PAN-OS GlobalProtect CVE-2026-0257 exploitation
Summary
CVE-2026-0257 is an authentication-bypass vulnerability in the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS. Palo Alto Networks says it has observed exploit attempts against unpatched devices that lack mitigations. CISA added the flaw to the Known Exploited Vulnerabilities catalog on 2026-05-29; Unit 42 published a 2026-06-09 threat brief confirming active exploitation by an unidentified actor attempting to access GlobalProtect; and Arctic Wolf later reported intrusions in which unauthorized VPN tunnel establishment was followed by Impacket-like SMB / NTLM reconnaissance.
The durable threat-intelligence point is remote-access boundary risk: an exposed GlobalProtect portal or gateway becomes an unauthenticated network entry path when authentication-override cookies are enabled together with the vulnerable certificate configuration.
Tags
- ops
- operations
- PAN-OS
- GlobalProtect
- Palo Alto Networks
- CVE-2026-0257
- active exploitation
- VPN
- authentication bypass
- edge appliance
- incident response
- KEV
- Impacket
- SMB
- NTLM
Why this matters
- GlobalProtect portals and gateways are internet-facing remote-access infrastructure for many enterprises.
- The vulnerable path is pre-authentication, network-reachable, low-complexity, and does not require user interaction.
- Successful exploitation can establish an unauthorized VPN connection, shifting the problem from perimeter exposure to internal-network access and identity/session review.
- CISA's 2026-05-29 KEV entry sets a 2026-06-01 remediation due date for covered federal agencies, indicating operational urgency even though public reporting reviewed here does not yet name a specific actor or malware payload.
- Arctic Wolf's follow-up moved this from an edge-only concern to a confirmed intrusion workflow in some environments: cookie-based GlobalProtect authentication, IPsec tunnel setup, then rapid internal SMB / NTLM discovery from VPN-assigned addresses.
Operational characteristics
- Affected component: PAN-OS GlobalProtect portal and gateway; Panorama and Cloud NGFW are not impacted according to Palo Alto Networks.
- Required exposure condition: GlobalProtect portal or gateway configured with authentication-override cookies enabled, plus the vulnerable certificate configuration described by the vendor.
- Exploit primitive: bypass security restrictions and establish an unauthorized VPN connection.
- Observed exploitation: Palo Alto Networks updated the advisory on 2026-05-29 and says it is aware of limited exploit attempts on unpatched PAN-OS devices without mitigations.
- Unit 42 threat brief: Unit 42 says the observed activity attempted GlobalProtect access through CVE-2026-0257, but did not identify post-access behavior or lateral movement at publication time; keep actor and malware attribution unset unless follow-up evidence appears.
- Observed outcome: Unit 42 says only a small portion of probed devices established VPN sessions and generated gateway-connected events, making successful connection logs the main triage pivot rather than malware telemetry.
- Arctic Wolf follow-up: Arctic Wolf observed a May 17-21 activity wave, then a larger wave beginning 2026-05-30 after public proof-of-concept release. The source infrastructure spanned VPS providers including DigitalOcean, The Constant Company, Hivelocity, Clouvider, BL Networks, M247, and Frantech Solutions.
- Targeting shape: Arctic Wolf described opportunistic activity across insurance, finance, manufacturing, education, engineering, and healthcare organizations in Europe and North America, with the heaviest concentration in the United States.
- Post-access behavior: In a subset of cases, successful VPN session establishment was followed within minutes by SMB session setup, NTLM negotiation, anonymous logon attempts, network share enumeration, and domain user discovery consistent with Impacket tooling. Arctic Wolf says it did not observe persistence or broader post-compromise operations in the cases it disrupted.
- Affected versions: multiple PAN-OS 10.2, 11.1, 11.2, and 12.1 trains below the fixed hotfix / maintenance versions listed in the vendor advisory; Prisma Access 10.2 and 11.2 customers are being upgraded on the vendor schedule.
Unit42 2026-06-09 pivots
- Pre-PoC source IP pivots: Unit 42 lists 23.128.228[.]6, 104.207.144[.]154, 146.19.216[.]119, 146.19.216[.]120, 146.19.216[.]125, 179.43.172[.]213, 185.195.232[.]139, 198.12.106[.]60, and 202.144.192[.]47 for pre-2026-05-29 GlobalProtect log review.
- Suspicious client identity pivots: Unit 42 recommends hunting successful gateway-connected events using suspicious host IDs or device names such as aa:bb:cc:dd:ee:ff, 00:11:22:33:44:55, WINDOWS-LAPTOP-001, DESKTOP-GP01, and GP-CLIENT.
Arctic Wolf 2026-06-12 pivots
- Exposure preconditions: Arctic Wolf summarizes the exploitable configuration as GlobalProtect portal or gateway enabled, authentication override cookies enabled, and the certificate used for authentication override cookies reused or exposed in another context.
- Authentication sequence: prioritize portal-prelogin success, gateway-prelogin success, portal-auth failure, saml-client-redirect, gateway-auth success, and portal-auth success combinations, especially when a "Cannot decrypt cookie" failure is followed quickly by successful cookie-based authentication.
- Tunnel establishment: triage successful portal-getconfig, gateway-getconfig, gateway-register, gateway-setup-ipsec, gateway-hip-check, and gateway-connected events; Arctic Wolf says the successful tunnels it reviewed used IPsec rather than SSL VPN.
- Client artifacts: hunt suspicious authentication or gateway-connected events from VPS / Tor / unusual geographies with device names such as GP-CLIENT, DESKTOP-GP01, or kali, and the spoofed MAC address aa:bb:cc:dd:ee:ff.
- Internal follow-on: for every suspicious gateway-connected event, map the VPN client IP to subsequent SMB, NTLM, anonymous logon, network-share enumeration, domain-user discovery, and Impacket-style activity within the first minutes after tunnel setup.
Defender heuristics
- Prioritize internet-exposed GlobalProtect portals and gateways, especially appliances where authentication override cookies are enabled.
- Upgrade to the fixed PAN-OS maintenance or hotfix releases listed by Palo Alto Networks; expect GlobalProtect users to re-authenticate after upgrade because the fix regenerates authentication-override cookies using a more secure method.
- If immediate upgrade is blocked, use a dedicated certificate exclusively for authentication-override cookies or disable authentication override on GlobalProtect portals and gateways.
- Preserve and review GlobalProtect, VPN, authentication, configuration-change, and management-plane logs around the exposure window before cleanup.
- Hunt for unusual successful VPN sessions, unexpected source geographies / ASNs, impossible travel, new internal discovery from VPN address pools, and access that does not line up with normal user MFA / device posture.
- Split review into pre-PoC and post-PoC windows: start with Unit 42's pre-2026-05-29 source IPs, then broaden to any successful gateway-connected event carrying generic host IDs or device names that do not match managed-fleet inventory.
- Treat confirmed exploit evidence as unauthorized remote access: rotate credentials and session material for affected identities, review internal access from VPN-assigned addresses, and check for follow-on persistence on reachable systems.
- Do not stop at the appliance logs. If gateway-connected is present, build a time-bounded network timeline from the assigned VPN address and prioritize SMB / NTLM traffic, domain-controller authentication, file-share enumeration, and administrator-account use.
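The Unit 42 pivots, the Arctic Wolf pivots, and the heuristics above describe one hunt: find successful gateway-connected events that carry a known pre-PoC source IP or a generic client identity, flag sources where a "Cannot decrypt cookie" failure is quickly followed by successful authentication, and then chase the VPN-assigned address into SMB traffic within the first minutes of the tunnel. The script below is an added example written for this page, not code from Palo Alto Networks, Unit 42, or Arctic Wolf. The log lines and SMB flow records are constructed, and the CSV field layout (timestamp, event, status, public IP, machine name, host ID, assigned private IP, error text) is an assumption chosen to keep the example self-contained; map the real GlobalProtect and NetFlow / firewall fields onto these columns before running it against production data. The IOC sets are the ones the page lists.

```python
"""Hunt GlobalProtect log lines for CVE-2026-0257 exploitation signals and
correlate suspicious tunnels with follow-on SMB traffic.

Added example for this page. The CSV layouts below are assumptions, not the
vendor's log schema; the sample rows are constructed.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Unit 42 pre-PoC source IPs as published (defanged); refanged for matching.
UNIT42_PRE_POC_IPS = {
    ip.replace("[.]", ".") for ip in (
        "23.128.228[.]6", "104.207.144[.]154", "146.19.216[.]119",
        "146.19.216[.]120", "146.19.216[.]125", "179.43.172[.]213",
        "185.195.232[.]139", "198.12.106[.]60", "202.144.192[.]47",
    )
}
# Generic client identities Unit 42 and Arctic Wolf recommend hunting for.
GENERIC_HOST_IDS = {"aa:bb:cc:dd:ee:ff", "00:11:22:33:44:55"}
GENERIC_DEVICE_NAMES = {"windows-laptop-001", "desktop-gp01", "gp-client", "kali"}
SUCCESSFUL_AUTH_EVENTS = {"portal-auth", "gateway-auth"}

# Assumed column order for the constructed GlobalProtect export and SMB flow export.
GP_FIELDS = ["ts", "event", "status", "public_ip", "machine_name", "host_id", "private_ip", "error"]
SMB_FIELDS = ["ts", "src_ip", "dst_ip", "dst_port"]

# Constructed sample data: one pre-PoC intrusion, one legitimate user, one post-PoC intrusion.
GP_LOG = """
2026-05-20T03:14:07Z,portal-prelogin,success,146.19.216.119,,,,
2026-05-20T03:14:08Z,portal-auth,failure,146.19.216.119,,,,Cannot decrypt cookie
2026-05-20T03:14:15Z,gateway-auth,success,146.19.216.119,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,,
2026-05-20T03:14:20Z,gateway-setup-ipsec,success,146.19.216.119,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,10.250.0.17,
2026-05-20T03:14:21Z,gateway-connected,success,146.19.216.119,DESKTOP-GP01,aa:bb:cc:dd:ee:ff,10.250.0.17,
2026-05-20T08:02:10Z,portal-prelogin,success,203.0.113.44,,,,
2026-05-20T08:02:14Z,gateway-auth,success,203.0.113.44,LT-JDOE-4421,3c:22:fb:11:0a:9e,,
2026-05-20T08:02:19Z,gateway-connected,success,203.0.113.44,LT-JDOE-4421,3c:22:fb:11:0a:9e,10.250.0.18,
2026-06-01T22:41:02Z,portal-auth,failure,198.51.100.9,,,,Cannot decrypt cookie
2026-06-01T22:41:09Z,gateway-auth,success,198.51.100.9,kali,00:11:22:33:44:55,,
2026-06-01T22:41:12Z,gateway-connected,success,198.51.100.9,kali,00:11:22:33:44:55,10.250.0.31,
"""
SMB_FLOWS = """
2026-05-20T03:16:02Z,10.250.0.17,10.10.1.5,445
2026-05-20T03:16:05Z,10.250.0.17,10.10.1.6,445
2026-05-20T09:30:00Z,10.250.0.18,10.10.1.5,445
2026-06-01T22:43:40Z,10.250.0.31,10.10.1.5,445
2026-06-01T22:55:00Z,10.250.0.31,10.10.1.7,445
"""


def parse_csv(text, fields):
    """Parse headerless CSV into dicts with a datetime 'ts', sorted by time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text.strip()), fieldnames=fields):
        row["ts"] = datetime.strptime(row["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return sorted(rows, key=lambda r: r["ts"])


def hunt(gp_rows, smb_rows, window=timedelta(minutes=10)):
    """Return {public_ip: {"reasons": set, "smb_targets": [dst_ip, ...]}}."""
    findings = defaultdict(lambda: {"reasons": set(), "smb_targets": []})
    by_src = defaultdict(list)
    for r in gp_rows:
        by_src[r["public_ip"]].append(r)

    # Arctic Wolf sequence: cookie decryption failure followed quickly by a successful auth.
    for src, rows in by_src.items():
        for i, r in enumerate(rows):
            if r["status"] != "failure" or "cannot decrypt cookie" not in (r["error"] or "").lower():
                continue
            for later in rows[i + 1:]:
                if later["ts"] - r["ts"] > window:
                    break
                if later["event"] in SUCCESSFUL_AUTH_EVENTS and later["status"] == "success":
                    findings[src]["reasons"].add("cookie-decrypt-failure-then-auth-success")
                    break

    # Successful tunnels from known pre-PoC IPs or with generic client identities,
    # then SMB from the VPN-assigned address within minutes of the tunnel coming up.
    for r in gp_rows:
        if r["event"] != "gateway-connected" or r["status"] != "success":
            continue
        src = r["public_ip"]
        if src in UNIT42_PRE_POC_IPS:
            findings[src]["reasons"].add("unit42-pre-poc-source-ip")
        if r["host_id"].lower() in GENERIC_HOST_IDS:
            findings[src]["reasons"].add("generic-host-id")
        if r["machine_name"].lower() in GENERIC_DEVICE_NAMES:
            findings[src]["reasons"].add("generic-device-name")
        if src in findings and r["private_ip"]:  # 'in' on a defaultdict does not create keys
            for f in smb_rows:
                if (f["src_ip"] == r["private_ip"] and f["dst_port"] == "445"
                        and timedelta(0) <= f["ts"] - r["ts"] <= window):
                    findings[src]["smb_targets"].append(f["dst_ip"])
    return dict(findings)


def run_hunt():
    return hunt(parse_csv(GP_LOG, GP_FIELDS), parse_csv(SMB_FLOWS, SMB_FIELDS))


if __name__ == "__main__":
    for src, f in run_hunt().items():
        print(src, sorted(f["reasons"]), "SMB targets:", f["smb_targets"])
```

The legitimate session from 203.0.113.44 never enters the findings, so its later SMB traffic is not reported; the post-PoC session from 198.51.100.9 is caught by the cookie-failure sequence and generic identity alone, which is the case the heuristics care about once the Unit 42 IP list no longer covers the source infrastructure. Widen `window` if your gateway and flow clocks are not synchronized, and treat every hit as an unauthorized remote-access event to be followed by credential rotation and a host review of the SMB targets.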
Related pages
- FortiClient EMS CVE-2026-35616 EKZ Infostealer campaign
- ConnectWise ScreenConnect exploitation wave
- LiteSpeed cPanel CVE-2026-48172 exploitation
Sources
- Palo Alto Networks advisory: https://security.paloaltonetworks.com/CVE-2026-0257
- Unit 42: https://unit42.paloaltonetworks.com/active-exploitation-of-pan-os-cve-2026-0257/
- Arctic Wolf Labs: https://arcticwolf.com/resources/blog/arctic-wolf-observes-increase-in-palo-alto-networks-globalprotect-authentication-bypass-exploitation-via-cve-2026-0257/
- CISA KEV: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
- CISA KEV catalog page: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-0257