← feed

rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse

CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access

IIM chain built from the original Rapid7 report published on 2026-05-29 and included here as an accepted follow-up for the 2026-05-31 request. Rapid7 observed exploitation of CVE-2026-0257 against PAN-OS / Prisma Access GlobalProtect deployments where authentication override cookies were enabled and a reusable certificate configuration exposed a usable public key. Threat actors from four published source IPs used forged portal-userauthcookie or portal-prelogonuserauthcookie values against /ssl-vpn/login.esp, achieved successful cookie-authenticated admin logins, and in a subset of observed cases received VPN assignment and internal-network access. No malware payload, dropper URL, or external C2 panel is published, so this chain models edge-access abuse rather than a traditional delivery-to-C2 malware chain.

confirmed IIM v1.1 unknown
Raw JSON
entities9
relations9
techniques0
published2026-05-31 19:08:44

Infrastructure map

Role-based chain map

click nodes or numbered relations to inspect the infrastructure path
entryredirectorstagingpayloadc2

Chain storyline

ordered IIM positions
1
entry

ip

104.207.144.154

2
entry

ip

146.19.216.119

3
entry

ip

146.19.216.120

4
entry

ip

146.19.216.125

5
redirector

url

/ssl-vpn/login.esp on affected GlobalProtect portal/gateway

6
staging

certificate

Reused certificate/public key from affected GlobalProtect certificate chain

7
payload

file

Forged GlobalProtect authentication-override cookie (portal-userauthcookie / portal-prelogonuserauthcookie)

8
payload

file

Successful cookie-authenticated GlobalProtect admin login session (examples: GP-CLIENT, DESKTOP-GP01, spoofed MAC aa:bb:cc:dd:ee:ff)

9
c2

file

VPN-assigned internal-network access after successful cookie authentication (subset of victims)

Relations

directed infrastructure edges
e001connecte005 confirmed
e002connecte005 confirmed
e003connecte005 confirmed
e004connecte005 confirmed
e005referencese006 confirmed
e006referencese007 confirmed
e007connecte005 confirmed
e005executee008 confirmed
e008connecte009 confirmed

Entities & evidence

observable inventory
IDTypeValueSource / evidence
e001 ip 104.207.144.154
Rapid7 observed successful cookie-authenticated local admin logon activity from 104.207.144.154 during the first wave.
Rapid7 IOC table labels 104.207.144.154 as a threat actor source IP.
e002 ip 146.19.216.119
Rapid7 IOC table labels 146.19.216.119 as a threat actor source IP.
Rapid7 states the second wave originated from Dromatics Systems.
e003 ip 146.19.216.120
Rapid7 IOC table labels 146.19.216.120 as a threat actor source IP.
Rapid7 states the second wave originated from Dromatics Systems.
e004 ip 146.19.216.125
Rapid7 publishes a log entry showing DESKTOP-GP01 logging in from 146.19.216.125 via Cookie authentication as admin.
Rapid7 IOC table labels 146.19.216.125 as a threat actor source IP.
e005 url /ssl-vpn/login.esp on affected GlobalProtect portal/gateway
Rapid7 states that portal-userauthcookie or portal-prelogonuserauthcookie values are processed during POST requests to /ssl-vpn/login.esp.
Rapid7 validated successful proof-of-concept exploitation against the vulnerable GlobalProtect authentication endpoint.
e006 certificate Reused certificate/public key from affected GlobalProtect certificate chain
Rapid7 explains that if the certificate used to encrypt and decrypt authentication override cookies is reused with HTTPS or another feature, an attacker can learn the public key.
Rapid7 demonstrates forging cookies with the public key from the certificate chain in its proof-of-concept.
e007 file Forged GlobalProtect authentication-override cookie (portal-userauthcookie / portal-prelogonuserauthcookie)
Rapid7 states forged authentication override cookies were used in real-world exploitation.
Rapid7 explains the affected code trusts decrypted cookie content without post-decryption signature verification.
e008 file Successful cookie-authenticated GlobalProtect admin login session (examples: GP-CLIENT, DESKTOP-GP01, spoofed MAC aa:bb:cc:dd:ee:ff)
Rapid7 publishes multiple successful gateway-auth Cookie login examples using the admin account.
Rapid7 notes GP-CLIENT for Linux authentications, DESKTOP-GP01 for Windows authentications, and the spoofed MAC aa:bb:cc:dd:ee:ff in both waves.
e009 file VPN-assigned internal-network access after successful cookie authentication (subset of victims)
Rapid7 states the second wave included VPN IP assignment following cookie authentication, granting internal-network access.
Rapid7 says 8 out of 10 impacted MDR customers saw accepted forged-cookie authentication without a full VPN session, implying internal access only on a subset.

