Detect Palo Alto Networks PAN-OS Authentication Bypass (CVE-2026-0257) in CrowdStrike LogScale
Detects exploitation attempts of CVE-2026-0257, an authentication bypass vulnerability in Palo Alto Networks PAN-OS caused by improper reliance on cookies for security decisions (CWE-565). An attacker can manipulate session cookies to bypass authentication controls on PAN-OS management interfaces or VPN endpoints. This vulnerability is confirmed exploited in the wild (CISA KEV).
MITRE ATT&CK
LogScale Detection Query
#event_simpleName IN ("NetworkConnectIP4", "NetworkConnectIP6", "HttpRequest", "ProcessRollup2")
| $vendor_name = "Palo Alto Networks"
| $uri = HttpPath
| $action = HttpMethod
| ($uri = "*/php/login.php*" OR $uri = "*/api/?type=keygen*" OR $uri = "*/global-protect*" OR $uri = "*/ssl-vpn*"
OR HttpResponseCode IN ("401", "403") AND HttpReferrer = "*global-protect*"
OR UserAgent = "*GlobalProtect*")
| groupby([RemoteAddressIP4, $uri, HttpResponseCode], function=count(aid, as=attempt_count), window=5m)
| $attempt_count > 3
| $risk = if($attempt_count > 20, "Critical", if($attempt_count > 10, "High", "Medium"))
| sort(attempt_count, order=desc)
| select([timestamp, RemoteAddressIP4, $uri, HttpResponseCode, attempt_count, $risk])CrowdStrike Falcon LogScale CQL detecting repeated authentication attempts against PAN-OS management and VPN URIs with HTTP error codes consistent with authentication bypass attempts.
Data Sources
Required Tables
False Positives & Tuning
- GlobalProtect VPN clients performing frequent re-authentication from roaming endpoints
- Authorized security operations center tools polling PAN-OS health APIs
- SIEM forwarders or collectors generating repeated authenticated requests to PAN-OS
- IT automation scripts performing bulk authentication for configuration management
Other platforms for CVE-2026-0257
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1PAN-OS Cookie Bypass Authentication Simulation
Expected signal: PAN-OS auth logs should show repeated authentication failure events with unusual cookie headers; HTTP access logs should capture the source IP, URI, and malformed cookie values; network monitoring should detect the rapid sequential requests to multiple PAN-OS endpoints.
- Test 2PAN-OS Management Interface Enumeration
Expected signal: Network logs should capture sequential HTTP GET/POST requests to multiple PAN-OS management URIs from single source; firewall logs should record the connection attempts and response codes; IDS/IPS should flag the rapid enumeration pattern.
- Test 3Session Token Forgery Attempt Against PAN-OS
Expected signal: PAN-OS authentication daemon logs should show multiple failed auth attempts with varying PHPSESSID values and non-standard headers (X-PAN-AUTHCHECK); SIEM should capture the pattern of sequential attempts with different cookie values from single source IP.
Unlock Pro Content
Get the full detection package for CVE-2026-0257 including response playbook, investigation guide, and atomic red team tests.