rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse
CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access
IIM chain built from the original Rapid7 report published on 2026-05-29 and included here as an accepted follow-up for the 2026-05-31 request. Rapid7 observed exploitation of CVE-2026-0257 against PAN-OS / Prisma Access GlobalProtect deployments where authentication override cookies were enabled and a reusable certificate configuration exposed a usable public key. Threat actors from four published source IPs used forged portal-userauthcookie or portal-prelogonuserauthcookie values against /ssl-vpn/login.esp, achieved successful cookie-authenticated admin logins, and in a subset of observed cases received VPN assignment and internal-network access. No malware payload, dropper URL, or external C2 panel is published, so this chain models edge-access abuse rather than a traditional delivery-to-C2 malware chain.
Infrastructure map
Role-based chain map
Chain storyline
ordered IIM positionsip
104.207.144.154
ip
146.19.216.119
ip
146.19.216.120
ip
146.19.216.125
url
/ssl-vpn/login.esp on affected GlobalProtect portal/gateway
certificate
Reused certificate/public key from affected GlobalProtect certificate chain
file
Forged GlobalProtect authentication-override cookie (portal-userauthcookie / portal-prelogonuserauthcookie)
file
Successful cookie-authenticated GlobalProtect admin login session (examples: GP-CLIENT, DESKTOP-GP01, spoofed MAC aa:bb:cc:dd:ee:ff)
file
VPN-assigned internal-network access after successful cookie authentication (subset of victims)
Relations
directed infrastructure edgese001connecte005
confirmed
e002connecte005
confirmed
e003connecte005
confirmed
e004connecte005
confirmed
e005referencese006
confirmed
e006referencese007
confirmed
e007connecte005
confirmed
e005executee008
confirmed
e008connecte009
confirmed
Entities & evidence
observable inventory| ID | Type | Value | Source / evidence |
|---|---|---|---|
e001 |
ip | 104.207.144.154 |
Rapid7 observed successful cookie-authenticated local admin logon activity from 104.207.144.154 during the first wave. Rapid7 IOC table labels 104.207.144.154 as a threat actor source IP. |
e002 |
ip | 146.19.216.119 |
Rapid7 IOC table labels 146.19.216.119 as a threat actor source IP. Rapid7 states the second wave originated from Dromatics Systems. |
e003 |
ip | 146.19.216.120 |
Rapid7 IOC table labels 146.19.216.120 as a threat actor source IP. Rapid7 states the second wave originated from Dromatics Systems. |
e004 |
ip | 146.19.216.125 |
Rapid7 publishes a log entry showing DESKTOP-GP01 logging in from 146.19.216.125 via Cookie authentication as admin. Rapid7 IOC table labels 146.19.216.125 as a threat actor source IP. |
e005 |
url | /ssl-vpn/login.esp on affected GlobalProtect portal/gateway |
Rapid7 states that portal-userauthcookie or portal-prelogonuserauthcookie values are processed during POST requests to /ssl-vpn/login.esp. Rapid7 validated successful proof-of-concept exploitation against the vulnerable GlobalProtect authentication endpoint. |
e006 |
certificate | Reused certificate/public key from affected GlobalProtect certificate chain |
Rapid7 explains that if the certificate used to encrypt and decrypt authentication override cookies is reused with HTTPS or another feature, an attacker can learn the public key. Rapid7 demonstrates forging cookies with the public key from the certificate chain in its proof-of-concept. |
e007 |
file | Forged GlobalProtect authentication-override cookie (portal-userauthcookie / portal-prelogonuserauthcookie) |
Rapid7 states forged authentication override cookies were used in real-world exploitation. Rapid7 explains the affected code trusts decrypted cookie content without post-decryption signature verification. |
e008 |
file | Successful cookie-authenticated GlobalProtect admin login session (examples: GP-CLIENT, DESKTOP-GP01, spoofed MAC aa:bb:cc:dd:ee:ff) |
Rapid7 publishes multiple successful gateway-auth Cookie login examples using the admin account. Rapid7 notes GP-CLIENT for Linux authentications, DESKTOP-GP01 for Windows authentications, and the spoofed MAC aa:bb:cc:dd:ee:ff in both waves. |
e009 |
file | VPN-assigned internal-network access after successful cookie authentication (subset of victims) |
Rapid7 states the second wave included VPN IP assignment following cookie authentication, granting internal-network access. Rapid7 says 8 out of 10 impacted MDR customers saw accepted forged-cookie authentication without a full VPN session, implying internal access only on a subset. |
ATT&CK annotations
optional complementary mappingRapid7 attributes the activity to exploitation of the GlobalProtect authentication bypass vulnerability CVE-2026-0257.
