May 31, 2026 · 6 min read
Palo Alto CVE-2026-0257: One Reused Certificate Bypasses VPN Auth
Rapid7 first observed mass exploitation of CVE-2026-0257 on May 17, 2026 from Vultr-hosted infrastructure. A second wave from Dromatics Systems followed on May 21. CISA added the bug to its KEV catalog on May 29 with a federal patch deadline of June 19. The decrypted authentication cookie in /usr/local/bin/gpsvc is never signature-checked.
Most VPN authentication bypasses involve a memory corruption bug or a forgotten endpoint. CVE-2026-0257 is neither. The bug is that PAN-OS GlobalProtect treats anything that decrypts as authentic: the override cookie is encrypted but never signed, so the code that accepts it has nothing to verify beyond a successful decryption. If a Palo Alto admin used the same certificate for the GlobalProtect portal's HTTPS service and for the authentication override feature, a default-looking deployment choice many shops actually pick, an attacker can pull the public key from the certificate every TLS handshake presents and forge a valid admin cookie. No password. No phishing. Just math.
Key Takeaways
- CVE-2026-0257 is an authentication bypass in PAN-OS GlobalProtect tracked as CVSS 7.8 that lets a remote attacker forge a valid authentication-override cookie when the same TLS certificate is used for the HTTPS service and the override feature.
- Palo Alto Networks pushed fixes across PAN-OS 10.2, 11.1, 11.2, 12.1, and Prisma Access. Admins can also mitigate by disabling the authentication override feature or assigning it a dedicated certificate.
- Rapid7 first observed exploitation across "numerous customers" on May 17, 2026 from Vultr-hosted attacker infrastructure. A second, more sophisticated wave originating from Dromatics Systems followed on May 21, with successful VPN session establishment on a subset of targets.
- CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities catalog on May 29, 2026, setting a federal patch deadline of June 19, 2026 under BOD 22-01.
- The root cause is in /usr/local/bin/gpsvc: the binary decrypts the override cookie but performs no signature verification on the decrypted content. Anything that decrypts cleanly is trusted.
What Is CVE-2026-0257?
CVE-2026-0257 is an authentication bypass affecting PAN-OS firewalls with the GlobalProtect portal or gateway configured, the authentication override feature enabled, and a specific certificate-sharing condition. Per Palo Alto Networks' security advisory, the issue is triggered "only when the certificate used to encrypt and decrypt these authentication override cookies is shared with another feature, such as the HTTPS service of the portal or gateway."
In practice, that condition is not exotic. Many GlobalProtect deployments reuse a single wildcard or multi-SAN certificate across several PAN-OS services for ease of management. CISA's KEV entry reads as broadly applicable, and the safe reading is the same: if you don't know whether your override certificate is shared with HTTPS, assume it is until you have verified otherwise.
Why Does Certificate Sharing Break Authentication?
The authentication-override feature lets PAN-OS issue an encrypted cookie that the user's client presents to re-authenticate without retyping credentials. Under the hood, the cookie is encrypted to the public key of whichever certificate the admin assigns to the feature. When the client presents it, the appliance decrypts it with the matching private key, reads the contents, and treats the decoded session attributes as authentic.
There are two gaps. First, the cookie is encrypted but not signed, which means decryption alone is being used as a proof of authenticity. Second, when the same certificate is used for HTTPS, the public key needed to encrypt a forged cookie is publicly readable—every TLS handshake hands it out, by design. An attacker who can connect to the appliance's HTTPS service can scrape the public key, encrypt their own session payload with it (including admin role attributes), and present the result as a valid override cookie. The appliance decrypts it successfully, reads "admin," and lets the attacker in.
Per Rapid7's analysis, the decryption logic lives in /usr/local/bin/gpsvc: "The decrypted content is then trusted implicitly, with no signature verification of any kind occurring after decryption." That single missing check is the bug.
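To make the two gaps concrete, here is an added model of the flawed check beside its hardened form. This is example code written for this article, not Palo Alto's gpsvc or its real cookie format: the appliance type, the JSON session payload, RSA-OAEP for the cookie encryption and RSA-PSS for the signature are all assumptions of the model. The attacker's only input is the public key a TLS handshake would hand out.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Session is what the appliance reads out of a cookie (constructed; not PAN-OS's real layout).
type Session struct {
	User string `json:"user"`
	Role string `json:"role"`
}

// Appliance models a portal whose TLS key pair is also the override-cookie key pair.
type Appliance struct {
	key *rsa.PrivateKey // the private half never leaves the box
}

// NewAppliance generates the key pair; the caller must check err before use.
func NewAppliance() (*Appliance, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Appliance{key: k}, err
}

// TLSPublicKey is what every HTTPS handshake hands to any client; with a shared
// certificate it is also the key the override cookie is encrypted to.
func (a *Appliance) TLSPublicKey() *rsa.PublicKey { return &a.key.PublicKey }

// sealWithPublicKey needs only the public key, so an attacker can run it too.
func sealWithPublicKey(pub *rsa.PublicKey, s Session) ([]byte, error) {
	plain, err := json.Marshal(s)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, plain, nil)
}

// IssueEncryptOnly mirrors the flawed design: the cookie is encrypted, never signed.
func (a *Appliance) IssueEncryptOnly(s Session) ([]byte, error) {
	return sealWithPublicKey(&a.key.PublicKey, s)
}

// AcceptEncryptOnly mirrors the flawed check: whatever decrypts is believed.
func (a *Appliance) AcceptEncryptOnly(cookie []byte) (Session, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, a.key, cookie, nil)
	if err != nil {
		return Session{}, err
	}
	var s Session
	if err := json.Unmarshal(plain, &s); err != nil {
		return Session{}, err
	}
	return s, nil // decryption succeeded, so the contents are trusted as-is
}

// IssueSigned is the hardened form: encrypt, then sign the ciphertext with the private key.
func (a *Appliance) IssueSigned(s Session) ([]byte, error) {
	ct, err := sealWithPublicKey(&a.key.PublicKey, s)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(ct)
	sig, err := rsa.SignPSS(rand.Reader, a.key, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return append(ct, sig...), nil
}

// AcceptSigned verifies the signature before it decrypts anything.
func (a *Appliance) AcceptSigned(cookie []byte) (Session, error) {
	sigLen := a.key.Size()
	if len(cookie) <= sigLen {
		return Session{}, fmt.Errorf("override cookie rejected: no room for a signature")
	}
	ct, sig := cookie[:len(cookie)-sigLen], cookie[len(cookie)-sigLen:]
	digest := sha256.Sum256(ct)
	if err := rsa.VerifyPSS(&a.key.PublicKey, crypto.SHA256, digest[:], sig, nil); err != nil {
		return Session{}, fmt.Errorf("override cookie rejected: %w", err)
	}
	return a.AcceptEncryptOnly(ct)
}

// ForgeCookie is the attacker's side: encrypt an admin payload to the exposed TLS public key.
func ForgeCookie(tlsPub *rsa.PublicKey) ([]byte, error) {
	return sealWithPublicKey(tlsPub, Session{User: "attacker", Role: "admin"})
}

func main() {
	box, _ := NewAppliance()
	forged, _ := ForgeCookie(box.TLSPublicKey())
	s, err := box.AcceptEncryptOnly(forged)
	fmt.Printf("encrypt-only check: %+v err=%v\n", s, err) // forged admin session, no error
	_, err = box.AcceptSigned(append(forged, make([]byte, box.key.Size())...)) // bogus signature tacked on
	fmt.Printf("signed check: %v\n", err) // rejected
}
```

Run it and the encrypt-only path returns the forged admin session without error, while the signed path rejects the same bytes. The signing key is the appliance's private key, so sharing the public certificate with HTTPS no longer matters; an HMAC under a secret that never leaves the appliance would close the gap just as well, because the property that counts is that the attacker cannot produce the tag, not that they cannot read the cookie.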
When Did Exploitation Start?
Rapid7's MDR team documented two clearly distinct waves:
- Wave 1, May 17-18, 2026. Mass scanning and exploitation from infrastructure hosted by Vultr. Attackers used forged cookies to authenticate as admin against numerous customer appliances. Rapid7 observed no lateral movement at this stage—suggesting the wave was either a capability test or a victim-enumeration sweep.
- Wave 2, May 21, 2026. A more disciplined operator working out of Dromatics Systems hosting. This wave established actual GlobalProtect VPN sessions on a subset of targets, putting the attacker inside the customer's network with a routable IP.
CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026, with a federal civilian executive branch patch deadline of June 19, 2026 under BOD 22-01.
How Do You Tell If You're Exposed?
Three checks, in order:
- Are you running an affected PAN-OS version? Anything below the fixed builds in 10.2, 11.1, 11.2, 12.1, or Prisma Access is presumed vulnerable until verified.
- Is the GlobalProtect authentication override feature enabled? If no, the bug does not apply.
- Is the certificate assigned to the override feature also the certificate fronting your HTTPS portal or gateway? If yes, you are exploitable now. The advisory's wording covers any other feature that shares the certificate, not only HTTPS, so treat a certificate shared with any externally reachable service the same way; only a certificate used for nothing else takes you out of scope.
The fastest mitigation if you can't patch this week is to assign a dedicated certificate to the override feature—one that is not used by HTTPS, IPSec, or any other service whose public key is readable from outside. The slower mitigation is to disable authentication override entirely; users will be prompted to reauthenticate more often, but the attack vector goes away.
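The three checks above can be scripted against an exported running configuration. The audit below is an added example written for this article, not a Palo Alto tool. The XML element names it expects (ssl-tls-service-profile, authentication-override, cookie-encrypt-decrypt-cert and the rest) follow the shape this example assumes for a PAN-OS export, and the sample configuration is constructed. It goes one step beyond check 3 by comparing the override certificate against every SSL/TLS service profile on the box rather than just the portal's, so a certificate shared with a gateway or any other HTTPS service is flagged too.

```go
package main

import (
	"encoding/xml"
	"fmt"
)

// These structs follow the shape this example assumes for a PAN-OS XML configuration
// export; check the element paths against your own export before trusting a clean result.
type Config struct {
	TLSProfiles []TLSProfile `xml:"ssl-tls-service-profile>entry"`
	Portals     []Portal     `xml:"global-protect>global-protect-portal>entry"`
}
type TLSProfile struct {
	Name string `xml:"name,attr"`
	Cert string `xml:"certificate"`
}
type Portal struct {
	Name   string  `xml:"name,attr"`
	Agents []Agent `xml:"client-config>configs>entry"`
}
// Agent is one client config with its authentication-override settings.
type Agent struct {
	Name           string `xml:"name,attr"`
	GenerateCookie string `xml:"authentication-override>generate-cookie"`
	AcceptCookie   string `xml:"authentication-override>accept-cookie"`
	CookieCert     string `xml:"authentication-override>cookie-encrypt-decrypt-cert"`
}

// Finding is an enabled override config whose cookie certificate also serves TLS.
type Finding struct {
	Portal, Agent, Cert string
	TLSProfiles         []string // every SSL/TLS service profile presenting that certificate
}

// Audit flags each enabled authentication-override config whose certificate is also
// assigned to any SSL/TLS service profile on the box (portal, gateway or otherwise).
func Audit(exported []byte) ([]Finding, error) {
	var cfg Config
	if err := xml.Unmarshal(exported, &cfg); err != nil {
		return nil, err
	}
	servedBy := map[string][]string{} // certificate name -> TLS profiles that present it
	for _, p := range cfg.TLSProfiles {
		servedBy[p.Cert] = append(servedBy[p.Cert], p.Name)
	}
	var findings []Finding
	for _, portal := range cfg.Portals {
		for _, ag := range portal.Agents {
			if ag.GenerateCookie != "yes" && ag.AcceptCookie != "yes" {
				continue // override feature off for this config: the bug does not apply
			}
			if profiles, shared := servedBy[ag.CookieCert]; shared {
				findings = append(findings, Finding{Portal: portal.Name, Agent: ag.Name, Cert: ag.CookieCert, TLSProfiles: profiles})
			}
		}
	}
	return findings, nil
}

// SampleConfig is a constructed export: one config shares the wildcard certificate
// between TLS and the override cookie, one uses a dedicated cookie certificate,
// and one has the override feature switched off.
const SampleConfig = `<config>
  <ssl-tls-service-profile>
    <entry name="portal-tls"><certificate>wildcard-corp</certificate></entry>
    <entry name="gateway-tls"><certificate>wildcard-corp</certificate></entry>
  </ssl-tls-service-profile>
  <global-protect><global-protect-portal><entry name="vpn-portal">
    <client-config><configs>
      <entry name="shared-cert"><authentication-override>
        <generate-cookie>yes</generate-cookie><accept-cookie>yes</accept-cookie>
        <cookie-encrypt-decrypt-cert>wildcard-corp</cookie-encrypt-decrypt-cert>
      </authentication-override></entry>
      <entry name="dedicated-cert"><authentication-override>
        <generate-cookie>yes</generate-cookie><accept-cookie>yes</accept-cookie>
        <cookie-encrypt-decrypt-cert>gp-cookie-only</cookie-encrypt-decrypt-cert>
      </authentication-override></entry>
      <entry name="override-off"><authentication-override>
        <generate-cookie>no</generate-cookie><accept-cookie>no</accept-cookie>
        <cookie-encrypt-decrypt-cert>wildcard-corp</cookie-encrypt-decrypt-cert>
      </authentication-override></entry>
    </configs></client-config>
  </entry></global-protect-portal></global-protect>
</config>`

func main() {
	findings, err := Audit([]byte(SampleConfig))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("EXPOSED: portal %q config %q: cookie cert %q also serves TLS via %v\n",
			f.Portal, f.Agent, f.Cert, f.TLSProfiles)
	}
}
```

Verify the element paths against your own export before trusting an empty result, and note that the audit only sees certificates referenced through SSL/TLS service profiles; a certificate also assigned directly to another feature, such as an IPSec/IKE gateway, needs a separate check. An independent check from the outside is to fetch the certificate the portal serves on 443 and compare its public key with the override certificate's: if they match, you are exposed regardless of what the configuration says.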
What Should Defenders Do Once Inside?
The Wave 2 operator established actual VPN sessions, which means hunting on the inside is now in scope. Three things to look at:
- GlobalProtect connection logs for sessions originating from Vultr (AS20473) or Dromatics Systems infrastructure across the May 17-29 window. Per Rapid7's published IoCs, the source IPs cluster into ranges rather than single addresses, so match on the published ranges and ASNs rather than on exact IPs.
- Successful GlobalProtect logins that were satisfied by an override cookie rather than by interactive credentials, especially for admin-tier accounts logging in from new geographies.
- Lateral movement attempts immediately after a VPN session establishment—SMB scans, RDP attempts against the management VLAN, or Active Directory enumeration. Rapid7 didn't see successful lateral movement in their MDR sample, but absence of observation is not absence of activity.
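The three hunts above, run over constructed sample data, as an added example that is not part of Rapid7's or Palo Alto's tooling. The login and flow layouts are this example's own stand-ins for a GlobalProtect log export and a traffic log, the flagged prefix is a placeholder where the published IoC ranges belong, and the admin list, management VLAN and port set are assumptions about the environment.

```go
package main

import (
	"fmt"
	"net/netip"
	"time"
)

// Login is one GlobalProtect authentication; Flow is one traffic record. Both layouts
// are this example's own, constructed to stand in for a log export.
type Login struct {
	At       time.Time
	User     string
	Src, Tun netip.Addr // client public address, address assigned inside the tunnel
	Auth     string     // "cookie" when an override cookie satisfied the login
}
type Flow struct {
	At       time.Time
	Src, Dst netip.Addr
	Port     string
}

// Hit is a login with every reason it deserves a look.
type Hit struct {
	Login   Login
	Reasons []string
}

// Hunt applies three checks to each login: source inside a flagged range, an admin
// account authenticated by override cookie, and lateral-movement ports reached from
// its tunnel address within `window` of the login.
func Hunt(logins []Login, flows []Flow, flagged []netip.Prefix, admins map[string]bool,
	mgmt netip.Prefix, lateralPorts map[string]bool, window time.Duration) []Hit {
	var hits []Hit
	for _, l := range logins {
		var why []string
		for _, p := range flagged {
			if p.Contains(l.Src) {
				why = append(why, fmt.Sprintf("source %s in flagged range %s", l.Src, p))
			}
		}
		if l.Auth == "cookie" && admins[l.User] {
			why = append(why, "admin-tier account authenticated by override cookie")
		}
		for _, f := range flows {
			dt := f.At.Sub(l.At)
			if f.Src == l.Tun && mgmt.Contains(f.Dst) && lateralPorts[f.Port] && dt >= 0 && dt <= window {
				why = append(why, fmt.Sprintf("tunnel %s reached %s:%s %s after login", l.Tun, f.Dst, f.Port, dt))
			}
		}
		if len(why) > 0 {
			hits = append(hits, Hit{Login: l, Reasons: why})
		}
	}
	return hits
}

// Helpers for the constructed data below; the literals are known-good, so errors are ignored.
func ts(s string) time.Time { t, _ := time.Parse(time.RFC3339, s); return t }
func ip(s string) netip.Addr { return netip.MustParseAddr(s) }

var SampleLogins = []Login{
	{ts("2026-05-21T03:10:05Z"), "svc-backup", ip("203.0.113.7"), ip("10.200.0.14"), "cookie"},
	{ts("2026-05-21T03:12:40Z"), "jsmith", ip("198.51.100.9"), ip("10.200.0.15"), "password"},
	{ts("2026-05-21T09:30:00Z"), "admin-ops", ip("192.0.2.44"), ip("10.200.0.16"), "cookie"},
}
var SampleFlows = []Flow{
	{ts("2026-05-21T03:11:12Z"), ip("10.200.0.14"), ip("10.10.1.5"), "445"},
	{ts("2026-05-21T03:13:02Z"), ip("10.200.0.14"), ip("10.10.1.6"), "3389"},
	{ts("2026-05-21T03:20:00Z"), ip("10.200.0.15"), ip("10.10.1.20"), "443"},
	{ts("2026-05-21T11:00:00Z"), ip("10.200.0.16"), ip("10.10.1.5"), "445"},
}
// Placeholders: substitute the published IoC ranges and your own environment's values.
var (
	Flagged      = []netip.Prefix{netip.MustParsePrefix("203.0.113.0/24")}
	Admins       = map[string]bool{"admin-ops": true}
	MgmtVLAN     = netip.MustParsePrefix("10.10.1.0/24")
	LateralPorts = map[string]bool{"135": true, "389": true, "445": true, "3389": true}
)

func main() {
	for _, h := range Hunt(SampleLogins, SampleFlows, Flagged, Admins, MgmtVLAN, LateralPorts, 10*time.Minute) {
		fmt.Printf("%s %s from %s:\n", h.Login.At.Format(time.RFC3339), h.Login.User, h.Login.Src)
		for _, r := range h.Reasons {
			fmt.Println("  -", r)
		}
	}
}
```

On the sample data the first login is flagged three times (source range, then SMB and RDP probes into the management VLAN within minutes of connecting) and the third once (admin via cookie; its SMB flow is ninety minutes later, outside the window). The lateral check keys on the tunnel address, so if your address pool recycles quickly, bound each login by its logout time as well, or the next user of that address inherits the previous session's flows.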
A compromised GlobalProtect session is the kind of access that spear-phishing campaigns build on. Once inside a corporate VPN, an attacker can harvest the corporate address book, run targeted phishing against Exchange or Microsoft 365 from a privileged network position, and replay stolen cookies against SaaS tenants. Email-side tracking pixels become an enumeration tool the moment an attacker has the address book; Gblock strips those pixels in Gmail, so any subsequent phishing wave loses the open-rate signal that tells the operator which lures land.
What Does This Have in Common With Recent VPN Exploits?
The pattern repeats. Edge VPN appliances—Cisco, Fortinet, SonicWall, Ivanti, and now Palo Alto—have become the highest-value pre-auth attack surface in the enterprise. The SonicWall CVE-2024-12802 incomplete-patch issue let attackers bypass MFA with 13 brute-force attempts in under 30 minutes. The Cisco SD-WAN CVE-2026-20182 auth bypass exploited by UAT-8616 hit federal agencies in May. CVE-2026-0257 is the third high-impact VPN authentication bypass in a 30-day window.
The common thread is not Palo Alto. It is the trust placed in a single device that sits in front of every internal service. When the cookie-validation code on that device skips a signature check, the entire enterprise is one curl request away from a logged-in attacker.
What Happens Next?
Two near-term outcomes. Patch coverage will climb through June 19, the federal KEV deadline; private-sector compliance with KEV deadlines typically lags by 30 to 60 days. Expect a second exploitation curve as attackers pivot from the small initial-access wave to volume targeting of unpatched private-sector instances.
Longer-term, the missing signature check in gpsvc is going to draw scrutiny. Implicit trust in decrypted-only payloads is a known anti-pattern, and security teams reviewing other PAN-OS subsystems are going to ask whether the same shortcut exists elsewhere. The answer is rarely just one place.