CVE-2026-0257 PAN-OS GlobalProtect — Forged Auth-Override Cookies
Coverage period: 2026-05-30 (day 0) → ongoing.
Detection went live across all three HoneyLens sensors on the same day Rapid7’s exploitation writeup went up. Three Suricata signatures, an updated PA honeypot classifier that extracts the smoking-gun form fields, and a single high-confidence attack-type tag (cve_2026_0257_authbypass).
CVE-2026-0257 is an authentication-bypass primitive in PAN-OS GlobalProtect’s authentication override feature. The portal issues RSA-encrypted cookies for re-authentication, but the decryption code performs no signature verification on the plaintext — any actor who has the public key (which they do, when the auth-override certificate is reused as the GP portal/gateway HTTPS service certificate) can forge an arbitrary cookie. The gateway accepts it as legitimate and the actor lands as the forged user. Patched 2026-05-13; exploited in the wild from 2026-05-17 onward; added to CISA KEV 2026-05-29.
The Vulnerability in One Minute
GlobalProtect’s authentication override feature is a convenience: once the user authenticates to the portal, the portal hands back an RSA-encrypted cookie that the gateway accepts as re-authentication evidence later. The encrypted cookie contains the username, domain, host ID, client OS, and a timestamp.
The bug: the gateway decrypts the cookie and trusts the plaintext without checking a signature. There is no signature on the plaintext at all. So if you have the public key, you can encrypt any plaintext you want and the gateway will accept it. And you frequently do have the public key — the common deployment pattern is to use the GP portal/gateway’s HTTPS service certificate as the auth-override certificate, which makes the public key the certificate the server hands out at TLS handshake. Free.
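To make the design point concrete, here is an added toy model of the cookie flow (not PAN-OS code, not Rapid7’s PoC, and not the page’s own code). It uses textbook RSA with constructed tiny parameters, encrypting one byte per block, so it is not a usable cipher; the point is only the two gateway checks side by side. The first does what the page describes (decrypt, then trust the plaintext). The second binds an authenticator that a public-key holder cannot produce; the example uses an HMAC under a secret assumed to be shared only by portal and gateway, which is a constructed assumption, and a portal signature verified by the gateway would serve the same purpose.

```python
import hashlib
import hmac
from typing import List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

# Toy textbook RSA with constructed tiny parameters. It stands in for the
# portal's RSA-encrypted cookie purely to illustrate the design flaw.
P, Q = 61, 53
N = P * Q                            # public modulus (3233)
E = 17                               # public exponent: anyone holding the cert has (E, N)
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, held by the gateway (2753)


def rsa_encrypt(plaintext: bytes) -> List[int]:
    """Encrypt with the public key only: what any holder of the cert can do."""
    return [pow(b, E, N) for b in plaintext]


def rsa_decrypt(blocks: List[int]) -> bytes:
    """Decrypt with the private key: the gateway side."""
    return bytes(pow(c, D, N) for c in blocks)


def _canon(fields: dict) -> str:
    """Deterministic field encoding so issuer and verifier hash identical bytes."""
    return urlencode(sorted(fields.items()))


# --- The check the page describes: decrypt, then trust the plaintext --------

def accept_cookie_vulnerable(blob: List[int]) -> Optional[str]:
    """Returns the username the gateway would act on. Nothing here proves the
    portal produced this cookie: decryption succeeds for any ciphertext."""
    fields = dict(parse_qsl(rsa_decrypt(blob).decode()))
    return fields.get("user")


# --- Hardened form: bind an authenticator the public key cannot produce -----
# Constructed assumption: `secret` is known only to the portal and gateway.

def issue_cookie_hardened(fields: dict, secret: bytes) -> List[int]:
    body = _canon(fields)
    tag = hmac.new(secret, body.encode(), hashlib.sha256).hexdigest()
    return rsa_encrypt(f"{body}&mac={tag}".encode())


def accept_cookie_hardened(blob: List[int], secret: bytes) -> Optional[str]:
    fields = dict(parse_qsl(rsa_decrypt(blob).decode()))
    tag = fields.pop("mac", "")
    expected = hmac.new(secret, _canon(fields).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return None                  # decrypts fine, but no trusted issuer made it
    return fields.get("user")


def demo() -> Tuple[Optional[str], Optional[str], Optional[str]]:
    secret = b"constructed-portal-gateway-secret"
    # Ciphertext built by someone who holds nothing but (E, N).
    public_only = rsa_encrypt(_canon({"user": "admin", "domain": "corp"}).encode())
    # Cookie the portal legitimately issued to alice.
    legit = issue_cookie_hardened({"user": "alice", "domain": "corp"}, secret)
    return (accept_cookie_vulnerable(public_only),        # "admin": accepted
            accept_cookie_hardened(public_only, secret),  # None: rejected
            accept_cookie_hardened(legit, secret))        # "alice": accepted


if __name__ == "__main__":
    print(demo())
```

The first value in `demo()` is the whole bug in one line: a plaintext that anyone could have encrypted is treated as proof of who the client is. Encryption hides content; only a signature or MAC keyed on something the attacker lacks proves origin.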
Rapid7’s public PoC takes a target IP and a username and emits a forged portal-userauthcookie blob. The exploit fits in a single HTTPS POST.
What the request looks like
That portal-userauthcookie form field is the smoking gun. No legitimate GP client sends this field to a fresh /login.esp POST — the proper auth-override re-auth path goes through the gateway, not this portal endpoint. SID 9026330 fires on exactly this shape and is essentially zero-FP.
The Three Detection Layers
SID 9026330 — smoking-gun form field
POST to /ssl-vpn/login.esp or /global-protect/login.esp with body content matching (?:^|&)portal-(?:prelogon)?userauthcookie=<blob>. Single highest-confidence indicator in the pack. Anyone sending this is attempting the CVE-2026-0257 primitive — full stop.
SID 9026331 — Rapid7-tracked actor IPs
104.207.144.154, 146.19.216.119/120/125 — threat-actor hosting infrastructure (Vultr + Dromatics Systems) Rapid7 documented across the 2026-05-17 and 2026-05-21 exploitation waves. Catches any traffic from these sources, not just CVE-2026-0257-shaped bodies. They may pivot between waves, and we want to see them when they do.
SID 9026332 — observed-kit artifacts
Rapid7 published two operator-machine names and one spoofed MAC seen across both waves: computer=GP-CLIENT (Linux, 2026-05-17), computer=DESKTOP-GP01 (Windows, 2026-05-21), and the literal MAC aa:bb:cc:dd:ee:ff. We match them in the /login.esp POST body. Lower confidence than 9026330 (kit operators may rotate these strings as the wave matures), but high enough on its own to flag for review.
Plus a fourth layer in the application honeypot itself: the handle_gp_login handler in honeypot_paloalto.py now extracts the two cookie fields from the form body, tags the event with cve_2026_0257_authbypass at HIGH severity, and stores the truncated forged blob (512 B) in the event metadata for later analysis. The honeypot still returns the canonical PA-OS auth-cookie XML response so the attacker thinks the forge worked — we observe the follow-up getconfig.esp POST as confirmation of the kit behaviour.
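As an added illustration of the 9026330/9026332 match logic and the honeypot-side classifier described above (written here for this page; it is not the contents of honeypot_paloalto.py or the Suricata rules themselves), the following Python runs the same checks over a handful of constructed POST bodies. The endpoint paths, the cookie-field regex, the kit strings, the tag name and the 512-byte truncation are taken from the page; the sample bodies, the `mac` field name and the base64-looking blobs are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, unquote_plus

# Request shape SID 9026330 describes: a POST to one of the two GP login
# endpoints whose body carries the auth-override cookie field.
LOGIN_PATHS = ("/ssl-vpn/login.esp", "/global-protect/login.esp")
COOKIE_FIELD_RE = re.compile(r"(?:^|&)portal-(?:prelogon)?userauthcookie=")
COOKIE_FIELDS = ("portal-userauthcookie", "portal-prelogonuserauthcookie")
# Observed-kit artifacts SID 9026332 matches (from the page).
KIT_ARTIFACTS = ("computer=GP-CLIENT", "computer=DESKTOP-GP01", "aa:bb:cc:dd:ee:ff")
BLOB_KEEP = 512   # characters of the forged blob kept in event metadata (base64 is ASCII, so chars == bytes)


def is_login_post(method: str, path: str) -> bool:
    return method == "POST" and path.split("?", 1)[0] in LOGIN_PATHS


def sid_9026330(method: str, path: str, body: str) -> bool:
    """Smoking-gun form field: a legitimate client never sends it to this endpoint."""
    return is_login_post(method, path) and COOKIE_FIELD_RE.search(body) is not None


def sid_9026332(method: str, path: str, body: str) -> bool:
    """Observed-kit strings; lower confidence, since operators may rotate them.
    The body is URL-decoded first so an encoded MAC (aa%3Abb...) still matches."""
    if not is_login_post(method, path):
        return False
    decoded = unquote_plus(body)
    return any(artifact in decoded for artifact in KIT_ARTIFACTS)


def classify_gp_login(method: str, path: str, body: str) -> Optional[Dict]:
    """Honeypot-side classifier modelled on the page's description of handle_gp_login."""
    if not sid_9026330(method, path, body):
        return None
    fields = dict(parse_qsl(body, keep_blank_values=True))
    cookies = {k: fields[k] for k in COOKIE_FIELDS if k in fields}
    blob = next(iter(cookies.values()), "")
    return {
        "tag": "cve_2026_0257_authbypass",
        "severity": "HIGH",
        "user": fields.get("user"),
        "cookie_fields": list(cookies),
        "blob_truncated": blob[:BLOB_KEEP],
        "kit_artifact": sid_9026332(method, path, body),
    }


# Constructed sample requests: (method, path, form body).
SAMPLES: List[Tuple[str, str, str]] = [
    # Ordinary GP client login: no cookie field, no kit string; must not fire.
    ("POST", "/global-protect/login.esp",
     "prot=https:&server=vpn.example.test&user=alice&passwd=REDACTED&computer=LAPTOP-01&ok=Login"),
    # Forged-cookie shape with a kit hostname; both signatures fire.
    ("POST", "/ssl-vpn/login.esp",
     "prot=https:&server=vpn.example.test&user=admin&computer=GP-CLIENT"
     "&portal-userauthcookie=Q09OU1RSVUNURUQtQkxPQg=="),
    # Prelogon variant of the cookie field, second kit hostname.
    ("POST", "/global-protect/login.esp",
     "user=admin&computer=DESKTOP-GP01&portal-prelogonuserauthcookie=Y29uc3RydWN0ZWQ%3D"),
    # Same path but a GET: outside the rule's shape, must not fire.
    ("GET", "/global-protect/login.esp", "portal-userauthcookie=abc"),
    # Spoofed MAC (URL-encoded) with no cookie field: only 9026332 fires.
    ("POST", "/ssl-vpn/login.esp",
     "user=bob&computer=LAPTOP-02&mac=aa%3Abb%3Acc%3Add%3Aee%3Aff"),
]


def run_samples() -> List[Tuple[bool, bool]]:
    """(9026330 fired, 9026332 fired) for each constructed sample, in order."""
    return [(sid_9026330(*s), sid_9026332(*s)) for s in SAMPLES]


if __name__ == "__main__":
    for sample, verdict in zip(SAMPLES, run_samples()):
        print(verdict, classify_gp_login(*sample))
```

The two signatures are deliberately independent: the cookie-field check is the steady-state detector, while the kit-string check only adds confidence and is expected to go quiet once operators change their hostnames.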
IOC Vocabulary
What we expect to see
- First wave on the public IPv4 sensor (sensor3 / slim). The Rapid7 IOCs are Vultr / Dromatics hosts — commodity cloud providers from which mass scans propagate fast. Expect the first 9026331 firing within 24-72 hours simply because those source IPs keep cycling targets while the wave is hot.
- Cross-vector pivot from CVE-2026-0300. The PA-OS captive-portal hunt that’s been running since 2026-05-06 (T+17 today) has tracked actors who lazily test every PA endpoint in sequence — the rondo operator’s atomicmail UA is the calling card. If they add CVE-2026-0257 to the rotation, we’ll see the cookie POST from a source whose /php/login.php traffic we already have indexed. That cross-product is the actor-cluster signal we care about more than any individual firing.
- The kit-artifact strings may rotate. GP-CLIENT and DESKTOP-GP01 are distinctive enough that any actor reading Rapid7’s writeup will change them within hours. Watch SID 9026330 (cookie field match) for the steady-state; 9026332 (string match) will give us the first-wave volume then quiet down.
- The Rapid7 PoC will spawn copy-cats. Once forge_cookie.py propagates into Metasploit modules and shell-script wrappers on GitHub, the wave volume jumps. Day 1-3 expected to be wave-1 only; day 4+ is when the long-tail commodity scanners join.
Why we don’t run vulnerable PAN-OS
We deliberately don’t terminate the auth-override flow on a real-or-near-real PAN-OS build. The exploit primitive issues a valid GlobalProtect tunnel session; standing up an actual vulnerable PAN-OS and letting attackers establish tunnels would be giving them a pivot platform, not capturing intent. Our PA honeypot answers the /login.esp POST with the canonical auth-cookie XML response (a plausible <jnlp> blob with a random cookie value) so the attacker’s tooling marks the target as compromised and moves on to the next step in its sequence — which is also captured.
Status & Next Steps
Daily review cadence as long as the hunt is open — same playbook as the CVE-2026-0300 hunt, CVE-2026-42945 NGINX Rift hunt, and CVE-2026-23918 Apache mod_http2 hunt.
First real firing closes the day-0 watch and starts the live observation period. Two reserved SIDs (9026333, 9026334) will land in a future rev:2 with Suricata flowint to track the cookie-POST → getconfig.esp → tunnel-setup multi-request handshake.
§ 2026-05-31 · Day 1 review — zero firings, zero Rapid7-IOC traffic, zero forged-cookie POSTs
First full 24-hour window since the bait went live on 2026-05-30 morning. Zero firings of SIDs 9026330–9026332 across all three sensors, zero cve_2026_0257_authbypass classifier hits in the PA honeypot, zero connections from any of the four Rapid7-tracked actor IPs (104.207.144.154, 146.19.216.119/120/125). The new hunt is silent.
That’s an honest day-1 result rather than a surprising one. The Rapid7 writeup tracked the wave-1 / wave-2 windows on 2026-05-17 and 2026-05-21 respectively; by the time CISA added CVE-2026-0257 to the KEV catalog on 2026-05-29 and we stood up coverage on 2026-05-30, the initial high-volume push from the Vultr+Dromatics hosts was already over. We deliberately opened the hunt anyway because:
- The Rapid7 PoC propagates. Public exploit code lowers the skill floor by an order of magnitude. Wave-3 from commodity scanners and Metasploit-module copy-cats is the expected next stage.
- The cookie-field signature has near-zero FP. No benign GP client sends portal-(prelogon)userauthcookie to a fresh /login.esp POST. So whenever the next wave arrives — tomorrow, next week, next month — we catch it cleanly.
- Polyglot scanners will add this to their rotation. The same rondo-class operator we just tracked returning via Tor at T+18 for the captive-portal CVE has a documented pattern of sweeping every PAN-OS endpoint they know about. CVE-2026-0257 is now on every defender’s list, so it’s also on every attacker’s list.
Notable cross-thread: the T+18 PAN-OS captive-portal wave that broke the silence streak on the CVE-2026-0300 hunt this morning came from four Tor exit IPs — none of which match any of the Rapid7 CVE-2026-0257 IOCs. The CVE-2026-0300 and CVE-2026-0257 hunts both target the same product (PAN-OS) but the two operator clusters running active campaigns against them today are disjoint. That’s a useful baseline: the rondo-class kit is a captive-portal-BoF specialist, and the CVE-2026-0257 actors are an auth-bypass-cookie specialist. Same vendor, different rooms.
Continuing daily reviews. Day-2 expectation: still silent on 9026330-9026332, watching for the first commodity-scanner pickup once the Rapid7 PoC starts propagating into wider tooling.
§ 2026-06-03 · Day 4 review — silence holds, zero firings, zero Rapid7-IOC traffic, zero forged-cookie POSTs
Three more clean days. Zero firings on SIDs 9026330–9026332 across all three sensors. Zero cve_2026_0257_authbypass classifier hits on the PA honeypot. Zero connections from any Rapid7-tracked actor IP (104.207.144.154, 146.19.216.119/120/125) on any port.
Six days since the Rapid7 writeup, four days since we stood up coverage, and the wave-3 commodity-scanner pickup we were watching for still hasn’t arrived. The PoC at github.com/sfewer-r7/CVE-2026-0257 hasn’t propagated into Metasploit modules yet (last public commit on that repo is 2026-05-29). Until it does, the cookie-forgery PoC stays in the hands of the original rapid-prototype operators — who already worked through their target list in wave-1 (2026-05-17) and wave-2 (2026-05-21).
Notable absence: the T+18 PAN-OS captive-portal wave that broke the CVE-2026-0300 hunt’s silence streak came from four Tor exit IPs. None of them attempted CVE-2026-0257. That’s consistent with the day-1 observation that the rondo-class kit operators and the CVE-2026-0257 operators are disjoint clusters. Three more days of telemetry support the same framing: same vendor (PAN-OS), different operator specialisations, no observed pivot from one CVE to the other.
Continuing daily reviews. Watching specifically for: (a) wave-3 from Metasploit-module copy-cats once the PoC propagates, (b) any rondo-class actor IP pivoting to a forged-cookie POST (none observed so far), (c) the disjoint-cluster baseline holding through more T+N events on CVE-2026-0300.
Parallel-thread: CVE-2026-0300 T+21 three-day silence streak; NGINX Rift day 10 Spark-Tor FP; Apache mod_http2 day 6 wide-port-scanner FP on 9026502.