The target service is the externally exposed GlobalProtect VPN portal/gateway.
The forged-cookie abuse produces trusted admin logon behavior without normal credential reauthentication.
Raw IIM JSON canonical body from MANTIS expand
{
"iim_version": "1.1",
"chain_id": "rapid7.2026.cve-2026-0257-globalprotect-auth-override-cookie-abuse",
"title": "CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access",
"description": "IIM chain built from the original Rapid7 report published on 2026-05-29 and included here as an accepted follow-up for the 2026-05-31 request. Rapid7 observed exploitation of CVE-2026-0257 against PAN-OS / Prisma Access GlobalProtect deployments where authentication override cookies were enabled and a reusable certificate configuration exposed a usable public key. Threat actors from four published source IPs used forged portal-userauthcookie or portal-prelogonuserauthcookie values against /ssl-vpn/login.esp, achieved successful cookie-authenticated admin logins, and in a subset of observed cases received VPN assignment and internal-network access. No malware payload, dropper URL, or external C2 panel is published, so this chain models edge-access abuse rather than a traditional delivery-to-C2 malware chain.",
"actor_id": "unknown",
"observed_at": "2026-05-29T00:00:00Z",
"confidence": "confirmed",
"needs_review": false,
"import_source": "manual-osint-report-to-iim-conversion",
"x_source": {
"title": "Rapid7 Observed Exploitation of PAN-OS GlobalProtect Authentication Bypass Vulnerability (CVE-2026-0257)",
"publisher": "Rapid7",
"author": "Rapid7",
"url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"published_at": "2026-05-29",
"accessed_at": "2026-05-31T19:00:18.390040+00:00",
"source_type": "original vendor threat research / incident reporting",
"source_policy": "Only the original Rapid7 article was used. No secondary summaries were used for chain content."
},
"x_source_title": "CVE-2026-0257: threat-actor source IPs to forged GlobalProtect authentication-override cookie and internal VPN access",
"x_source_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_resource_links_verified": [
{
"url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"status": "opened via web retrieval",
"verified_at": "2026-05-31T19:00:18.390040+00:00",
"notes": "Verified publication date, source IP IOC list, login-log examples, /ssl-vpn/login.esp cookie flow, forged-cookie abuse using certificate public keys, and subset internal VPN access."
}
],
"x_iocs": {
"ips": [
"104.207.144.154",
"146.19.216.119",
"146.19.216.120",
"146.19.216.125"
],
"urls": [
"/ssl-vpn/login.esp"
],
"files": [
"Forged portal-userauthcookie",
"Forged portal-prelogonuserauthcookie"
],
"hostnames": [
"GP-CLIENT",
"DESKTOP-GP01"
],
"mac_addresses": [
"aa:bb:cc:dd:ee:ff"
]
},
"x_limitations": [
"Rapid7 does not publish victim portal or gateway hostnames, domains, or target IPs. The /ssl-vpn/login.esp node is therefore modeled generically as the affected GlobalProtect authentication endpoint.",
"Rapid7 publishes threat-actor source IPs and successful cookie-authentication behavior but no malware payload, dropper, or external C2. The chain is intentionally modeled as edge-access infrastructure abuse rather than malware delivery.",
"Rapid7 demonstrates a lab proof-of-concept using a certificate chain and a forged cookie. The exact real-world certificate subjects for victim environments are not published; the certificate node therefore remains generic.",
"VPN assignment occurred only on a subset of impacted customers according to Rapid7. The final VPN-access node is modeled as confirmed but with this subset caveat."
],
"entities": [
{
"id": "e001",
"type": "ip",
"value": "104.207.144.154",
"observed_at": "2026-05-18T01:51:37Z",
"source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
"evidence": [
"Rapid7 observed successful cookie-authenticated local admin logon activity from 104.207.144.154 during the first wave.",
"Rapid7 IOC table labels 104.207.144.154 as a threat actor source IP."
