
Detect Palo Alto Networks PAN-OS Authentication Bypass (CVE-2026-0257) in Splunk

Detects exploitation attempts of CVE-2026-0257, an authentication bypass vulnerability in Palo Alto Networks PAN-OS caused by improper reliance on cookies for security decisions (CWE-565). An attacker can manipulate session cookies to bypass authentication controls on PAN-OS management interfaces or VPN endpoints. This vulnerability is confirmed exploited in the wild (CISA KEV).

MITRE ATT&CK

Tactics: Initial Access, Privilege Escalation, Credential Access

SPL Detection Query

```spl
index=network sourcetype IN ("pan:traffic", "pan:system", "pan:threat", "pan:log") vendor="Palo Alto Networks"
| eval uri=coalesce(url, uri_path, request)
| eval auth_event=if(match(lower(signature), "auth|bypass|cookie|session|invalid-token"), 1, 0)
| eval suspicious_uri=if(match(lower(uri), "/php/login\.php|/api/\?type=keygen|/global-protect|/ssl-vpn"), 1, 0)
| where auth_event=1 OR suspicious_uri=1
| bucket _time span=5m
| stats count as attempt_count, dc(uri) as unique_uris, dc(src_user) as unique_users, values(uri) as uris, values(signature) as signatures by _time, src_ip, dest_ip, action
| where attempt_count > 3
| eval risk=case(attempt_count > 20, "Critical", attempt_count > 10, "High", true(), "Medium")
| table _time, src_ip, dest_ip, attempt_count, unique_uris, unique_users, uris, signatures, action, risk
| sort -attempt_count
```

Severity: Critical · Confidence: High

Correlates authentication bypass indicators from PAN-OS logs: an event qualifies if its signature contains an auth-related keyword or its URI points at a login, key-generation, GlobalProtect or SSL-VPN endpoint. Qualifying events are bucketed into 5-minute windows and counted per source IP, destination IP and action; a window with more than 3 matching events is reported, scored Medium, High (more than 10) or Critical (more than 20), and sorted by attempt count.

Data Sources

  • Palo Alto Networks PAN-OS
  • Network Firewall Logs

Required Sourcetypes

  • pan:traffic
  • pan:system
  • pan:threat
  • pan:log

False Positives & Tuning

  • Legitimate repeated VPN authentication from mobile or roaming clients
  • Security scanning tools authorized by the organization probing PAN-OS interfaces
  • Load balancer health checks triggering repeated authentication requests
  • Misconfigured VPN clients with corrupted or expired cookies causing repeated login attempts
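The following is an added example, not code from this page or from Splunk or Palo Alto Networks: a pure-Python replay of the SPL query above over a small set of constructed PAN-OS-style events, so the bucketing, the attempt threshold and the risk ladder can be checked offline. It also adds one tuning hook the query itself does not have, an `allowlist` of source IPs (authorized scanners, load-balancer health checks) dropped before counting, which addresses the false-positive list above. Field names follow the query; the IP addresses, timestamps and signature strings are all constructed.

```python
"""Offline replay of the SPL detection (added example, not the page's own code).

Each event is a dict carrying the fields the query reads: _time as epoch seconds,
url / uri_path / request, signature, src_ip, dest_ip, src_user, action. Every
sample value below is constructed (RFC 5737 documentation addresses, invented
timestamps and signature text).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Both regexes are copied from the eval lines of the SPL query.
AUTH_SIG_RE = re.compile(r"auth|bypass|cookie|session|invalid-token")
SUSPICIOUS_URI_RE = re.compile(r"/php/login\.php|/api/\?type=keygen|/global-protect|/ssl-vpn")
BUCKET_SECONDS = 300   # bucket _time span=5m
MIN_ATTEMPTS = 4       # where attempt_count > 3


def normalize(event):
    """Mirror the three eval lines: coalesce the URI and compute both flags."""
    uri = next((event.get(k) for k in ("url", "uri_path", "request") if event.get(k)), "")
    signature = (event.get("signature") or "").lower()
    auth_event = bool(AUTH_SIG_RE.search(signature))
    suspicious_uri = bool(SUSPICIOUS_URI_RE.search(uri.lower()))
    return uri, auth_event, suspicious_uri


def risk_level(attempt_count):
    """Same case() ladder as the query."""
    if attempt_count > 20:
        return "Critical"
    if attempt_count > 10:
        return "High"
    return "Medium"


def detect(events, allowlist=frozenset()):
    """Group matching events by 5-minute bucket, src_ip, dest_ip and action.

    allowlist is a tuning hook added here (not part of the SPL): sources such as
    authorized scanners or load-balancer health checks are dropped before counting.
    """
    groups = defaultdict(list)
    for ev in events:
        if ev["src_ip"] in allowlist:
            continue
        uri, auth_event, suspicious_uri = normalize(ev)
        if not (auth_event or suspicious_uri):
            continue
        bucket = ev["_time"] - ev["_time"] % BUCKET_SECONDS   # floor to 5-minute boundary
        key = (bucket, ev["src_ip"], ev["dest_ip"], ev.get("action", ""))
        groups[key].append((uri, ev.get("signature") or "", ev.get("src_user") or ""))

    rows = []
    for (bucket, src_ip, dest_ip, action), hits in groups.items():
        n = len(hits)
        if n < MIN_ATTEMPTS:
            continue
        uris = sorted({h[0] for h in hits if h[0]})   # dc() and values() skip nulls
        rows.append({
            "_time": datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat(),
            "src_ip": src_ip, "dest_ip": dest_ip, "action": action,
            "attempt_count": n,
            "unique_uris": len(uris),
            "unique_users": len({h[2] for h in hits if h[2]}),
            "uris": uris,
            "signatures": sorted({h[1] for h in hits if h[1]}),
            "risk": risk_level(n),
        })
    rows.sort(key=lambda r: -r["attempt_count"])   # sort -attempt_count
    return rows


def _ts(minute, second=0):
    """Constructed timestamp inside the 5-minute bucket starting 2026-01-15 10:00:00Z."""
    base = datetime(2026, 1, 15, 10, 0, tzinfo=timezone.utc)
    return int((base + timedelta(minutes=minute, seconds=second)).timestamp())


FIREWALL = "192.0.2.1"
_URIS = ["/global-protect/login.esp", "/ssl-vpn/hipreport.esp", "/php/login.php"]

SAMPLE_EVENTS = (
    # 12 rapid requests from one source across three VPN/management URIs -> High
    [{"_time": _ts(i // 3, (i % 3) * 15), "src_ip": "203.0.113.10", "dest_ip": FIREWALL,
      "action": "allow", "url": _URIS[i % 3],
      "signature": "invalid session cookie" if i % 2 == 0 else ""} for i in range(12)]
    # 5 probes from an authorized scanner -> Medium unless allowlisted
    + [{"_time": _ts(1, i * 10), "src_ip": "192.0.2.9", "dest_ip": FIREWALL,
        "action": "allow", "uri_path": "/php/login.php", "signature": ""} for i in range(5)]
    # 2 ordinary logins by a named user -> below threshold, never reported
    + [{"_time": _ts(2, i * 30), "src_ip": "198.51.100.5", "dest_ip": FIREWALL,
        "action": "allow", "url": "/global-protect/login.esp", "src_user": "alice",
        "signature": ""} for i in range(2)]
)


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS, allowlist={"192.0.2.9"}):
        print(row["risk"], row["src_ip"], row["attempt_count"], row["uris"])
```

Running the module with the allowlist reports only the 12-attempt source as High; without the allowlist the scanner's 5 probes surface as a Medium row, which is exactly the class of hit the tuning list above describes. Because the key includes `action`, a source that is partly allowed and partly blocked is split across rows, so thresholds are per action, not per source, which is worth keeping in mind when adjusting `MIN_ATTEMPTS`.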

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: PAN-OS Cookie Bypass Authentication Simulation

    Expected signal: PAN-OS auth logs should show repeated authentication failure events with unusual cookie headers; HTTP access logs should capture the source IP, URI, and malformed cookie values; network monitoring should detect the rapid sequential requests to multiple PAN-OS endpoints.

  2. Test 2: PAN-OS Management Interface Enumeration

    Expected signal: Network logs should capture sequential HTTP GET/POST requests to multiple PAN-OS management URIs from a single source; firewall logs should record the connection attempts and response codes; IDS/IPS should flag the rapid enumeration pattern.

  3. Test 3: Session Token Forgery Attempt Against PAN-OS

    Expected signal: PAN-OS authentication daemon logs should show multiple failed auth attempts with varying PHPSESSID values and non-standard headers (X-PAN-AUTHCHECK); the SIEM should capture the pattern of sequential attempts with different cookie values from a single source IP.
