CVE-2026-0257: Rapid7 Caught Attackers Abusing Forged VPN Cookies Against Multiple Customers

https://securityaffairs.com/192933/security/cve-2026-0257-rapid7-caught-attackers-abusing-forged-vpn-cookies-against-multiple-customers.html

Publish Date: 2026-05-31 14:11:00

Source Domain: securityaffairs.com

Pierluigi Paganini
May 31, 2026

CVE-2026-0257 lets attackers forge Palo Alto GlobalProtect auth cookies and bypass VPN login. Exploitation confirmed since May 17.

Palo Alto Networks addressed the vulnerability CVE-2026-0257 on May 13. Two weeks later, cybersecurity firm Rapid7 confirmed active exploitation across multiple customer environments.

The flaw affects the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS and allows attackers to bypass authentication and establish unauthorized VPN connections. It does not affect Panorama or Cloud NGFW deployments.

“Authentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS® software allow the attacker to bypass security restrictions and establish an unauthorized VPN connection,” reads the advisory.

If the same certificate is used for both the HTTPS service and the cookie encryption feature, a common misconfiguration, an attacker can take the public key straight from the HTTPS session. With that key, they can craft a cookie for any user, including the local admin account, that the device accepts as legitimate; no credentials are required. Rapid7’s Labs team built a proof-of-concept script that demonstrates this in full: retrieve the certificate chain, iterate through each certificate, forge a cookie, test it. The whole attack takes seconds against a vulnerable appliance.

“If we look at the main_DecryptAppAuthCookie function we can begin to see the problem,” reads the report published by Rapid7. “The incoming encrypted cookie is base64 decoded and then decrypted using a private key. The decrypted content is then trusted implicitly, with no signature verification of any kind occurring after decryption.”
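The structural problem Rapid7 describes is that public-key encryption gives confidentiality, not origin authentication: anyone holding the public key can produce a ciphertext that decrypts cleanly. The Python below is an added illustration, not Rapid7's proof-of-concept or Palo Alto's code; it models the decrypt-then-trust pattern with toy textbook RSA and places beside it the check a validator needs, an HMAC under a secret that never appears in any certificate. The key pair, SERVER_SECRET and the cookie layout are constructed assumptions.

```python
import base64, hashlib, hmac, json

# Toy textbook RSA with tiny constructed parameters, illustration only.
# The flaw is structural (no authenticity check), not a matter of key size.
PUB = (17, 3233)      # (e, n): obtainable by anyone who fetches the TLS certificate
PRIV = (2753, 3233)   # (d, n): held only by the appliance
# Assumption: a secret that exists only on the server and is never published.
SERVER_SECRET = b"server-only-secret-never-in-the-certificate"

def rsa_apply(values, key):
    """Apply RSA to each element; bijective on 0..n-1 for these parameters."""
    exp, n = key
    return [pow(v, exp, n) for v in values]

def encrypt(plain: bytes, pub) -> str:
    """Anyone with the public key can build a cookie this way."""
    return base64.b64encode(json.dumps(rsa_apply(plain, pub)).encode()).decode()

def decrypt(cookie: str, priv) -> bytes:
    return bytes(rsa_apply(json.loads(base64.b64decode(cookie)), priv))

def cookie_from_public_key_only(user: str) -> str:
    """Cookie produced with nothing but the public key and no secret."""
    return encrypt(json.dumps({"user": user}).encode(), PUB)

def validate_vulnerable(cookie: str):
    """Decrypt-then-trust: whatever decrypts to valid JSON is believed."""
    try:
        return json.loads(decrypt(cookie, PRIV))
    except (ValueError, TypeError):
        return None

def issue_cookie(user: str) -> str:
    """Server-issued cookie: body followed by a 32-byte HMAC-SHA256 tag."""
    body = json.dumps({"user": user}).encode()
    tag = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    return encrypt(body + tag, PUB)

def validate_hardened(cookie: str):
    """Decrypt, then verify the tag before trusting a single field."""
    try:
        plain = decrypt(cookie, PRIV)
    except (ValueError, TypeError):
        return None
    body, tag = plain[:-32], plain[-32:]
    expected = hmac.new(SERVER_SECRET, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None            # decrypts fine, but nobody we trust made it
    return json.loads(body)
```

The same decryption routine serves both validators; only the hardened one refuses a cookie that was never produced with the server-side secret.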

Rapid7 MDR caught…