],
"x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_hosting_provider_context": "Vultr",
"x_chain_stage": "source_infrastructure"
},
{
"id": "e002",
"type": "ip",
"value": "146.19.216.119",
"observed_at": "2026-05-21T00:00:00Z",
"source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
"evidence": [
"Rapid7 IOC table labels 146.19.216.119 as a threat actor source IP.",
"Rapid7 states the second wave originated from Dromatics Systems."
],
"x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_hosting_provider_context": "Dromatics Systems",
"x_chain_stage": "source_infrastructure"
},
{
"id": "e003",
"type": "ip",
"value": "146.19.216.120",
"observed_at": "2026-05-21T00:00:00Z",
"source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
"evidence": [
"Rapid7 IOC table labels 146.19.216.120 as a threat actor source IP.",
"Rapid7 states the second wave originated from Dromatics Systems."
],
"x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_hosting_provider_context": "Dromatics Systems",
"x_chain_stage": "source_infrastructure"
},
{
"id": "e004",
"type": "ip",
"value": "146.19.216.125",
"observed_at": "2026-05-21T01:54:39Z",
"source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
"evidence": [
"Rapid7 publishes a log entry showing DESKTOP-GP01 logging in from 146.19.216.125 via Cookie authentication as admin.",
"Rapid7 IOC table labels 146.19.216.125 as a threat actor source IP."
],
"x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_hosting_provider_context": "Dromatics Systems",
"x_chain_stage": "source_infrastructure"
},
{
"id": "e005",
"type": "url",
"value": "/ssl-vpn/login.esp on affected GlobalProtect portal/gateway",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
"evidence": [
"Rapid7 states that portal-userauthcookie or portal-prelogonuserauthcookie values are processed during POST requests to /ssl-vpn/login.esp.",
"Rapid7 validated successful proof-of-concept exploitation against the vulnerable GlobalProtect authentication endpoint."
],
"x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_http_method": "POST",
"x_port": 443,
"x_chain_stage": "victim_exposed_auth_endpoint"
},
{
"id": "e006",
"type": "certificate",
"value": "Reused certificate/public key from affected GlobalProtect certificate chain",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
"evidence": [
"Rapid7 explains that if the certificate used to encrypt and decrypt authentication override cookies is reused with HTTPS or another feature, an attacker can learn the public key.",
"Rapid7 demonstrates forging cookies with the public key from the certificate chain in its proof-of-concept."
],
"x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_chain_stage": "public_key_enabler"
},
{
"id": "e007",
"type": "file",
"value": "Forged GlobalProtect authentication-override cookie (portal-userauthcookie / portal-prelogonuserauthcookie)",
"observed_at": "2026-05-29T00:00:00Z",
"source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
"evidence": [
"Rapid7 states forged authentication override cookies were used in real-world exploitation.",
"Rapid7 explains the affected code trusts decrypted cookie content without post-decryption signature verification."
],
"x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_cookie_parameters": [
"portal-userauthcookie",
"portal-prelogonuserauthcookie"
],
"x_chain_stage": "forged_auth_artifact"
},
{
"id": "e008",
"type": "file",
"value": "Successful cookie-authenticated GlobalProtect admin login session (examples: GP-CLIENT, DESKTOP-GP01, spoofed MAC aa:bb:cc:dd:ee:ff)",
"observed_at": "2026-05-18T01:51:37Z",
"source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
"evidence": [
"Rapid7 publishes multiple successful gateway-auth Cookie login examples using the admin account.",
"Rapid7 notes GP-CLIENT for Linux authentications, DESKTOP-GP01 for Windows authentications, and the spoofed MAC aa:bb:cc:dd:ee:ff in both waves."
],
"x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_observed_hostnames": [
"GP-CLIENT",
"DESKTOP-GP01"
],
"x_spoofed_mac": "aa:bb:cc:dd:ee:ff",
"x_chain_stage": "authenticated_access"
},
{
"id": "e009",
"type": "file",
"value": "VPN-assigned internal-network access after successful cookie authentication (subset of victims)",
"observed_at": "2026-05-21T00:00:00Z",
"source": "Rapid7: CVE-2026-0257 exploitation report (published 2026-05-29)",
"evidence": [
"Rapid7 states the second wave included VPN IP assignment following cookie authentication, granting internal-network access.",
"Rapid7 says 8 out of 10 impacted MDR customers saw accepted forged-cookie authentication without a full VPN session, implying internal access only on a subset."