ATT&CK annotations

optional complementary mapping
T1190Exploit Public-Facing Application

Rapid7 attributes the activity to exploitation of the GlobalProtect authentication bypass vulnerability CVE-2026-0257.

T1133External Remote Services

The target service is the externally exposed GlobalProtect VPN portal/gateway.

T1078Valid Accounts

The forged-cookie abuse produces trusted admin logon behavior without normal credential reauthentication.

Raw IIM JSON canonical body from MANTIS expand
{
  "iim_version": "1.1",
  "chain_id": "rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse",
  "title": "CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access",
  "description": "IIM chain built from the original Rapid7 report published on 2026-05-29 and included here as an accepted follow-up for the 2026-05-31 request. Rapid7 observed exploitation of CVE-2026-0257 against PAN-OS / Prisma Access GlobalProtect deployments where authentication override cookies were enabled and a reusable certificate configuration exposed a usable public key. Threat actors from four published source IPs used forged portal-userauthcookie or portal-prelogonuserauthcookie values against /ssl-vpn/login.esp, achieved successful cookie-authenticated admin logins, and in a subset of observed cases received VPN assignment and internal-network access. No malware payload, dropper URL, or external C2 panel is published, so this chain models edge-access abuse rather than a traditional delivery-to-C2 malware chain.",
  "actor_id": "unknown",
  "observed_at": "2026-05-29T00:00:00Z",
  "confidence": "confirmed",
  "needs_review": false,
  "import_source": "manual-osint-report-to-iim-conversion",
  "x_source": {
    "title": "Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)",
    "publisher": "Rapid7",
    "author": "Rapid7",
    "url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
    "published_at": "2026-05-29",
    "accessed_at": "2026-05-31T19:00:18.390040+00:00",
    "source_type": "original vendor threat research / incident reporting",
    "source_policy": "Only the original Rapid7 article was used. No secondary summaries were used for chain content."
  },
  "x_source_title": "CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access",
  "x_source_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
  "x_resource_links_verified": [
    {
      "url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "status": "opened via web retrieval",
      "verified_at": "2026-05-31T19:00:18.390040+00:00",
      "notes": "Verified publication date, source IP IOC list, login-log examples, /ssl-vpn/login.esp cookie flow, forged-cookie abuse using certificate public keys, and subset internal VPN access."
    }
  ],
  "x_iocs": {
    "ips": [
      "104.207.144.154",
      "146.19.216.119",
      "146.19.216.120",
      "146.19.216.125"
    ],
    "urls": [
      "/ssl-vpn/login.esp"
    ],
    "files": [
      "Forged portal-userauthcookie",
      "Forged portal-prelogonuserauthcookie"
    ],
    "hostnames": [
      "GP-CLIENT",
      "DESKTOP-GP01"
    ],
    "mac_addresses": [
      "aa:bb:cc:dd:ee:ff"
    ]
  },
  "x_limitations": [
    "Rapid7 does not publish victim portal or gateway hostnames, domains, or target IPs. The /ssl-vpn/login.esp node is therefore modeled generically as the affected GlobalProtect authentication endpoint.",
    "Rapid7 publishes threat-actor source IPs and successful cookie-authentication behavior but no malware payload, dropper, or external C2. The chain is intentionally modeled as edge-access infrastructure abuse rather than malware delivery.",
    "Rapid7 demonstrates a lab proof-of-concept using a certificate chain and a forged cookie. The exact real-world certificate subjects for victim environments are not published; the certificate node therefore remains generic.",
    "VPN assignment occurred only on a subset of impacted customers according to Rapid7. The final VPN-access node is modeled as confirmed but with this subset caveat."
  ],
  "entities": [
    {
      "id": "e001",
      "type": "ip",
      "value": "104.207.144.154",
      "observed_at": "2026-05-18T01:51:37Z",
      "source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
      "evidence": [
        "Rapid7 observed successful cookie-authenticated local admin logon activity from 104.207.144.154 during the first wave.",
        "Rapid7 IOC table labels 104.207.144.154 as a threat actor source IP."
      ],
      "x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "x_hosting_provider_context": "Vultr",
      "x_chain_stage": "source_infrastructure"
    },
    {
      "id": "e002",
      "type": "ip",
      "value": "146.19.216.119",
      "observed_at": "2026-05-21T00:00:00Z",
      "source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
      "evidence": [
        "Rapid7 IOC table labels 146.19.216.119 as a threat actor source IP.",
        "Rapid7 states the second wave originated from Dromatics Systems."
      ],
