{"id":260462,"date":"2026-05-31T14:11:00","date_gmt":"2026-05-31T18:11:00","guid":{"rendered":"https:\/\/news-you-need.com\/index.php\/2026\/05\/31\/cve-2026-0257-rapid7-caught-attackers-abusing-forged-vpn-cookies-against-multiple-customers\/"},"modified":"2026-05-31T15:15:16","modified_gmt":"2026-05-31T19:15:16","slug":"cve-2026-0257-rapid7-caught-attackers-abusing-forged-vpn-cookies-against-multiple-customers","status":"publish","type":"post","link":"https:\/\/news-you-need.com\/index.php\/2026\/05\/31\/cve-2026-0257-rapid7-caught-attackers-abusing-forged-vpn-cookies-against-multiple-customers\/","title":{"rendered":"CVE-2026-0257: Rapid7 Caught Attackers Abusing Forged VPN Cookies Against Multiple Customers"},"content":{"rendered":"

CVE-2026-0257: Rapid7 Caught Attackers Abusing Forged VPN Cookies Against Multiple Customers<\/a><\/p>\n

https:\/\/securityaffairs.com\/192933\/security\/cve-2026-0257-rapid7-caught-attackers-abusing-forged-vpn-cookies-against-multiple-customers.html<\/a><\/p>\n

Publish Date: 2026-05-31 14:11:00<\/a><\/p>\n

Source Domain: securityaffairs.com<\/a><\/p>\n

CVE-2026-0257: Rapid7 Caught Attackers Abusing Forged VPN Cookies Against Multiple Customers<\/h2>\n<\/p>\n

\t\t\t\t\t\t\t Pierluigi Paganini<\/span>
\n\t\t\t\t\t\t\t\"\"\/ May 31, 2026<\/span><\/p>\n

\t\t\t\t\t\t\"\"\/<\/p>\n

CVE-2026-0257 lets attackers forge Palo Alto GlobalProtect auth cookies and bypass VPN login. Exploitation confirmed since May 17.<\/h2>\n

Palo Alto Networks addressed the vulnerability CVE-2026-0257 on May 13. Two weeks later, cybersecurity firm Rapid7 confirmed active exploitation across multiple customer environments. <\/p>\n

The flaw impacts the GlobalProtect portal and gateway components of Palo Alto Networks PAN-OS and allows attackers to bypass authentication and establish unauthorized VPN connections. The vulnerabilities do not affect Panorama or Cloud NGFW deployments.<\/p>\n

\u201cAuthentication bypass vulnerabilities in the GlobalProtect portal and gateway of Palo Alto Networks PAN-OS\u00ae software allows the attacker to bypass security restrictions and establish an unauthorized VPN connection.\u201d reads the advisory.<\/p>\n

If the same certificate is used for both the HTTPS service and the cookie encryption feature, which is a common misconfiguration, an attacker can grab the public key straight from the HTTPS session. Armed with that key, they can craft a cookie for any user, including the local admin account, that the device will accept as perfectly legitimate. No credentials required. Rapid7\u2019s Labs team built a proof-of-concept script that demonstrates this in full: retrieve the certificate chain, iterate through each certificate, forge a cookie, test it. The whole attack takes seconds against a vulnerable appliance.<\/p>\n

\u201cIf we look at the\u00a0main_DecryptAppAuthCookie\u00a0function we can begin to see the problem.\u201d reads the report published by Rapid7. \u201cThe incoming encrypted cookie is base64 decoded and then decrypted using a private key. The decrypted content is then trusted implicitly, with no signature verification of any kind occurring after decryption.\u201d<\/p>\n

Rapid7 MDR caught…<\/p>\n

Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"

CVE-2026-0257: Rapid7 Caught Attackers Abusing Forged VPN Cookies Against Multiple Customers https:\/\/securityaffairs.com\/192933\/security\/cve-2026-0257-rapid7-caught-attackers-abusing-forged-vpn-cookies-against-multiple-customers.html Publish Date: 2026-05-31…<\/p>\n","protected":false},"author":1,"featured_media":260463,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/securityaffairs.com\/wp-content\/uploads\/2020\/05\/Palo-Alto-Networks.png","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[24,27],"class_list":["post-260462","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260462"}],"collection":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=260462"}],"version-history":[{"count":1,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260462\/revisions"}],"predecessor-version":[{"id":260464,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/260462\/revisions\/260464"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/260463"}],"wp:attachment":[{"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=260462"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=260462"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=260462"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}