GlobalProtect CVE-2026-0257 Compromise Indicators: Threat Hunting and Forensic Guide for VPN Gateway Authentication Bypass

Organisations running PAN-OS GlobalProtect gateways on versions vulnerable to CVE-2026-0257 must investigate for compromise during the exposure window, not just apply the patch. This guide covers the specific log sources, indicators of compromise, and post-exploitation patterns to hunt for on PAN-OS GlobalProtect gateways after an authentication bypass zero-day.


The CVE-2026-0257 authentication bypass enables an attacker to authenticate to a GlobalProtect VPN gateway without valid credentials. Once authenticated, the attacker has VPN access to the internal network segments reachable through the gateway. Applying the patch closes the authentication bypass; it does not retroactively remove access that was established during the exposure window. Threat hunting for pre-patch compromise is a necessary step for any organisation that ran a vulnerable gateway with internet exposure.

Log Sources for GlobalProtect Investigation

GlobalProtect Authentication Logs (monitor > logs > globalprotect): The primary log source for identifying anomalous authentication events. Columns of interest:

  • auth-method: Legitimate corporate users typically authenticate via SAML, certificate, or RADIUS. An authentication bypass using cookie forgery may appear with an unusual or missing auth-method value.
  • srcip: Source IP addresses for successful VPN sessions. Flag any sessions from IP addresses in unexpected geographies, data centre IP ranges (as opposed to residential/mobile ISP ranges), or known threat actor infrastructure.
  • gateway: The specific GlobalProtect gateway that processed the session. Identifies which gateway component was reached.

Traffic Logs (monitor > logs > traffic): After establishing a VPN session via the bypass, the attacker begins lateral movement into the internal network. Review traffic logs for sessions originating from GlobalProtect client IP pool addresses at unusual times or generating unusual volumes.

System Logs (monitor > logs > system): Configuration changes, administrative access events, and session management events are recorded in system logs. Check for any configuration changes made during the exposure window that were not authorised.

PAN-OS Operational Commands for Session Review:

show globalprotect-gateway current-user
show globalprotect-gateway statistics
show globalprotect-gateway tunnel

Indicators of CVE-2026-0257 Exploitation

Authentication without a corresponding auth event in identity provider logs: CVE-2026-0257 bypasses PAN-OS authentication: the credential validation against your identity provider (Entra ID, Okta, RADIUS) is not performed. Successful GlobalProtect sessions from this exploit will appear in PAN-OS GlobalProtect logs but will NOT appear as sign-in events in your identity provider's authentication logs. Cross-reference successful GlobalProtect sessions against IdP sign-in logs for the same time window; sessions in PAN-OS logs with no corresponding IdP event are highly suspicious.

Sessions from IP ranges inconsistent with the user population: GlobalProtect log entries include the source IP address of the VPN client. Legitimate users connect from home IP addresses, office networks, and corporate mobile networks. VPN sessions from cloud provider IP ranges (AWS, Azure, GCP), hosting providers, or Tor exit nodes without a corresponding business justification are indicators.

Short-duration sessions with high outbound traffic: Post-authentication recon and data collection within the VPN creates a traffic pattern of a session that is active briefly but generates unusually high outbound data volume. Review traffic logs for GlobalProtect client IPs with session-to-data ratios that differ significantly from legitimate user norms.

Lateral movement from client VPN IP pool: After establishing VPN access, attackers typically begin network scanning and lateral movement. Internal traffic from GlobalProtect client IP pool addresses to internal servers (particularly Active Directory, file servers, and RDP/SSH hosts) at times or volumes inconsistent with legitimate user patterns is an indicator of post-VPN compromise activity.
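As an added example that is not part of the original article, the IdP cross-reference, auth-method and source-range checks described above implemented as a small Python hunt over constructed sample records. The record field names, the five-minute matching window and the 198.51.100.0/24 "non-user" range are assumptions; substitute your own exported log fields and address lists.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample records (not real logs); timestamps are UTC, ISO 8601.
GP_SESSIONS = [
    {"user": "alice", "srcip": "203.0.113.10", "auth_method": "SAML", "login": "2026-01-15T08:02:11"},
    {"user": "bob",   "srcip": "198.51.100.7", "auth_method": "",     "login": "2026-01-15T03:14:05"},
    {"user": "carol", "srcip": "192.0.2.44",   "auth_method": "SAML", "login": "2026-01-15T09:30:00"},
]
IDP_SIGNINS = [
    {"user": "alice", "time": "2026-01-15T08:01:58"},
    {"user": "carol", "time": "2026-01-15T07:00:00"},  # too early to explain her 09:30 session
]
# Ranges end users are not expected to connect from (assumed; build this from your own data).
NON_USER_RANGES = [ip_network("198.51.100.0/24")]
EXPECTED_AUTH_METHODS = {"SAML", "Certificate", "RADIUS"}


def _ts(s):
    return datetime.fromisoformat(s)


def hunt(gp_sessions, idp_signins, window=timedelta(minutes=5)):
    """Return (user, reasons) for every GlobalProtect session that trips an indicator."""
    idp_by_user = {}
    for ev in idp_signins:
        idp_by_user.setdefault(ev["user"], []).append(_ts(ev["time"]))
    findings = []
    for s in gp_sessions:
        reasons = []
        login = _ts(s["login"])
        # Indicator 1: successful gateway login with no IdP sign-in close to it in time
        if not any(abs(login - t) <= window for t in idp_by_user.get(s["user"], [])):
            reasons.append("no matching IdP sign-in within window")
        # Indicator 2: auth-method blank or not one of the methods the organisation uses
        if s["auth_method"] not in EXPECTED_AUTH_METHODS:
            reasons.append(f"unexpected auth-method {s['auth_method']!r}")
        # Indicator 3: client source IP inside a range end users should not be using
        if any(ip_address(s["srcip"]) in net for net in NON_USER_RANGES):
            reasons.append("source IP in non-user range")
        if reasons:
            findings.append((s["user"], reasons))
    return findings


if __name__ == "__main__":
    for user, reasons in hunt(GP_SESSIONS, IDP_SIGNINS):
        print(user, "->", "; ".join(reasons))
```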

Post-Exploitation Patterns to Investigate

Based on documented exploitation patterns for GlobalProtect authentication bypass CVEs, investigate for:

Kerberoasting and LDAP enumeration: The VPN provides network access that enables Kerberos TGS request collection and LDAP directory enumeration. SIEM detections for high-volume LDAP queries from the VPN client IP pool or unusual Kerberos TGS requests from GlobalProtect client addresses should be reviewed for the exposure window.

SMB/RPC lateral movement: After VPN establishment, PsExec, remote service creation, and SMB lateral movement are common next steps. Review Windows Security event logs (4624, 4625, 4648, 5140) for the exposure window for anomalous authentication from VPN pool addresses.

Credential collection from LSASS: If the attacker reached a Windows host via VPN, LSASS access for credential dumping is a high-probability next step. EDR telemetry for LSASS reads from unexpected processes during the exposure window is a key indicator.

Data staging and exfiltration: After reconnaissance, data is staged for exfiltration, typically to a device within the VPN network or directly over the VPN tunnel. Unusually large outbound transfers from VPN-connected client IPs to external addresses should be reviewed.

Remediation After Confirmed Compromise

If indicators of compromise are found: isolate the GlobalProtect gateway from the internet while the investigation proceeds; rotate all credentials that may have been accessible from the VPN segment; engage incident response for forensic preservation; notify relevant stakeholders per your incident response plan. The GlobalProtect session, if still active, can be terminated from the PAN-OS operational CLI with clear globalprotect-gateway current-user <username>.