      "x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "x_hosting_provider_context": "Dromatics Systems",
      "x_chain_stage": "source_infrastructure"
    },
    {
      "id": "e003",
      "type": "ip",
      "value": "146.19.216.120",
      "observed_at": "2026-05-21T00:00:00Z",
      "source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
      "evidence": [
        "Rapid7 IOC table labels 146.19.216.120 as a threat actor source IP.",
        "Rapid7 states the second wave originated from Dromatics Systems."
      ],
      "x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "x_hosting_provider_context": "Dromatics Systems",
      "x_chain_stage": "source_infrastructure"
    },
    {
      "id": "e004",
      "type": "ip",
      "value": "146.19.216.125",
      "observed_at": "2026-05-21T01:54:39Z",
      "source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
      "evidence": [
        "Rapid7 publishes a log entry showing DESKTOP-GP01 logging in from 146.19.216.125 via Cookie authentication as admin.",
        "Rapid7 IOC table labels 146.19.216.125 as a threat actor source IP."
      ],
      "x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "x_hosting_provider_context": "Dromatics Systems",
      "x_chain_stage": "source_infrastructure"
    },
    {
      "id": "e005",
      "type": "url",
      "value": "/ssl-vpn/login.esp on affected GlobalProtect portal/gateway",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
      "evidence": [
        "Rapid7 states that portal-userauthcookie or portal-prelogonuserauthcookie values are processed during POST requests to /ssl-vpn/login.esp.",
        "Rapid7 validated successful proof-of-concept exploitation against the vulnerable GlobalProtect authentication endpoint."
      ],
      "x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "x_http_method": "POST",
      "x_port": 443,
      "x_chain_stage": "victim_exposed_auth_endpoint"
    },
    {
      "id": "e006",
      "type": "certificate",
      "value": "Reused certificate/public key from affected GlobalProtect certificate chain",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
      "evidence": [
        "Rapid7 explains that if the certificate used to encrypt and decrypt authentication override cookies is reused with HTTPS or another feature, an attacker can learn the public key.",
        "Rapid7 demonstrates forging cookies with the public key from the certificate chain in its proof-of-concept."
      ],
      "x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "x_chain_stage": "public_key_enabler"
    },
    {
      "id": "e007",
      "type": "file",
      "value": "Forged GlobalProtect authentication-override cookie (portal-userauthcookie / portal-prelogonuserauthcookie)",
      "observed_at": "2026-05-29T00:00:00Z",
      "source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
      "evidence": [
        "Rapid7 states forged authentication override cookies were used in real-world exploitation.",
        "Rapid7 explains the affected code trusts decrypted cookie content without post-decryption signature verification."
      ],
      "x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "x_cookie_parameters": [
        "portal-userauthcookie",
        "portal-prelogonuserauthcookie"
      ],
      "x_chain_stage": "forged_auth_artifact"
    },
    {
      "id": "e008",
      "type": "file",
      "value": "Successful cookie-authenticated GlobalProtect admin login session (examples: GP-CLIENT, DESKTOP-GP01, spoofed MAC aa:bb:cc:dd:ee:ff)",
      "observed_at": "2026-05-18T01:51:37Z",
      "source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
      "evidence": [
        "Rapid7 publishes multiple successful gateway-auth Cookie login examples using the admin account.",
        "Rapid7 notes GP-CLIENT for Linux authentications, DESKTOP-GP01 for Windows authentications, and the spoofed MAC aa:bb:cc:dd:ee:ff in both waves."
      ],
      "x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "x_observed_hostnames": [
        "GP-CLIENT",
        "DESKTOP-GP01"
      ],
      "x_spoofed_mac": "aa:bb:cc:dd:ee:ff",
      "x_chain_stage": "authenticated_access"
    },
    {
      "id": "e009",
      "type": "file",
      "value": "VPN-assigned internal-network access after successful cookie authentication (subset of victims)",
      "observed_at": "2026-05-21T00:00:00Z",
      "source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
      "evidence": [
        "Rapid7 states the second wave included VPN IP assignment following cookie authentication, granting internal-network access.",
        "Rapid7 says 8 out of 10 impacted MDR customers saw accepted forged-cookie authentication without a full VPN session, implying internal access only on a subset."
      ],
      "x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
      "x_subset_caveat": "Observed only on a subset of impacted customers.",
      "x_chain_stage": "post-auth_network_access"
    }
