BleepingComputer recently reported active exploitation of a Palo Alto GlobalProtect VPN authentication bypass flaw, CVE-2026-0257. The vulnerability allows attackers to forge authentication override cookies and thereby bypass authentication, gaining access as local administrator accounts. This represents a critical initial access vector (T1190) for adversaries to establish a foothold within an environment.
To detect this activity, we developed a KQL query that focuses on anomalous successful VPN authentications by privileged accounts (T1078.001). Our query targets the CommonSecurityLog table, specifically filtering for events where DeviceVendor is "Palo Alto Networks" and DeviceProduct contains "GlobalProtect". We then look for successful authentication activities and narrow down the results to DestinationUserName values that match common administrator account names like "admin" or "administrator".
The query aggregates these successful administrative logins by DestinationUserName, SourceIP, and other relevant fields, providing a summarized view of potentially malicious activity. Defenders can deploy this query in their environments to identify instances where administrative accounts successfully authenticate to GlobalProtect VPNs from unusual or unexpected source IPs, which could indicate exploitation of CVE-2026-0257. This behavioral detection helps us identify the outcome of the exploit even without specific IOCs.
We recommend that defenders regularly monitor for successful GlobalProtect VPN authentications by administrative accounts, especially those originating from external or unusual IP addresses. Tuning the `admin_usernames` list to reflect specific privileged account names in your environment will enhance the fidelity of this detection. Anomalous successful logins by these accounts should trigger immediate investigation.
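The following KQL is an added example of the approach described above, not the query from the original post. The `admin_usernames` values, the trusted egress ranges and the success-status filter are assumptions to adapt to your environment and to your PAN-OS CEF field mapping.

```kql
// Added example: successful GlobalProtect logins by administrative accounts
// from sources outside known egress ranges, over Microsoft Sentinel's
// CommonSecurityLog (CEF) table. Not the original post's query.
let admin_usernames = dynamic(["admin", "administrator"]);   // tune to your privileged accounts
// Placeholder corporate egress ranges, constructed for this example
let trusted_ranges = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);
CommonSecurityLog
| where TimeGenerated > ago(7d)
| where DeviceVendor =~ "Palo Alto Networks"
| where DeviceProduct has "GlobalProtect"
// Assumption: success is surfaced in DeviceAction or Activity; adjust to your mapping
| where Activity has "auth"
| where DeviceAction =~ "success" or Activity has "success"
| where DestinationUserName in~ (admin_usernames)
// ipv4_is_in_any_range returns null for unparsable addresses; treat those as untrusted
| extend FromTrustedRange = coalesce(ipv4_is_in_any_range(SourceIP, trusted_ranges), false)
| where FromTrustedRange == false
| summarize LoginCount = count(),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            Activities = make_set(Activity, 10),
            Gateways = make_set(DeviceAddress, 10)
    by DestinationUserName, SourceIP, DeviceVendor, DeviceProduct
| order by LoginCount desc
```

Each row is one privileged account and source IP pair; a first-seen external source for an administrator account is the condition that warrants immediate investigation under the recommendation above.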