
Active Exploitation of PAN-OS Authentication Flaw Targets GlobalProtect Gateways

Threat actors are actively exploiting an authentication bypass flaw in Palo Alto Networks PAN-OS that lets forged session cookies obtain unauthorized VPN access through GlobalProtect gateways.

CSBadmin

Authentication Bypass Mechanism

Palo Alto Networks has confirmed active exploitation of a significant authentication bypass vulnerability affecting its PAN-OS and Prisma Access products. The flaw, first detailed in a security advisory on May 13, lies in a non-default feature called authentication override. When it is enabled, GlobalProtect portals and gateways issue an encrypted cookie to a user who has authenticated once; the cookie then acts much like a bearer token, so the user is not prompted to log in again for the rest of the session.

The vulnerability is triggered when the certificate used to encrypt and decrypt these authentication override cookies is also used by another service, such as the HTTPS interface of the portal or gateway. Critically, after decrypting a cookie the system binary performs no signature verification: whatever claims come out of the decryption are trusted. Since producing a cookie the gateway will decrypt requires only the public key, an attacker who can read that key off the exposed HTTPS certificate can forge a cookie of their own making and bypass authentication entirely. The practical check is therefore twofold: whether authentication override is enabled at all, and if so, whether its cookie certificate is the same one serving the portal or gateway HTTPS interface.
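The cookie mechanism described above, as an added example that is not Palo Alto Networks code and does not reproduce the real PAN-OS cookie format: a toy gateway protects its authentication-override cookie with textbook RSA under the same key pair as its HTTPS certificate (small keys, no padding, illustration only), and a second version additionally binds the claims with an HMAC under a secret that never leaves the gateway. The function names, the claim layout, the chunking scheme and the key sizes are all assumptions made for this example.

```python
"""Toy model of an encrypt-only authentication-override cookie (added example, not vendor code)."""
import hashlib
import hmac
import json
import secrets

# ---- textbook RSA, illustration only: small keys, no padding, never use in production ----

def _is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # top bit and low bit set
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    """Return (public, private) as (n, e), (n, d). bits is fixed at 512 by the block sizes below."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))

PLAIN_BLOCK = 48   # 384-bit plaintext blocks, always below a 512-bit modulus
CIPHER_BLOCK = 64  # each ciphertext block is one 512-bit integer

def rsa_encrypt(pub, plaintext: bytes) -> bytes:
    """Pad to a multiple of PLAIN_BLOCK, then encrypt block by block with the PUBLIC key."""
    n, e = pub
    pad = PLAIN_BLOCK - len(plaintext) % PLAIN_BLOCK
    plaintext += bytes([pad]) * pad
    out = b""
    for i in range(0, len(plaintext), PLAIN_BLOCK):
        m = int.from_bytes(plaintext[i:i + PLAIN_BLOCK], "big")
        out += pow(m, e, n).to_bytes(CIPHER_BLOCK, "big")
    return out

def rsa_decrypt(priv, ciphertext: bytes) -> bytes:
    """Decrypt block by block with the PRIVATE key and strip the padding."""
    n, d = priv
    out = b""
    for i in range(0, len(ciphertext), CIPHER_BLOCK):
        c = int.from_bytes(ciphertext[i:i + CIPHER_BLOCK], "big")
        out += pow(c, d, n).to_bytes(PLAIN_BLOCK, "big")
    return out[:-out[-1]]

# ---- vulnerable gateway: the cookie is encrypted claims and nothing authenticates it ----

def issue_cookie_vulnerable(pub, claims: dict) -> bytes:
    return rsa_encrypt(pub, json.dumps(claims).encode())

def accept_cookie_vulnerable(priv, cookie: bytes) -> dict:
    # Decrypts and trusts the result: no signature or MAC check at all.
    return json.loads(rsa_decrypt(priv, cookie))

# ---- hardened gateway: same encryption, plus an HMAC under a secret only the gateway holds ----

def issue_cookie_hardened(pub, mac_key: bytes, claims: dict) -> bytes:
    body = json.dumps(claims).encode()
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()
    return rsa_encrypt(pub, tag + body)

def accept_cookie_hardened(priv, mac_key: bytes, cookie: bytes):
    plain = rsa_decrypt(priv, cookie)
    tag, body = plain[:32], plain[32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        return None  # forged or tampered cookie is rejected
    return json.loads(body)

def run_scenario():
    """Attacker holds only pub (read off the HTTPS certificate); returns (vuln, hardened, legit)."""
    pub, priv = generate_keypair()
    mac_key = secrets.token_bytes(32)  # never leaves the gateway
    forged = {"user": "admin", "auth_override": True}
    vuln = accept_cookie_vulnerable(priv, issue_cookie_vulnerable(pub, forged))  # accepted
    # Against the hardened gateway the attacker can only guess the tag.
    hard = accept_cookie_hardened(priv, mac_key, rsa_encrypt(pub, b"\x00" * 32 + json.dumps(forged).encode()))
    legit = accept_cookie_hardened(priv, mac_key, issue_cookie_hardened(pub, mac_key, {"user": "alice"}))
    return vuln, hard, legit
```

The point of the toy is that encryption under a public key is not authentication: anyone with the public half can produce ciphertext that decrypts cleanly, so a server that trusts decrypted claims without a signature or MAC has no way to tell its own cookies from an attacker's. The HMAC variant is one generic way to bind the claims; it is not a description of the vendor's fix, which is whatever the advisory prescribes.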

Observed Attack Waves and Indicators

Rapid7 identified the earliest exploitation attempts on May 17; the first wave originated from IP addresses hosted on Vultr. The following day, analysts detected suspicious cookie-based authentication to local admin accounts across multiple customer environments. The attacker used the machine name GP-CLIENT and a spoofed MAC address to masquerade as a legitimate endpoint.

A second wave on May 21 originated from the hosting provider Dromatics Systems and used the machine name DESKTOP-GP01. In this wave some victims were assigned a VPN IP address after the cookie authentication succeeded, giving the attacker direct access to internal networks. The same spoofed MAC address appeared in both waves, which suggests a single threat actor behind both campaigns. Notably, 8 of the 10 monitored customer environments saw only authentication probes, not full VPN session establishment. Indicators of compromise include the threat actor's source IPs, the spoofed MAC address, and the machine names GP-CLIENT (first wave) and DESKTOP-GP01 (second wave).
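Detection logic for the pattern described in the two waves, as an added example rather than Rapid7's or the vendor's tooling. It runs over constructed, simplified gateway authentication records (a syslog-style prefix followed by key=value fields; this is not real PAN-OS log syntax) and raises three kinds of alert: cookie-based authentication to a local account, a machine name matching the two names reported above, and one MAC address reused across different machine names or source IPs, which is how a single actor with a spoofed MAC looks across waves. The source IPs, MAC address, timestamps and field names in the sample are all constructed.

```python
"""Flag cookie-auth probes and spoofed-endpoint reuse in constructed gateway auth records (added example)."""
import re
from collections import defaultdict

# Machine names reported for the two waves, matched after normalisation (case-folded, separators dropped).
IOC_MACHINE_NAMES = {"GPCLIENT", "DESKTOPGP01"}

# Constructed sample records: RFC 5737 addresses and a placeholder MAC, not real indicators.
SAMPLE_LOGS = """\
May 18 02:11:09 gp-gw1 event=gateway-auth src=198.51.100.7 user=admin auth=cookie machine=GP-CLIENT mac=00:11:22:33:44:55 local_user=yes vpn_ip=-
May 18 02:11:31 gp-gw1 event=gateway-auth src=198.51.100.7 user=operator auth=cookie machine=GP-CLIENT mac=00:11:22:33:44:55 local_user=yes vpn_ip=-
May 18 09:40:02 gp-gw1 event=gateway-auth src=203.0.113.44 user=alice auth=saml machine=ALICE-LAPTOP mac=aa:bb:cc:dd:ee:01 local_user=no vpn_ip=10.8.0.14
May 21 23:05:50 gp-gw1 event=gateway-auth src=192.0.2.200 user=admin auth=cookie machine=DESKTOP-GP01 mac=00:11:22:33:44:55 local_user=yes vpn_ip=10.8.0.77
"""

def normalise(name: str) -> str:
    """Case-fold and strip separators so GP-CLIENT, gp_client and 'GP CLIENT' compare equal."""
    return re.sub(r"[^A-Z0-9]", "", name.upper())

def parse_line(line: str) -> dict:
    """Month, day, time and host, then key=value pairs."""
    parts = line.split()
    rec = {"ts": " ".join(parts[:3]), "host": parts[3]}
    for field in parts[4:]:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec

def analyse(log_text: str) -> dict:
    records = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    alerts = []
    by_mac = defaultdict(lambda: {"machines": set(), "srcs": set()})
    for r in records:
        if r.get("event") != "gateway-auth":
            continue
        by_mac[r["mac"]]["machines"].add(r["machine"])
        by_mac[r["mac"]]["srcs"].add(r["src"])
        # Probe versus established session: did the gateway hand out a VPN address?
        stage = "session-established" if r.get("vpn_ip", "-") != "-" else "auth-probe-only"
        if r.get("auth") == "cookie" and r.get("local_user") == "yes":
            alerts.append({"rule": "cookie-auth-to-local-account", "ts": r["ts"],
                           "src": r["src"], "user": r["user"], "stage": stage})
        if normalise(r["machine"]) in IOC_MACHINE_NAMES:
            alerts.append({"rule": "ioc-machine-name", "ts": r["ts"],
                           "src": r["src"], "machine": r["machine"], "stage": stage})
    # One MAC showing up under several machine names or from several sources points to a spoofed endpoint.
    for mac, seen in by_mac.items():
        if len(seen["machines"]) > 1 or len(seen["srcs"]) > 1:
            alerts.append({"rule": "mac-reused-across-endpoints", "mac": mac,
                           "machines": sorted(seen["machines"]), "srcs": sorted(seen["srcs"])})
    return {"records": len(records), "alerts": alerts}

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOGS)["alerts"]:
        print(alert)
```

The stage field matters for triage: the article reports that most environments saw probes only, so an alert with auth-probe-only calls for certificate and configuration review, while session-established means a VPN address was handed out and the internal network has to be treated as reached.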

Source: Cyber Security News
