Arctic Wolf Observes an Increase in Palo Alto Networks GlobalProtect Authentication Bypass Exploitation via CVE-2026-0257
Arctic Wolf Labs observed an ongoing campaign exploiting CVE-2026-0257, a high-severity authentication bypass vulnerability in Palo Alto Networks GlobalProtect. Threat actors are forging authentication override cookies to establish unauthorized VPN sessions, followed by rapid internal network reconnaissance using Impacket tooling.
Indicators of Compromise
- CVE: CVE-2026-0257
- IP: 104[.]207[.]144[.]154 (source IP used in the initial wave of suspicious cookie-based admin logins)
- IP: 179[.]43[.]172[.]213 (source IP used in the initial wave of suspicious cookie-based admin logins)
- IP: 216[.]238[.]74[.]98 (attacker IP observed successfully establishing a VPN tunnel and generating authentication errors)
What Happened
Cybercriminals are exploiting a known security flaw (CVE-2026-0257) in Palo Alto Networks VPN software to break into corporate networks without needing a password. This affects organizations using specific configurations of GlobalProtect and Prisma Access. If successful, attackers can quickly scan the internal network to find other systems to compromise. Organizations should review their VPN configurations, monitor for suspicious login patterns, and apply vendor patches immediately.
Key Takeaways
- Threat actors are actively exploiting CVE-2026-0257 to bypass authentication on Palo Alto Networks GlobalProtect and Prisma Access.
- Exploitation requires specific configurations: enabled portal/gateway, enabled authentication override cookies, and certificate reuse/exposure.
- Initial access attempts originate primarily from VPS hosting providers and Tor exit nodes, often targeting the 'admin' account.
- Successful VPN tunnel establishment is frequently followed by rapid internal SMB and NTLM reconnaissance using Impacket tooling.
Affected Systems
- Palo Alto Networks PAN-OS GlobalProtect
- Palo Alto Networks Prisma Access
Vulnerabilities (CVEs)
- CVE-2026-0257
Attack Chain
Attackers initiate the intrusion by forging authentication override cookies to bypass GlobalProtect authentication, often triggering a 'Cannot decrypt cookie' error followed by immediate success. Once authenticated, they establish an IPSec VPN tunnel to gain internal network access. Immediately after tunnel establishment, the attackers utilize Impacket tooling to conduct rapid SMB session setup requests and NTLM anonymous logons. This activity is used to enumerate network shares and discover domain users for further lateral movement.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
Arctic Wolf has deployed detections for their MDR customers, but no raw detection rules or queries are provided in the public report.
Detection Engineering Assessment
- EDR Visibility: Low. Initial access and exploitation occur on the VPN appliance, which typically lacks EDR coverage. EDR will only have visibility into subsequent SMB/NTLM traffic on internal target hosts.
- Network Visibility: High. VPN authentication logs, tunnel establishment events, and internal SMB/NTLM traffic are highly visible at the network level.
- Detection Difficulty: Moderate. Requires correlating VPN authentication errors with immediate successes, and tying VPN-assigned IP addresses to rapid internal SMB activity.
Required Log Sources
- VPN authentication logs
- Firewall traffic logs
- Windows Security Event Logs (Event ID 4624)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for GlobalProtect 'portal-auth' failures with 'Cannot decrypt cookie' immediately followed by 'portal-auth' successes from the same source IP. | VPN authentication logs | Initial Access | Low |
| Consider hunting for rapid SMB session setup requests and NTLM anonymous logons originating from newly assigned VPN client IP addresses. | Network traffic logs, Windows Security Event Logs | Discovery | Medium |
| Consider hunting for successful VPN authentications using the 'admin' account originating from known VPS hosting ASNs or Tor exit nodes. | VPN authentication logs | Initial Access | Low |
Control Gaps
- Lack of MFA enforcement on VPN (bypassed by cookie forgery)
- Permissive internal network segmentation allowing VPN clients to scan all internal SMB services
Key Behavioral Indicators
- 'Cannot decrypt cookie' error messages in GlobalProtect logs
- Device names like 'kali', 'GP-CLIENT', or 'DESKTOP-GP01' in VPN logs
- Spoofed MAC address aa:bb:cc:dd:ee:ff
- Rapid NTLMSSP activity from a single VPN tunnel IP
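The three hunting hypotheses above and the behavioral indicators in this list can be expressed as one small correlator. The following Python script is an added example, not code from Arctic Wolf or from the public report: it runs over constructed sample events in a simplified, illustrative schema (field names such as `stage`, `reason`, `assigned_ip` are assumptions and do not reflect the real PAN-OS log format), flags a 'Cannot decrypt cookie' failure followed within a short window by a success from the same source IP, ties the VPN-assigned client IP to a burst of SMB/NTLMSSP session setups against many distinct internal hosts, and marks sessions carrying the device names or spoofed MAC listed above. Thresholds (60 s, 120 s, 10 hosts) are assumptions to tune against your own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample GlobalProtect-style auth events (assumption: simplified
# schema for illustration, not the real PAN-OS log format).
VPN_AUTH_EVENTS = [
    {"ts": "2026-01-10T03:12:01", "src": "203.0.113.10", "user": "admin",
     "stage": "portal-auth", "result": "failure", "reason": "Cannot decrypt cookie",
     "device": "DESKTOP-GP01", "mac": "aa:bb:cc:dd:ee:ff", "assigned_ip": None},
    {"ts": "2026-01-10T03:12:03", "src": "203.0.113.10", "user": "admin",
     "stage": "portal-auth", "result": "success", "reason": "",
     "device": "DESKTOP-GP01", "mac": "aa:bb:cc:dd:ee:ff", "assigned_ip": "10.50.0.7"},
    # A legitimate user: one cookie error, then a normal login half an hour later.
    {"ts": "2026-01-10T08:00:00", "src": "198.51.100.5", "user": "jdoe",
     "stage": "portal-auth", "result": "failure", "reason": "Cannot decrypt cookie",
     "device": "LAPTOP-JDOE", "mac": "00:11:22:33:44:55", "assigned_ip": None},
    {"ts": "2026-01-10T08:30:00", "src": "198.51.100.5", "user": "jdoe",
     "stage": "portal-auth", "result": "success", "reason": "",
     "device": "LAPTOP-JDOE", "mac": "00:11:22:33:44:55", "assigned_ip": "10.50.0.9"},
]

# Constructed SMB session-setup / NTLMSSP events from internal sensors: the
# forged-cookie session (10.50.0.7) touches 12 hosts within 20 seconds of the
# tunnel coming up; the legitimate user touches a single file server.
SMB_EVENTS = [
    {"ts": f"2026-01-10T03:12:{10 + i:02d}", "src": "10.50.0.7",
     "dst": f"10.10.1.{i + 1}", "auth": "NTLMSSP", "user": "ANONYMOUS LOGON"}
    for i in range(12)
] + [
    {"ts": "2026-01-10T08:31:00", "src": "10.50.0.9", "dst": "10.10.1.50",
     "auth": "NTLMSSP", "user": "jdoe"},
]

# Indicators taken from the report's behavioral indicator list.
SUSPICIOUS_DEVICE_NAMES = {"kali", "gp-client", "desktop-gp01"}
SPOOFED_MACS = {"aa:bb:cc:dd:ee:ff"}


def _ts(s):
    return datetime.fromisoformat(s)


def cookie_error_then_success(events, window_seconds=60):
    """Hypothesis 1: a 'Cannot decrypt cookie' failure followed by a success
    from the same source IP within window_seconds.
    Returns a list of (src, user, assigned_ip)."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)
    hits = []
    for src, evs in by_src.items():
        for i, e in enumerate(evs):
            if e["result"] != "failure" or "cannot decrypt cookie" not in e["reason"].lower():
                continue
            for later in evs[i + 1:]:
                if _ts(later["ts"]) - _ts(e["ts"]) > timedelta(seconds=window_seconds):
                    break  # too far apart to count as "immediately followed"
                if later["result"] == "success":
                    hits.append((src, later["user"], later["assigned_ip"]))
                    break
    return hits


def rapid_smb_from_vpn_clients(auth_events, smb_events, window_seconds=120, min_hosts=10):
    """Hypothesis 2: a freshly assigned VPN client IP reaches at least min_hosts
    distinct SMB targets within window_seconds of tunnel establishment.
    Returns {client_ip: distinct_host_count}."""
    assigned = {e["assigned_ip"]: _ts(e["ts"]) for e in auth_events
                if e["result"] == "success" and e["assigned_ip"]}
    targets = defaultdict(set)
    for s in smb_events:
        start = assigned.get(s["src"])
        if start is None:
            continue  # not a VPN client we know about
        if timedelta(0) <= _ts(s["ts"]) - start <= timedelta(seconds=window_seconds):
            targets[s["src"]].add(s["dst"])
    return {ip: len(t) for ip, t in targets.items() if len(t) >= min_hosts}


def behavioral_indicators(events):
    """Source IPs whose sessions carry a listed device name or the spoofed MAC."""
    return {e["src"] for e in events
            if e["device"].lower() in SUSPICIOUS_DEVICE_NAMES
            or e["mac"].lower() in SPOOFED_MACS}


def triage(auth_events, smb_events):
    """Combine the signals into a per-source-IP list of reasons; a source that
    trips the cookie-error pattern AND rapid SMB scanning is the high-confidence case."""
    findings = defaultdict(list)
    noisy = rapid_smb_from_vpn_clients(auth_events, smb_events)
    for src, user, assigned_ip in cookie_error_then_success(auth_events):
        findings[src].append(f"cookie-error-then-success user={user}")
        if assigned_ip in noisy:
            findings[src].append(f"rapid-smb hosts={noisy[assigned_ip]} via {assigned_ip}")
    for src in behavioral_indicators(auth_events):
        findings[src].append("suspicious-device-or-mac")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in triage(VPN_AUTH_EVENTS, SMB_EVENTS).items():
        print(src, reasons)
```

On the sample data only 203.0.113.10 is reported, with all three reasons; the legitimate user's isolated cookie error is dropped by the 60-second window, which is the distinction the false-positive assessment below relies on. In production the same joins would be run as scheduled queries over the VPN authentication, firewall and Windows 4624 sources listed above, keyed on the tunnel's assigned client IP.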
False Positive Assessment
- Medium. Legitimate users might occasionally experience cookie decryption errors, and administrators might log in from unusual locations. However, the combination of cookie errors, immediate success, and rapid Impacket-style SMB scanning is highly indicative of malicious activity.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate whether to disable the GlobalProtect authentication override cookie feature if not strictly required.
- Consider rotating certificates used for the GlobalProtect portal and gateway to invalidate potentially forged cookies.
- Review VPN authentication logs for suspicious logins targeting the 'admin' account or originating from VPS infrastructure.
Infrastructure Hardening
- Ensure unique certificates are used for different services to prevent certificate reuse vulnerabilities.
- If applicable, restrict VPN access to expected geographic regions and block known Tor exit nodes or VPS ASNs.
- Implement network segmentation to restrict the internal access of VPN clients to only necessary services.
User Protection
- Consider enforcing multi-factor authentication (MFA) for all VPN access, though note this specific vulnerability bypasses standard auth flows.
- Monitor internal endpoints for rapid, anomalous SMB and NTLM authentication requests.
Security Awareness
- Educate network administrators on the risks of certificate reuse across multiple appliance services.
MITRE ATT&CK Mapping
- T1190 - Exploit Public-Facing Application
- T1078 - Valid Accounts
- T1133 - External Remote Services
- T1046 - Network Service Discovery
- T1087.002 - Account Discovery: Domain Account
- T1049 - System Network Connections Discovery
Additional IOCs
- MAC address: aa:bb:cc:dd:ee:ff (spoofed MAC address observed in suspicious VPN connections)