],
"x_reference_url": "https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/",
"x_subset_caveat": "Observed only on a subset of impacted customers.",
"x_chain_stage": "post-auth_network_access"
}
],
"chain": [
{
"entity_id": "e001",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e002",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e003",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e004",
"role": "entry",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e005",
"role": "redirector",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e006",
"role": "staging",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e007",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e008",
"role": "payload",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
},
{
"entity_id": "e009",
"role": "c2",
"techniques": [],
"role_confidence": "confirmed",
"technique_confidence": "confirmed",
"needs_review": false
}
],
"relations": [
{
"from": "e001",
"to": "e005",
"type": "connect",
"sequence_order": 1,
"observed_at": "2026-05-18T01:51:37Z",
"confidence": "confirmed",
"x_evidence": [
"Rapid7 observed 104.207.144.154 authenticating to the GlobalProtect gateway via Cookie authentication.",
"https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
]
},
{
"from": "e002",
"to": "e005",
"type": "connect",
"sequence_order": 2,
"observed_at": "2026-05-21T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Rapid7 lists 146.19.216.119 as a threat actor source IP used in the second wave.",
"https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
]
},
{
"from": "e003",
"to": "e005",
"type": "connect",
"sequence_order": 3,
"observed_at": "2026-05-21T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Rapid7 lists 146.19.216.120 as a threat actor source IP used in the second wave.",
"https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
]
},
{
"from": "e004",
"to": "e005",
"type": "connect",
"sequence_order": 4,
"observed_at": "2026-05-21T01:54:39Z",
"confidence": "confirmed",
"x_evidence": [
"Rapid7 publishes a successful Cookie authentication log example from 146.19.216.125.",
"https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
]
},
{
"from": "e005",
"to": "e006",
"type": "references",
"sequence_order": 5,
"observed_at": "2026-05-29T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Rapid7 explains that the relevant certificate chain can expose the public key needed to forge authentication-override cookies.",
"https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
]
},
{
"from": "e006",
"to": "e007",
"type": "references",
"sequence_order": 6,
"observed_at": "2026-05-29T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Rapid7 demonstrates forging an authentication-override cookie using a certificate public key from the TLS chain.",
"https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
]
},
{
"from": "e007",
"to": "e005",
"type": "connect",
"sequence_order": 7,
"observed_at": "2026-05-29T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Rapid7 states that portal-userauthcookie or portal-prelogonuserauthcookie values supplied to /ssl-vpn/login.esp trigger cookie-based authentication.",
"https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
]
},
{
"from": "e005",
"to": "e008",
"type": "execute",
"sequence_order": 8,
"observed_at": "2026-05-18T01:51:37Z",
"confidence": "confirmed",
"x_evidence": [
"Rapid7 observed successful admin Cookie logins after forged-cookie abuse.",
"https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
]
},
{
"from": "e008",
"to": "e009",
"type": "connect",
"sequence_order": 9,
"observed_at": "2026-05-21T00:00:00Z",
"confidence": "confirmed",
"x_evidence": [
"Rapid7 states that in the second wave a subset of successful Cookie-authenticated sessions received VPN IP assignment and internal-network access.",
"https://www.rapid7.com/blog/post/etr-rapid7-observed-exploitation-of-pan-os-globalprotect-authentication-bypass-vulnerability-cve-2026-0257/"
]
}
],
"attack_annotations": [
{
"technique_id": "T1190",
"name": "Exploit Public-Facing Application",
"tactic": "Initial Access",
"comment": "Rapid7 attributes the activity to exploitation of the GlobalProtect authentication bypass vulnerability CVE-2026-0257."
},
{
"technique_id": "T1133",
"name": "External Remote Services",
"tactic": "Initial Access",
"comment": "The target service is the externally exposed GlobalProtect VPN portal/gateway."
},
{
"technique_id": "T1078",
"name": "Valid Accounts",
"tactic": "Defense Evasion",
"comment": "The forged-cookie abuse produces trusted admin logon behavior without normal credential reauthentication."
}
]
}