  ],
  "chain": [
    {
      "entity_id": "e001",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e002",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e003",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e004",
      "role": "entry",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e005",
      "role": "redirector",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e006",
      "role": "staging",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e007",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e008",
      "role": "payload",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    },
    {
      "entity_id": "e009",
      "role": "c2",
      "techniques": [],
      "role_confidence": "confirmed",
      "technique_confidence": "confirmed",
      "needs_review": false
    }
  ],
  "relations": [
    {
      "from": "e001",
      "to": "e005",
      "type": "connect",
      "sequence_order": 1,
      "observed_at": "2026-05-18T01:51:37Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Rapid7 observed 104.207.144.154 authenticating to the GlobalProtect gateway via Cookie authentication.",
        "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
      ]
    },
    {
      "from": "e002",
      "to": "e005",
      "type": "connect",
      "sequence_order": 2,
      "observed_at": "2026-05-21T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Rapid7 lists 146.19.216.119 as a threat actor source IP used in the second wave.",
        "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
      ]
    },
    {
      "from": "e003",
      "to": "e005",
      "type": "connect",
      "sequence_order": 3,
      "observed_at": "2026-05-21T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Rapid7 lists 146.19.216.120 as a threat actor source IP used in the second wave.",
        "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
      ]
    },
    {
      "from": "e004",
      "to": "e005",
      "type": "connect",
      "sequence_order": 4,
      "observed_at": "2026-05-21T01:54:39Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Rapid7 publishes a successful Cookie authentication log example from 146.19.216.125.",
        "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
      ]
    },
    {
      "from": "e005",
      "to": "e006",
      "type": "references",
      "sequence_order": 5,
      "observed_at": "2026-05-29T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Rapid7 explains that the relevant certificate chain can expose the public key needed to forge authentication-override cookies.",
        "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
      ]
    },
    {
      "from": "e006",
      "to": "e007",
      "type": "references",
      "sequence_order": 6,
      "observed_at": "2026-05-29T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Rapid7 demonstrates forging an authentication-override cookie using a certificate public key from the TLS chain.",
        "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
      ]
    },
    {
      "from": "e007",
      "to": "e005",
      "type": "connect",
      "sequence_order": 7,
      "observed_at": "2026-05-29T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Rapid7 states that portal-userauthcookie or portal-prelogonuserauthcookie values supplied to /ssl-vpn/login.esp trigger cookie-based authentication.",
        "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
      ]
    },
    {
      "from": "e005",
      "to": "e008",
      "type": "execute",
      "sequence_order": 8,
      "observed_at": "2026-05-18T01:51:37Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Rapid7 observed successful admin Cookie logins after forged-cookie abuse.",
        "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
      ]
    },
    {
      "from": "e008",
      "to": "e009",
      "type": "connect",
      "sequence_order": 9,
      "observed_at": "2026-05-21T00:00:00Z",
      "confidence": "confirmed",
      "x_evidence": [
        "Rapid7 states that in the second wave a subset of successful Cookie-authenticated sessions received VPN IP assignment and internal-network access.",
        "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
      ]
    }
  ],
  "attack_annotations": [
    {
      "technique_id": "T1190",
      "name": "Exploit Public-Facing Application",
      "tactic": "Initial Access",
      "comment": "Rapid7 attributes the activity to exploitation of the GlobalProtect authentication bypass vulnerability CVE-2026-0257."
    },
    {
      "technique_id": "T1133",
      "name": "External Remote Services",
      "tactic": "Initial Access",
      "comment": "The target service is the externally exposed GlobalProtect VPN portal/gateway."
    },
    {
      "technique_id": "T1078",
      "name": "Valid Accounts",
      "tactic": "Defense Evasion",
      "comment": "The forged-cookie abuse produces trusted admin logon behavior without normal credential reauthentication."
    }
  ]
}