akashsingh0454/CVE-2026-0257-PoC
# CVE-2026-0257 — PAN-OS GlobalProtect Authentication Bypass
## Remote Detection PoC




## Overview
CVE-2026-0257 is an authentication bypass vulnerability (CWE-565 — Reliance on Cookies without Validation and Integrity Checking) in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS. When authentication override cookies are enabled and a specific certificate configuration exists, an unauthenticated attacker can bypass security restrictions and establish an unauthorized VPN connection.
- **Advisory:** https://security.paloaltonetworks.com/CVE-2026-0257
- **CVSS 4.0:** 4.7 (MEDIUM) / Base: 7.8
- **CWE:** CWE-565
- **Affected components:** GlobalProtect Portal, GlobalProtect Gateway
- **Not affected:** Panorama, Cloud NGFW
## Affected Versions
| Branch | Vulnerable | Fixed |
|--------|-----------|-------|
| PAN-OS 10.2 | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6 | See advisory |
| PAN-OS 11.1 | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15 | See advisory |
| PAN-OS 11.2 | < 11.2.4-h17, < 11.2.7-h14, < 11.2.10-h7, < 11.2.12 | See advisory |
| PAN-OS 12.1 | < 12.1.4-h6, < 12.1.7 | See advisory |
| Cloud NGFW | Not affected | — |
| Panorama | Not affected | — |
## Required Configuration for Exposure
The vulnerability only applies when **authentication override cookies are enabled** on the portal or gateway. To check:
**Portal:** Network → GlobalProtect → Portals → Agent → Agent Config → Authentication tab
- "Generate cookie for authentication override" or "Accept cookie for authentication override" is checked
**Gateway:** Network → GlobalProtect → Gateways → Agent → Client Settings → Authentication Override tab
- "Accept cookie for authentication override" is checked
## This Tool
`cve_2026_0257_check.py` performs passive, read-only remote detection:
1. **GP portal/gateway detection** — checks standard unauthenticated endpoints for GlobalProtect presence
2. **PAN-OS version fingerprinting** — reads version from Server headers, login page HTML, and the `/global-protect/portal/config.esp` XML response
3. **Auth-override cookie indicator** — looks for behavioral signals that cookie-based auth override may be enabled
4. **Version range check** — compares detected version against all advisory-defined vulnerable ranges
### What it does NOT do
- Does not submit credentials
- Does not forge or replay authentication cookies
- Does not attempt to establish a VPN connection
- Does not write or modify anything on the target
## Requirements
- Python 3.8+
- No third-party dependencies (stdlib only)
## Usage
```bash
# Single target (default port 443)
python3 cve_2026_0257_check.py vpn.example.com

# Custom port
python3 cve_2026_0257_check.py vpn.example.com:8443

# Multiple targets
python3 cve_2026_0257_check.py host1 host2 host3

# JSON output
python3 cve_2026_0257_check.py vpn.example.com --json

# Adjust timeout
python3 cve_2026_0257_check.py vpn.example.com --timeout 15
```
## Output
```
============================================================
Target : vpn.example.com:443
Verdict : LIKELY_VULNERABLE
============================================================
GP Portal reachable : True
GP Gateway reachable : True
PAN-OS version : 11.2.7-h3
Auth-cookie indicator: True
Version vulnerable : True
Notes:
• GlobalProtect portal page found at /global-protect/login.esp (HTTP 200)
• GlobalProtect gateway endpoint present (HTTP 400)
• Version from /global-protect/portal/config.esp: 11.2.7-h3
• portal/config.esp returned HTTP 200 with body — may indicate auth-override cookie acceptance is enabled
[!] Host appears to run a vulnerable PAN-OS version.
Verify auth-override cookie config per the advisory:
https://security.paloaltonetworks.com/CVE-2026-0257
```
### Verdict values
| Verdict | Meaning |
|---------|---------|
| `LIKELY_VULNERABLE` | GP exposed + version in known-vulnerable range |
| `LIKELY_PATCHED` | GP exposed + version confirmed patched |
| `POSSIBLE_TARGET_VERSION_UNKNOWN` | GP exposed but version could not be read |
| `NOT_GP_TARGET` | No GlobalProtect portal or gateway detected |
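
The version range check and the verdict mapping, as an added example that is not the repository's `cve_2026_0257_check.py`. The thresholds are transcribed from the Affected Versions table; the function names, and the rule that a maintenance release the table does not list counts as vulnerable when it is below the branch's highest threshold, are assumptions of this example.

```python
import re

# Thresholds transcribed from the "Affected Versions" table on this page.
THRESHOLDS = {
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "11.2": ["11.2.4-h17", "11.2.7-h14", "11.2.10-h7", "11.2.12"],
    "12.1": ["12.1.4-h6", "12.1.7"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix), or None if text is not X.Y.Z[-hN]."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    # A release without a hotfix suffix sorts below every hotfix of that release.
    return tuple(int(g) if g else 0 for g in m.groups())


def is_vulnerable(version_text):
    """True or False for a listed branch; None if the version or branch is unknown."""
    v = parse_version(version_text)
    if v is None or f"{v[0]}.{v[1]}" not in THRESHOLDS:
        return None
    fixes = sorted(parse_version(t) for t in THRESHOLDS[f"{v[0]}.{v[1]}"])
    for fix in fixes:
        if fix[:3] == v[:3]:      # same maintenance release: compare hotfix numbers
            return v < fix
    # Assumption: an unlisted maintenance release is judged against the highest threshold.
    return v < fixes[-1]


def verdict(gp_exposed, version_text):
    """Map GlobalProtect exposure and the version check onto the verdict table."""
    if not gp_exposed:
        return "NOT_GP_TARGET"
    state = is_vulnerable(version_text) if version_text else None
    if state is None:             # unreadable version or a branch the table omits
        return "POSSIBLE_TARGET_VERSION_UNKNOWN"
    return "LIKELY_VULNERABLE" if state else "LIKELY_PATCHED"
```

A `LIKELY_VULNERABLE` result still needs the authentication override cookie settings confirmed on the device, since the version alone does not establish exposure.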
## Remediation
Per the official advisory:
1. **Upgrade** to a fixed PAN-OS version (see table above)
2. **Or use a dedicated certificate** exclusively for authentication override cookies — do not reuse the portal/gateway certificate
3. **Or disable authentication override** entirely by unchecking the relevant options in portal and gateway configuration
After patching, users will need to re-authenticate once as the cookie is regenerated using a more secure method.
## Disclosure
- **Discovered:** Internally by Palo Alto Networks PSIRT
- **Published:** 2026-05-13
- **Exploitation status:** No known malicious exploitation as of publication
## Legal
This tool is intended for use on systems you own or have explicit written authorization to test. Unauthorized use against systems you do not own is illegal. The authors assume no liability for misuse.