Detect Palo Alto Networks PAN-OS Authentication Bypass (CVE-2026-0257) in Google Chronicle
Detects exploitation attempts of CVE-2026-0257, an authentication bypass vulnerability in Palo Alto Networks PAN-OS caused by improper reliance on cookies for security decisions (CWE-565). An attacker can manipulate session cookies to bypass authentication controls on PAN-OS management interfaces or VPN endpoints. This vulnerability is confirmed exploited in the wild (CISA KEV).
YARA-L Detection Query
rule cve_2026_0257_panw_auth_bypass {
  meta:
    author = "df00tech Detection Engineering"
    description = "Detects CVE-2026-0257 PAN-OS authentication bypass via cookie manipulation"
    severity = "CRITICAL"
    priority = "HIGH"
    reference = "https://security.paloaltonetworks.com/CVE-2026-0257"

  events:
    // Scope to Palo Alto Networks telemetry.
    $e.metadata.vendor_name = "Palo Alto Networks" nocase

    // At least one indicator: a sensitive PAN-OS endpoint, a bypass/cookie category, or a matching description.
    (
      $e.network.http.request_url = /\/(php\/login\.php|api\/\?type=keygen|global-protect|ssl-vpn)/i or
      $e.security_result.category_details = /auth.*bypass|bypass.*auth|cookie.*invalid|invalid.*cookie|session.*forged/i or
      $e.security_result.description = /cookie|bypass|forged|invalid.token|auth.failure/i
    )

    // Either the firewall blocked the request or the event is raw HTTP telemetry.
    // "DENY" is not a value of the UDM security_result.action enum and would not compile, so only BLOCK is compared.
    $e.security_result.action = "BLOCK" or $e.metadata.event_type = "NETWORK_HTTP"

  match:
    $e.principal.ip over 5m

  outcome:
    // Allowed requests to login/keygen endpoints score highest; bypass/cookie wording adds to the score.
    $risk_score = max(
      if($e.security_result.action = "ALLOW" and $e.network.http.request_url = /login|keygen/i, 90, 0) +
      if($e.security_result.description = /bypass|cookie|forged/i, 30, 0)
    )

  condition:
    #e > 3 and $risk_score > 0
}

Chronicle YARA-L 2.0 rule detecting repeated PAN-OS authentication events with cookie bypass or session manipulation indicators, grouped by source IP over 5-minute windows.
False Positives & Tuning
- High-volume VPN deployments where many users authenticate from shared egress IPs
- API polling services that frequently call PAN-OS endpoints for operational monitoring
- Automated backup or configuration management tools authenticating to PAN-OS API
- Network proxies causing multiple users to appear as single source IP
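To see what the rule's grouping and scoring actually fire on, and why the API-polling tuning note above matters, here is an added Python re-implementation of the rule's logic over constructed events (not code from the df00tech page or from Chronicle). The flattened field names (`ip`, `url`, `ts`) and the fixed 5-minute buckets are assumed simplifications of UDM and of Chronicle's match window.

```python
import re
from collections import defaultdict

# Regexes copied from the rule's events and outcome sections.
URL_RE = re.compile(r"/(php/login\.php|api/\?type=keygen|global-protect|ssl-vpn)", re.I)
CATEGORY_RE = re.compile(r"auth.*bypass|bypass.*auth|cookie.*invalid|invalid.*cookie|session.*forged", re.I)
DESC_RE = re.compile(r"cookie|bypass|forged|invalid.token|auth.failure", re.I)
SCORE_URL_RE = re.compile(r"login|keygen", re.I)
SCORE_DESC_RE = re.compile(r"bypass|cookie|forged", re.I)
WINDOW = 300  # the rule's 5m match window, in seconds

def matches_events(e):
    """Events section: vendor scope, at least one indicator, and the BLOCK-or-NETWORK_HTTP gate."""
    if e["vendor_name"].lower() != "palo alto networks":
        return False
    indicator = (URL_RE.search(e["url"]) or CATEGORY_RE.search(e["category_details"])
                 or DESC_RE.search(e["description"]))
    gate = e["action"] == "BLOCK" or e["event_type"] == "NETWORK_HTTP"
    return bool(indicator) and gate

def risk(e):
    """Outcome section: per-event score; the rule takes max() over the matched group."""
    score = 90 if e["action"] == "ALLOW" and SCORE_URL_RE.search(e["url"]) else 0
    return score + (30 if SCORE_DESC_RE.search(e["description"]) else 0)

def evaluate(events):
    """Group matching events by principal IP into fixed 5-minute buckets, then apply '#e > 3 and $risk_score > 0'."""
    groups = defaultdict(list)
    for e in events:
        if matches_events(e):
            groups[(e["ip"], e["ts"] // WINDOW * WINDOW)].append(e)
    hits = {}
    for key, group in groups.items():
        risk_score = max(risk(x) for x in group)
        if len(group) > 3 and risk_score > 0:
            hits[key] = {"count": len(group), "risk_score": risk_score}
    return hits

def ev(ip, ts, url, action="ALLOW", event_type="NETWORK_HTTP", description="", category_details=""):
    # Minimal flattened UDM-like event; constructed test data, not real telemetry.
    return {"vendor_name": "Palo Alto Networks", "ip": ip, "ts": ts, "url": url, "action": action,
            "event_type": event_type, "description": description, "category_details": category_details}

# Constructed sample: a login burst plus one blocked forged-session event, an API poller hitting keygen every 40 s, one admin login.
SAMPLE_EVENTS = [
    *[ev("203.0.113.5", 1000 + i * 20, "/php/login.php") for i in range(4)],
    ev("203.0.113.5", 1100, "/php/login.php", action="BLOCK", description="session forged via cookie"),
    *[ev("198.51.100.9", 1000 + i * 40, "/api/?type=keygen") for i in range(5)],
    ev("192.0.2.77", 1050, "/php/login.php"),
]
```

Running `evaluate(SAMPLE_EVENTS)` returns both the login burst and the keygen poller (five allowed requests scoring 90), which is the false positive the tuning list describes; the single admin login stays below the `#e > 3` threshold.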
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: PAN-OS Cookie Bypass Authentication Simulation
Expected signal: PAN-OS auth logs should show repeated authentication failure events with unusual cookie headers; HTTP access logs should capture the source IP, URI, and malformed cookie values; network monitoring should detect the rapid sequential requests to multiple PAN-OS endpoints.
- Test 2: PAN-OS Management Interface Enumeration
Expected signal: Network logs should capture sequential HTTP GET/POST requests to multiple PAN-OS management URIs from single source; firewall logs should record the connection attempts and response codes; IDS/IPS should flag the rapid enumeration pattern.
- Test 3: Session Token Forgery Attempt Against PAN-OS
Expected signal: PAN-OS authentication daemon logs should show multiple failed auth attempts with varying PHPSESSID values and non-standard headers (X-PAN-AUTHCHECK); SIEM should capture the pattern of sequential attempts with different cookie values from single source IP.