On 31 May 2026, the Cyber Security Agency of Singapore (CSA) issued an alert urging organisations to immediately patch CVE-2026-0257, an authentication-bypass vulnerability in the GlobalProtect portal and gateway of Palo Alto Networks' PAN-OS firewall software and its cloud-delivered Prisma Access service. CSA says the flaw is "being actively exploited in the wild," and warns that successful exploitation lets a remote, unauthenticated attacker bypass security controls and stand up an unauthorised VPN connection into a target network. Palo Alto Networks first published its advisory on 13 May 2026 and updated it on 29 May; the same day, the bug was added to the U.S. CISA Known Exploited Vulnerabilities catalog.
This one matters because the affected component is the front door. GlobalProtect is the remote-access VPN sitting on the public edge of large enterprise and government networks across the region. An authentication bypass there is not a lateral-movement problem you contain later — it is the initial access.
How the bypass actually works
The vector is a feature called authentication override. It lets a GlobalProtect portal or gateway hand an already-authenticated user a cookie that stands in for re-entering credentials on later requests — effectively a bearer token. Rapid7, whose managed-detection team investigated the live attacks, stresses that this is not switched on by default, so estates that never enabled it are not exposed to this particular issue.
The defect is in how that cookie is trusted. Palo Alto classifies the issue under CWE-565, the weakness class covering reliance on cookies without integrity checking. Rapid7's reverse-engineering of the GlobalProtect service found that the appliance decrypts an incoming cookie and then accepts it — in their description, the decrypted content "is then trusted implicitly, with no signature verification of any kind." Nothing proves the cookie was actually issued by the server; it only has to decrypt cleanly.
That gap turns dangerous through a certificate-handling mistake. The override cookie is encrypted and decrypted using a certificate, and exposure appears when that same certificate is reused for the portal or gateway's public-facing HTTPS service. In that situation, Rapid7 explains, an unauthenticated attacker can read the certificate's public key straight off the appliance's TLS service and use it to forge a valid-looking override cookie for any user — including an administrator — and authenticate as them. Rapid7 Labs went on to publish a proof-of-concept script that forges a cookie from each certificate in an appliance's chain and reports which one the gateway accepts.
So two preconditions must both hold for an appliance to be exposed: authentication override is enabled, and the certificate used for those cookies is shared with another feature such as the HTTPS service. If override has never been turned on, this issue does not apply to you.
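To make the CWE-565 pattern concrete, here is an added Python example (not Palo Alto's code, and it does not reproduce GlobalProtect's certificate-based cookie encryption): the weak acceptor trusts any cookie that decodes to well-formed JSON, while the hardened one recomputes an HMAC under a secret held only by the server, which is the same key-separation idea as the dedicated-certificate mitigation. COOKIE_SECRET, issue_cookie and the cookie layout are assumptions.

```python
import base64, hashlib, hmac, json, secrets, time
from typing import Optional

# Hypothetical server-only secret for override cookies; like the dedicated
# certificate mitigation, it exists for this one purpose and is never exposed.
COOKIE_SECRET = secrets.token_bytes(32)
COOKIE_TTL = 3600  # seconds

def b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_cookie(user: str, now: Optional[float] = None) -> str:
    """Mint a cookie: JSON payload plus an HMAC tag under the server secret."""
    exp = int((now if now is not None else time.time()) + COOKIE_TTL)
    payload = json.dumps({"user": user, "exp": exp}).encode()
    tag = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).digest()
    return b64e(payload) + "." + b64e(tag)

def accept_unsigned(cookie: str) -> Optional[str]:
    """CWE-565 pattern: whatever decodes to well-formed JSON is trusted,
    so nothing proves the server issued this cookie."""
    try:
        return json.loads(b64d(cookie.split(".")[0]))["user"]
    except (ValueError, KeyError, TypeError):
        return None

def accept_verified(cookie: str, now: Optional[float] = None) -> Optional[str]:
    """Hardened: recompute the tag, compare in constant time, enforce expiry,
    and only then read any field out of the payload."""
    try:
        payload, tag = (b64d(part) for part in cookie.split("."))
    except ValueError:
        return None
    expected = hmac.new(COOKIE_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    data = json.loads(payload)
    if data.get("exp", 0) < (now if now is not None else time.time()):
        return None
    return data["user"]

def rewrite_user_field(cookie: str, new_user: str) -> str:
    """Test helper: change the user in an issued cookie but keep its old tag,
    to confirm the verified path rejects a modified cookie."""
    payload_b64, tag_b64 = cookie.split(".")
    data = json.loads(b64d(payload_b64))
    data["user"] = new_user
    return b64e(json.dumps(data).encode()) + "." + tag_b64
```

The unsigned path is exactly what the page describes: a cookie only has to be well-formed to be believed, while the verified path cannot be satisfied by anything derived from public material.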
Two scores, one bug: read the severity carefully
The headline numbers do not agree, and the disagreement is the story. CSA rates CVE-2026-0257 at 9.1 out of 10 on the CVSS v3.1 scale — critical. Palo Alto's own advisory marks it HIGH, with a CVSS 4.0 base score of 7.8 and a suggested urgency of "highest." Rapid7 supplies the missing context: the CVE was first published with a CVSS 4.0 score of just 4.7 (medium), and the vendor later raised it to 7.8 to push customers to patch with maximum urgency.
These are different scoring frameworks measuring the same flaw, so the spread between 7.8 and 9.1 is expected rather than contradictory. The practical takeaway is the one all three bodies converge on: treat it as urgent. Rapid7 is explicit that, whatever the calculator says, organisations should handle it as a critical vulnerability. When the number moves and a national CERT scores a bug higher than the vendor does, the prudent reading is the higher one.
The exploitation language splits the same way. Palo Alto's advisory describes only "limited exploit attempts on unpatched PAN-OS devices without mitigations applied." CSA calls it active exploitation in the wild. Rapid7 reports the strongest version from its own telemetry — successful exploitation across numerous customers.
What the in-the-wild attacks looked like
Rapid7's account is the most detailed public record of the activity. Its team saw the earliest exploitation on 17 May 2026, followed by a second wave on 21 May. A consistent — and spoofed — MAC address across both bursts led Rapid7 to assess them as likely the work of a single threat actor, with each wave launched from a different low-cost hosting provider.
The outcomes were mixed. In the second wave, the attacker received a VPN IP assignment after the forged-cookie login, gaining access to the internal network. But most intrusions stalled earlier: Rapid7 says that in eight of ten affected managed-detection customers the appliance accepted the forged cookie without a full VPN session being established, and across its monitored estate it saw no sign of successful lateral movement off the devices. Reassuring as far as it goes — but an edge VPN bypass that sometimes yields full internal access is not something to leave open while you work out whether you were one of the lucky eight.
CISA's addition of the CVE to its Known Exploited Vulnerabilities list set a hard deadline for U.S. federal civilian agencies to remediate by 1 June 2026, as reported by The Hacker News. A KEV listing is a useful external signal even for organisations outside the United States: it means exploitation is confirmed, not theoretical.
What ASEAN teams running GlobalProtect should do now
CSA flagging this to Singapore organisations — and scoring it critical — is the regional cue worth acting on. PAN-OS and Prisma Access are widely deployed across banks, government agencies and large enterprises in the region, and edge VPNs are a perennial target for access brokers. If you run GlobalProtect, work through this in order:
Check whether you are even exposed. Confirm whether authentication override is enabled on your portal or gateway, and whether the override cookie's certificate is shared with any other feature. If override is off, your urgency drops sharply.
Patch. Palo Alto has shipped fixed releases across the PAN-OS 10.2, 11.1, 11.2 and 12.1 trains and for Prisma Access 10.2 and 11.2. Match your exact running version to the vendor advisory's fix table rather than guessing — the safe target differs by maintenance branch. Panorama and Cloud NGFW are not affected.
If you cannot patch immediately, mitigate. CSA and the vendor offer two interim options: generate a dedicated certificate used solely for authentication-override cookies, or disable authentication override entirely until you can upgrade.
Hunt for what may already have happened. Review GlobalProtect authentication logs for cookie-based logins to local or admin accounts from unfamiliar hosting-provider IP space, and treat any VPN IP assignment following such a login as a likely compromise pending investigation.
One operational footnote: after patching, GlobalProtect users will need to re-authenticate once, because the fix regenerates override cookies using a stronger method. Plan for that small disruption rather than being surprised by it.
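The hunting step above, as an added Python example that is not from the page or the vendor: it parses constructed log lines in a simplified key=value layout (not the real GlobalProtect log format), flags successful cookie-based logins from outside a constructed allowlist of known egress ranges, and escalates any that a VPN IP assignment for the same user and source follows within five minutes. It flags every account rather than only local or admin ones, which is broader than the page's wording.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample log lines in a simplified key=value layout (not the real
# GlobalProtect log format); all source addresses are documentation ranges.
SAMPLE_LOG = """\
2026-05-21T02:14:07Z auth user=admin src=203.0.113.45 method=cookie result=success
2026-05-21T02:14:09Z vpn-assign user=admin src=203.0.113.45 client_ip=10.20.0.77
2026-05-21T02:30:00Z auth user=localadmin src=203.0.113.77 method=cookie result=success
2026-05-21T08:00:01Z auth user=jsmith src=198.51.100.8 method=saml result=success
2026-05-21T09:15:00Z auth user=svc_backup src=192.0.2.200 method=cookie result=success
2026-05-21T09:15:02Z vpn-assign user=svc_backup src=192.0.2.200 client_ip=10.20.0.91
"""

# Constructed allowlist standing in for the organisation's own known egress
# ranges (branch offices, managed endpoints). Anything else is "unfamiliar".
KNOWN_SOURCE_NETS = [ipaddress.ip_network("192.0.2.0/24")]
ASSIGN_WINDOW = timedelta(minutes=5)

def parse_line(line):
    ts, event, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    rec["event"] = event
    return rec

def is_unfamiliar(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in KNOWN_SOURCE_NETS)

def hunt(log_text):
    """Return (user, src, verdict) for each cookie login that warrants review."""
    recs = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    assigns = [r for r in recs if r["event"] == "vpn-assign"]
    findings = []
    for r in recs:
        if r["event"] != "auth" or r.get("method") != "cookie" or r.get("result") != "success":
            continue
        if not is_unfamiliar(r["src"]):
            continue
        # A VPN IP handed out shortly after the cookie login is the page's
        # "treat as likely compromise pending investigation" condition.
        followed = any(a["user"] == r["user"] and a["src"] == r["src"]
                       and r["ts"] <= a["ts"] <= r["ts"] + ASSIGN_WINDOW
                       for a in assigns)
        findings.append((r["user"], r["src"], "likely-compromise" if followed else "review"))
    return findings
```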
Key Takeaways
CVE-2026-0257 is an authentication-bypass flaw in Palo Alto GlobalProtect (PAN-OS and Prisma Access); CSA scored it 9.1/critical, the vendor 7.8/HIGH.
Attackers can forge GlobalProtect authentication-override cookies when the cookie certificate is reused for another feature — no credentials needed.
Exploitation has been observed in the wild since 17 May 2026; CISA added it to its KEV catalog with a 1 June federal deadline.
Fix: patch to the vendor's fixed release for your branch, or disable authentication override / use a dedicated certificate as interim mitigation. Panorama and Cloud NGFW are unaffected.