
Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authent...#2297

Open
carlospolop wants to merge 1 commit into master from update_Rapid7_Observed_Exploitation_of_PAN-OS_GlobalProte_20260529_202458

Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Overview

Rapid7 describes active exploitation of CVE-2026-0257, an authentication bypass in PAN-OS and Prisma Access affecting GlobalProtect portal/gateway deployments with a specific insecure configuration: GlobalProtect authentication override cookies are enabled, and the certificate used to encrypt/decrypt those cookies is reused with another feature, especially the HTTPS certificate ...

🔧 Technical Details

Public-key token forgery through encryption without authentication: The reusable trick is abusing systems that treat successful public-key decryption as proof that a token is authentic. In CVE-2026-0257, GlobalProtect authentication override cookies are encrypted with a certificate private key and then trusted after decryption, but the decrypted content is not protected by a separate signature, MAC, or authenticated encryption scheme. If an attacker can obtain the corresponding public key, they can encrypt arbitrary attacker-controlled token fields. The server decrypts the ciphertext with its private key and accepts the resulting plaintext as a valid authentication token.

Certificate reuse as key disclosure: The exploit becomes remotely practical when the certificate used for privileged cookie encryption/decryption is reused by an externally reachable feature such as the portal/gateway HTTPS service. Because TLS exposes the public certificate ...

🤖 Agent Actions

Done.

Updated:

  • src/pentesting-web/hacking-with-cookies/README.md

What I added:

  • A new section on public-key cookie forgery when decryption is treated as authentication
  • A GlobalProtect authentication override example abstracted as a reusable technique
  • Short testing ideas and hunting/detection guidance
  • References to the Rapid7 blog, Palo Alto advisory, and Rapid7 PoC

Also fixed:

  • An existing malformed line after a <details> block in that same file

Validation:

  • Checked the diff and basic markdown structure
  • Could not run mdbook build because mdbook is not installed in this environment

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
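The decrypt-equals-authenticate flaw described in the summary above, shown as an added example that is not part of this PR or of the HackTricks page: a toy textbook-RSA cookie where the vulnerable verifier trusts anything that decrypts cleanly, beside a verifier that additionally checks an HMAC under a secret only the server holds. The tiny primes, the MAC key and the cookie field names are constructed for illustration.

```python
import hashlib
import hmac

# Toy textbook RSA with tiny constructed primes: illustration only, not a real cipher.
P, Q, E = 61, 53, 17
N = P * Q                          # 3233, public modulus
D = pow(E, -1, (P - 1) * (Q - 1))  # 2753, private exponent

PUBLIC_KEY = (E, N)   # the part a TLS handshake hands out when the cert is reused
PRIVATE_KEY = (D, N)  # held only by the portal/gateway

# Constructed server-only secret used for integrity; it is never sent to clients.
MAC_KEY = b"constructed-server-only-integrity-secret"
TAG_LEN = hashlib.sha256().digest_size  # 32

def pk_encrypt(data, pub=PUBLIC_KEY):
    """Encrypt byte by byte with the public key; anyone holding it can do this."""
    e, n = pub
    return [pow(b, e, n) for b in data]

def pk_decrypt(blocks, priv=PRIVATE_KEY):
    """Decrypt with the private key; succeeds for ANY ciphertext made with the public key."""
    d, n = priv
    return bytes(pow(c, d, n) for c in blocks)

def parse_fields(payload):
    return dict(kv.split("=", 1) for kv in payload.decode().split("&"))

# Vulnerable pattern: a clean decryption is treated as proof the cookie was issued by us.
def verify_cookie_vulnerable(cookie):
    return parse_fields(pk_decrypt(cookie))  # nothing binds the plaintext to the issuer

# Hardened pattern: the issuer appends an HMAC under a secret only the server holds.
def issue_cookie_hardened(payload):
    tag = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()
    return pk_encrypt(payload + tag)

def verify_cookie_hardened(cookie):
    plain = pk_decrypt(cookie)
    if len(plain) <= TAG_LEN:
        return None
    payload, tag = plain[:-TAG_LEN], plain[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # decrypts fine, but was not issued by this server
    return parse_fields(payload)
```

For detection purposes the same property applies: with the vulnerable check there is no server-side artifact distinguishing an issued cookie from one produced with only the public key, which is why the fix has to add an integrity secret rather than rely on decryption succeeding.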

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257

Content Categories: Based on the analysis, this content was categorized under "Network Services Pentesting → VPN / Palo Alto GlobalProtect, or a new page under 80/443 Pentesting Web for PAN-OS GlobalProtect authentication bypasses".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
