Arctic Wolf Observes an Increase in Palo Alto Networks GlobalProtect Authentication Bypass Exploitation via CVE-2026-0257

Arctic Wolf recently observed increased exploitation of CVE-2026-0257, a high-severity authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect and Prisma Access.

Key Takeaways

  • Arctic Wolf observed a wave of CVE-2026-0257 exploitation activity in late May and early June 2026, following the publication of working exploit code and technical details about the vulnerability. The campaign is still ongoing as of this publication.
  • Successful exploitation requires specific configuration conditions, including GlobalProtect portal or gateway exposure, authentication override cookies, and reuse or exposure of the certificate used for those cookies.
  • Initial malicious activity consisted of suspicious cookie-based GlobalProtect administrative login activity from virtual private server hosting infrastructure.
  • In intrusions that progressed beyond the initial authentication bypass, threat actors established IPsec tunnels and quickly generated internal SMB and NTLM activity consistent with Impacket-based reconnaissance from the assigned VPN client address.

Summary

In late May and early June 2026, Arctic Wolf began observing increased exploitation of CVE-2026-0257, a high-severity authentication bypass vulnerability affecting Palo Alto Networks PAN-OS GlobalProtect and Prisma Access.

The increase in CVE-2026-0257 exploitation began on May 30, 2026, following a smaller initial wave that had taken place between May 17 and May 21. Initial exploitation activity was consistent in some respects with the behavior first reported by Rapid7, where a variable number of authentication failures were followed by successful authentication. In contrast with that original cluster of activity, Arctic Wolf observed a set of intrusions with follow-on Impacket activity soon after VPN tunnel establishment.

Arctic Wolf is sharing technical details from this campaign to help defenders identify similar activity and hunt for related indicators of compromise in PAN-OS deployments.

Background

CVE-2026-0257 is an authentication bypass vulnerability that allows remote, unauthenticated threat actors to forge GlobalProtect authentication override cookies and establish unauthorized VPN sessions when three configuration conditions are met:

  1. GlobalProtect portal or gateway is enabled.
  2. Authentication override cookies are enabled. Authentication override cookies are an optional GlobalProtect feature that allow previously authenticated users to reconnect without re-entering credentials for a configured time period.
  3. The certificate used for authentication override cookies is reused or exposed in another context. For example, if the same certificate is used for the GlobalProtect portal or gateway HTTPS service, a remote attacker may be able to retrieve the public certificate and use it to forge authentication override cookies that the appliance accepts.

CVE-2026-0257 was first publicly disclosed by Palo Alto Networks on May 13, 2026, via a security advisory. The vulnerability was initially assigned a CVSS score of 4.7 (medium). However, on May 29, 2026, after Rapid7 published its technical analysis and a working proof-of-concept script, Palo Alto Networks revised the CVSS score upward to 7.8 (high). That same day, CISA added CVE-2026-0257 to the Known Exploited Vulnerabilities (KEV) catalog.

Technical details

Campaign Characteristics

In May 2026, the initial wave of suspicious cookie-based admin login activity from virtual private server (VPS) hosting providers appears to have begun on the 17th, with low volume continuing until the 21st. During this phase of the campaign, suspicious login activity was tied to two IP addresses: 104.207.144[.]154 and 179.43.172[.]213. These two IP addresses were not observed again following the 21st.

The next wave of exploitation began on May 30, 2026, when a notable uptick in activity was observed across a variety of ASNs. The source infrastructure used throughout this phase was broad, spanning numerous ASNs, including DigitalOcean, The Constant Company, Hivelocity, Clouvider, BL Networks, M247, Frantech Solutions, and others.

Figure 1: Suspicious admin logins on GlobalProtect devices from VPS hosting IP space between May 17, 2026 and June 9, 2026.

Exploitation was observed across a variety of sectors, including insurance, finance, manufacturing, education, engineering, and healthcare. Impacted organizations were located in Europe and North America, with the heaviest concentration in the United States. The pattern of exploitation showed signs of being opportunistic, with successful logins spanning hundreds of devices in an assortment of sectors rather than being limited to narrow targeting criteria.

Observed activity primarily targeted the admin account. Additionally, we identified kali as a device name artifact, which strongly suggested the direct use of Kali Linux offensive tooling by at least a subset of the operators involved in this campaign. Additional device names included generic DESKTOP-prefixed names, GP-CLIENT, and several others. In contrast with the earlier activity observed by Rapid7, MAC spoofing was not consistently observed across all intrusions.

Suspicious Cookie-Based GlobalProtect Authentication

The exploitation activity observed across multiple intrusions followed a consistent sequence of events that were similar to Rapid7’s published proof-of-concept behavior.

The broadest pattern observed by Arctic Wolf was successful suspicious cookie-based authentication against GlobalProtect portals and gateways, predominantly from VPS hosting providers. The activity often included combinations of the following GlobalProtect events:

  • portal-prelogin success
  • gateway-prelogin success
  • portal-auth failure
  • saml-client-redirect
  • gateway-auth success
  • portal-auth success

In some instances, authentication failures were caused by cookie handling errors such as Cannot decrypt cookie, followed quickly by successful cookie-based authentication. However, this error message was not universally observed across all intrusions.

In several cases, the activity included repeated authentication failures interspersed with SAML redirection events prior to eventual authentication success. This behavior suggested iterative authentication attempts or manipulation of the authentication workflow before successful session establishment.

However, successful GlobalProtect authentication events alone did not necessarily mean threat actors proceeded to move laterally within victim environments. Follow-on activity typically involved tunnel establishment and assignment of a client IP address.

VPN Session Establishment

Although threat actors generated successful authentication events, only a subset of observed intrusions progressed beyond authentication into full VPN session establishment.

In cases of successful authentication, additional gateway and tunnel establishment events typically followed, including:

  • portal-getconfig success
  • gateway-getconfig success
  • gateway-register success
  • gateway-setup-ipsec success
  • gateway-hip-check success
  • gateway-connected success

These events indicated that the client successfully authenticated to the GlobalProtect gateway and established a functional VPN tunnel, resulting in network-level access to the internal environment.

Figure 2: Event sequence from a representative intrusion with successful VPN tunnel establishment. (NOTE: The remote IP address shown here belongs to the attacker.)

In a representative intrusion, within a few seconds, the same remote IP generated a cookie-based portal-auth failure with Cannot decrypt cookie, successfully authenticated as admin, retrieved portal and gateway configuration, registered with the gateway, and completed gateway-setup-ipsec before reaching gateway-connected.

In some instances we observed gateway-setup-ssl failure events from suspicious IP addresses. Palo Alto Networks documentation states that GlobalProtect clients preferentially attempt IPsec tunnel establishment and may automatically fall back to SSL VPN transport if IPsec negotiation fails or is unavailable. However, we did not identify any successful SSL-VPN connection across the activity we reviewed; the successfully established tunnels we observed were limited to IPsec.

Post-Compromise

In a subset of investigated intrusions, successful VPN session establishment was quickly followed by an SMB session setup request and automated internal SMB reconnaissance consistent with Impacket tooling. The threat actor conducted limited internal network scanning, including network share enumeration and domain user discovery. In some instances, the SMB activity followed GlobalProtect gateway-connected events within a minute.

In situations where follow-on activities occurred, affected hosts initiated rapid SMB authentication and session negotiation activity. The authentication traffic leveraged NTLM negotiation and repeatedly attempted access using the admin account, likely intended to identify reachable systems and test potential authentication pathways within the environment.

Figure 3: A selection of NTLM authentication events in rapid succession from a representative intrusion.

In some environments, within minutes of a gateway-connected event, internal network discovery was conducted, including NTLM anonymous logon attempts consistent with host and service discovery.

Despite evidence of successful post-authentication access in a handful of intrusions, observed follow-on activity remained limited. Across investigated cases, the activity did not progress substantially beyond the initial SMB session setup and lightweight reconnaissance behavior commonly associated with Impacket tooling.

Arctic Wolf identified and disrupted the activity before the threat actors could establish persistence or conduct broader post-compromise operations within affected environments.

Notably, this post-exploitation activity differed from the majority of observed intrusion attempts, which primarily consisted of repeated GlobalProtect authentication failures and limited portal or gateway authentication activity without clear evidence of successful VPN tunnel establishment or subsequent internal network interaction.

Conclusion

The observed activity associated with CVE-2026-0257 demonstrated that, under vulnerable configurations, threat actors were able to successfully interact with and, in some cases, abuse the GlobalProtect authentication workflow to establish unauthorized VPN access.

Across investigated intrusions, most activity was limited to repeated authentication attempts and intermittent successful portal or gateway authentication activity without clear evidence of successful post-authentication operations. However, a smaller subset of intrusions progressed further into authenticated VPN session establishment and limited internal network interaction.

In cases where VPN connectivity was successfully established, Arctic Wolf observed immediate follow-on activity consistent with Impacket tooling, including SMB session setup requests, NTLM anonymous logon activity, network share enumeration, and limited domain user discovery. The rapid transition from VPN session establishment to internal reconnaissance strongly suggested the threat actors intended to leverage unauthorized VPN access as an initial foothold for subsequent post-compromise operations.

For defenders, the priority should be to identify which suspicious GlobalProtect sessions from IP space associated with VPS hosting became working tunnels and then determine what those tunnel IPs did next. Arctic Wolf has detections in place for the activities observed in this campaign through our Managed Detection and Response service.

How Arctic Wolf Protects Its Customers

Arctic Wolf is committed to ending cyber risk, and when active campaigns are identified, we move quickly to protect our customers. We have leveraged threat intelligence around this campaign to enhance detections in the Arctic Wolf® Managed Detection and Response (MDR) service, subject to the customer environment and available telemetry. Customers in scope of this campaign have been notified; detections and response recommendations have been deployed to affected accounts.

As we track this campaign and discover new information, we may further refine our detections to account for additional indicators of compromise (IOCs) and techniques leveraged by the threat actors behind this malicious activity.

Detection Guidance

GlobalProtect Authentication Plane

Defenders should focus on authentication anomalies combined with unexpected VPN session establishment from non-corporate infrastructure. These are the earliest high-signal indicators.

  • CVE-2026-0257 exploitation signals:
    • Cookie decryption error followed immediately by successful authentication in the same session.
    • Failed authentication attempt (cookie error) immediately preceding a clean authentication success.
  • Suspicious authentication activity:
    • Successful GlobalProtect logins as admin or other privileged accounts from VPS hosting provider ASNs.
    • Logins from Tor exit nodes, VPS IP addresses, or unfamiliar geographies.
    • Authentication events from machine names including GP-CLIENT, DESKTOP-GP01, or kali.
    • Connections using spoofed MAC address aa:bb:cc:dd:ee:ff.

Post-Exploitation Behavior

Focus on rapid automated activity immediately following VPN session establishment.

  • Anomalous authentication and enumeration activity:
    • Signs of Impacket or suspicious NTLM activity following VPN session establishment.
    • Rapid SMB authentication attempts against multiple hosts.
    • NTLM anonymous logon attempts from VPN-assigned IPs.

Network Monitoring

Focus on source IP infrastructure and session characteristics that deviate from expected corporate VPN usage.

  • High-signal source indicators:
    • Successful authentication from known VPS hosting provider ASNs.
    • Connections from Tor exit nodes (e.g., AS60729, AS215125).
  • Session characteristics:
    • Kali Linux or browser-based client fingerprints in VPN connection logs.
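The detection guidance above, and the event sequences described earlier in the Suspicious Cookie-Based GlobalProtect Authentication and VPN Session Establishment sections, come down to one hunt: find sessions that show the cookie-error-then-success pattern (or other suspicious source or client attributes), keep only the ones that reached gateway-connected, take the VPN-assigned client IP from that event, and look at what that IP did on the internal network in the minutes that followed. The script below is an added example written for this report, not Arctic Wolf's detection content or Palo Alto Networks code. Its event records are constructed; the field names (t, event, status, src, vip, user, machine, mac, error) are assumptions loosely modelled on GlobalProtect log columns rather than the exact PAN-OS schema, and IP_TO_ASN is a stand-in for a real ASN lookup.

```python
"""Hunt for the CVE-2026-0257 event sequence and for what the tunnel did next.

Added example, not from the report. Events are constructed and the field
names are assumptions loosely modelled on GlobalProtect log columns.
"""
from collections import defaultdict
from datetime import datetime, timedelta

COOKIE_ERROR = "Cannot decrypt cookie"                       # error string from the report
SUSPICIOUS_MACHINES = {"kali", "gp-client", "desktop-gp01"}  # machine names from the report
SPOOFED_MAC = "aa:bb:cc:dd:ee:ff"                            # MAC from the report
AUTH_EVENTS = {"portal-auth", "gateway-auth"}
# Assumption: placeholder ASN lookup. A real hunt queries an ASN database and
# lists the VPS hosting ASNs seen in the campaign.
IP_TO_ASN = {"203.0.113.10": "AS-VPS-HOSTER", "198.51.100.7": "AS-CORP-ISP"}
VPS_ASNS = {"AS-VPS-HOSTER"}


def ev(t, event, status, src, vip="", user="", machine="", mac="", error=""):
    """Build one simplified GlobalProtect event record (constructed data)."""
    return dict(t=datetime.fromisoformat(t), event=event, status=status, src=src,
                vip=vip, user=user, machine=machine, mac=mac, error=error)


ATK = "203.0.113.10"  # constructed attacker public IP (documentation range)
# Constructed GlobalProtect events: one attacker-like sequence, then a normal user.
GP_EVENTS = [
    ev("2026-06-01T10:00:00", "portal-prelogin", "success", ATK, machine="kali"),
    ev("2026-06-01T10:00:02", "portal-auth", "failure", ATK, machine="kali", error=COOKIE_ERROR),
    ev("2026-06-01T10:00:05", "portal-auth", "success", ATK, user="admin", machine="kali"),
    ev("2026-06-01T10:00:08", "portal-getconfig", "success", ATK, user="admin", machine="kali"),
    ev("2026-06-01T10:00:11", "gateway-getconfig", "success", ATK, user="admin", machine="kali"),
    ev("2026-06-01T10:00:14", "gateway-register", "success", ATK, user="admin", machine="kali"),
    ev("2026-06-01T10:00:17", "gateway-setup-ipsec", "success", ATK, vip="10.10.0.51", user="admin", machine="kali"),
    ev("2026-06-01T10:00:20", "gateway-connected", "success", ATK, vip="10.10.0.51", user="admin", machine="kali"),
    ev("2026-06-01T10:03:00", "portal-auth", "success", "198.51.100.7", user="jsmith", machine="LT-JSMITH"),
    ev("2026-06-01T10:03:30", "gateway-connected", "success", "198.51.100.7", vip="10.10.0.52", user="jsmith", machine="LT-JSMITH"),
]


def smb(t, src, dst, user, auth):
    """Build one simplified internal SMB/NTLM authentication record (constructed data)."""
    return dict(t=datetime.fromisoformat(t), src=src, dst=dst, user=user, auth=auth)


# Constructed internal authentication events keyed by VPN-assigned client IP.
SMB_EVENTS = [
    smb("2026-06-01T10:01:00", "10.10.0.51", "10.0.0.5", "admin", "NTLM"),
    smb("2026-06-01T10:01:01", "10.10.0.51", "10.0.0.6", "ANONYMOUS LOGON", "NTLM"),
    smb("2026-06-01T10:01:02", "10.10.0.51", "10.0.0.7", "admin", "NTLM"),
    smb("2026-06-01T10:05:00", "10.10.0.52", "10.0.0.20", "jsmith", "Kerberos"),
]


def find_suspicious_sessions(events, window=timedelta(seconds=60)):
    """Group events by public source IP and flag the patterns from the report.

    Returns one finding per suspicious source with the reasons, plus the
    VPN-assigned client IP and time if the session reached gateway-connected.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_src[e["src"]].append(e)
    findings = []
    for src, evs in by_src.items():
        reasons, last_cookie_error, vip, connected_at = set(), None, None, None
        for e in evs:
            if e["status"] == "failure" and COOKIE_ERROR in e["error"]:
                last_cookie_error = e["t"]
            if e["event"] in AUTH_EVENTS and e["status"] == "success":
                # Cookie decryption error followed quickly by a clean success.
                if last_cookie_error and e["t"] - last_cookie_error <= window:
                    reasons.add("cookie-error-then-success")
                if e["user"] == "admin" and IP_TO_ASN.get(src) in VPS_ASNS:
                    reasons.add("admin-login-from-vps-asn")
            if e["machine"].lower() in SUSPICIOUS_MACHINES:
                reasons.add("machine-name:" + e["machine"])
            if e["mac"].lower() == SPOOFED_MAC:
                reasons.add("spoofed-mac")
            if e["event"] == "gateway-connected" and e["status"] == "success":
                vip, connected_at = e["vip"], e["t"]  # tunnel is up; this IP matters next
        if reasons:
            findings.append(dict(src=src, reasons=sorted(reasons), vip=vip, connected_at=connected_at))
    return findings


def correlate_post_exploitation(findings, smb_events, window=timedelta(minutes=5)):
    """Join each connected suspicious session to internal auth activity from its client IP."""
    out = []
    for f in findings:
        if not f["vip"]:
            continue  # authentication only; never became a working tunnel
        hits = [s for s in smb_events
                if s["src"] == f["vip"] and f["connected_at"] <= s["t"] <= f["connected_at"] + window]
        if hits:
            out.append(dict(
                src=f["src"], vip=f["vip"],
                targets=sorted({s["dst"] for s in hits}),
                anonymous_logon=any(s["user"].upper() == "ANONYMOUS LOGON" for s in hits),
                seconds_to_first_auth=(min(s["t"] for s in hits) - f["connected_at"]).total_seconds()))
    return out


if __name__ == "__main__":
    found = find_suspicious_sessions(GP_EVENTS)
    for f in found:
        print("suspicious session:", f)
    for p in correlate_post_exploitation(found, SMB_EVENTS):
        print("post-connect activity:", p)
```

The join on the VPN-assigned client IP is the step that separates a noisy authentication alert from an intrusion that needs a response: the normal user in the sample data also reaches gateway-connected, but has no suspicious reasons and is never correlated, while the attacker-like session is tied to NTLM attempts against three hosts, including an anonymous logon, 40 seconds after the tunnel came up.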

Appendix

For additional Appendix sections referenced in this report, please see our public GitHub repository.

Legal disclaimer: Attribution reflects Arctic Wolf Labs’ assessment as of the report period and may evolve with new evidence. References to threat actor identity, nexus, and intent are analytical judgments, not statements of legal fact. This alert is provided for informational purposes only and does not constitute a guarantee of detection or prevention. Defensive effectiveness varies by environment, configuration, and available telemetry. 

About Arctic Wolf Labs

Arctic Wolf Labs is a group of elite security researchers, data scientists, and security development engineers who explore security topics to deliver cutting-edge threat research on new and emerging adversaries, develop and refine advanced threat detection models with artificial intelligence and machine learning, and drive continuous improvement in the speed, scale, and detection efficacy of Arctic Wolf’s solution offerings.

Arctic Wolf Labs brings world-class security innovations to not only Arctic Wolf’s customer base, but the security community at large.
