed gateway, or rotate the GlobalProtect certificate so it is no longer shared with the HTTPS portal or any other PAN-OS service, and reissue any cookies that depend on it.
- Audit GlobalProtect authentication logs back to May 17, 2026 for sessions whose source addresses do not match the user's usual geography, paying particular attention to the Vultr and Dromatics Systems ranges Rapid7 flagged in both waves of exploitation.
- Cross-reference every anomalous VPN IP assignment against subsequent internal activity from that address, because the attacker's whole purpose in establishing the tunnel is what they do after they are inside, and the lateral movement is the part you can still catch on endpoint, SIEM, and identity telemetry.
- Capture session metadata and packet captures while the evidence is still on the box, because forensic data on a VPN concentrator tends to roll over faster than most teams expect and this incident class is going to need exactly that material to close out cleanly.
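The inventory step above, as an added example that is not from the original post or from BlueTeamAutomation: it parses PAN-OS version strings (including `-hN` hotfix suffixes) and checks each device against the affected ranges and fix releases exactly as the post states them. The device inventory is constructed; treating a hotfix build that sits inside an affected range as still affected is a conservative assumption to confirm against the vendor advisory.

```python
# Added example: triage a constructed PAN-OS inventory against the affected
# ranges and fix releases quoted in the post for CVE-2026-0257.
import re

# (first affected, last affected, fixed release) per family, as stated in the post.
AFFECTED = [
    ((10, 2, 0), (10, 2, 9), "10.2.10"),
    ((11, 0, 0), (11, 0, 4), "11.0.5"),
    ((11, 1, 0), (11, 1, 2), "11.1.3"),
]

# Constructed inventory; hostnames and versions are illustrative only.
INVENTORY = {
    "fw-edge-1": "10.2.9-h1",
    "fw-edge-2": "11.1.3",
    "fw-dc-1": "11.0.4",
    "fw-lab": "12.1.7",
}


def parse_panos(version):
    """'11.1.2-h3' -> ((11, 1, 2), 3); hotfix number is 0 when absent."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    base = tuple(int(x) for x in m.group(1, 2, 3))
    return base, int(m.group(4) or 0)


def triage(version):
    """Return whether a build is in an affected range and the release to move to."""
    base, _hotfix = parse_panos(version)
    for low, high, fix in AFFECTED:
        # Assumption: a hotfix on an affected base (e.g. 10.2.9-h1) is still
        # treated as affected until the advisory says otherwise.
        if low <= base <= high:
            return {"version": version, "affected": True, "upgrade_to": fix}
    return {"version": version, "affected": False, "upgrade_to": None}


def devices_needing_patch(inventory=INVENTORY):
    """Map each affected device to the fixed release in its own family."""
    return {
        name: triage(ver)["upgrade_to"]
        for name, ver in inventory.items()
        if triage(ver)["affected"]
    }
```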
How BlueTeamAutomation closes the loop
Doing all of that by hand across every PAN-OS appliance, every VPN session, and every downstream control on the day of a CISA KEV deadline is the manual scramble that turns one bad advisory into a week of work. BlueTeamAutomation runs the full blue-team workflow against perimeter authentication abuse like CVE-2026-0257 on infrastructure you control, so the detections already exist before the next portal vulnerability lands:
- BAS validation. BASzy emulates the forged-cookie path end to end against your own GlobalProtect deployment in a controlled run, so you find out whether your authentication and session monitoring rules fire while it is still a drill instead of a real intrusion.
- EDR. On-device detection catches the lateral movement that follows a successful VPN tunnel, which is the signal that fires inside the network even when the perimeter has already accepted the attacker as a legitimate user.
- SIEM correlation. GlobalProtect session logs, identity telemetry, and internal traffic flows collapse into one timeline, so an unfamiliar source IP plus an unexpected VPN IP assignment plus an anomalous internal reach becomes a single correlated alert rather than three unrelated ones nobody pieces together.
- SOAR response. Automated playbooks revoke the offending session, force a certificate rotation on the affected appliance, and quarantine downstream activity tied to the assigned VPN IP within the minutes that decide how much network the attacker actually reaches.
- Compliance evidence. Every validation run, detection, and response action is captured as audit-ready evidence for SOC 2, ISO 27001, and the KEV remediation timelines federal and regulated customers expect you to meet.
The uncomfortable lesson from CVE-2026-0257 is that the boundary device you trust to keep attackers out has the same failure modes as the application servers behind it, and that a single shared certificate is enough to turn the VPN concentrator into the attacker's entry point rather than your perimeter. Continuous validation, local detection, and automated response are the controls that operate on the timescale a same-day KEV deadline actually demands, and they are what separates closing a forged-cookie tunnel on its first connection from explaining to leadership how an unauthenticated request became an internal network address.
Validate your perimeter against forged-session attacks
BASzy emulates real authentication bypass behavior against your VPN and identity stack so you find the detection gaps before an attacker turns a misconfigured certificate into an internal foothold.