Detecting CVE-2026-0265 at Scale: PAN-OS CAS Authentication Bypass

CVE-2026-0265 is a pre-authentication JSON Web Token (JWT) signature bypass in PAN-OS and Panorama, reachable only when Cloud Authentication Service (CAS) is attached to an authentication profile. It allows an unauthenticated, remote attacker to forge a JWT and log in as any user the firewall trusts. 🚨

Affected Interfaces

  • GlobalProtect portal: Attacks can compromise virtual private network (VPN) user sessions.
  • Management interface: Attacks can compromise the PAN-OS administrator account.

Palo Alto Networks rated the bug 7.2 (high severity) for cases where the management interface is internet-exposed. Harsh Jaiswal of HacktronAI, the original reporter, publicly disputed that rating, claiming he bypassed CAS-protected GlobalProtect portals on multiple production tenants.

Vulnerability Classification

Palo Alto Networks classified this vulnerability as CWE-347, improper verification of a cryptographic signature. The root cause is JWT algorithm confusion in pan_auth_verify, which incorrectly dispatches signature verification based on the alg value parsed from the attacker-controllable JWT header.

Detection Tool

We built a detection tool that pulls two important data points (the CAS precondition and the PAN-OS version) out of the same anonymous prelogin response. The probe is a single unauthenticated GET request to /global-protect/prelogin.esp. The prelogin response contains <cas-auth>yes</cas-auth> when CAS is the configured authentication method, and it also carries a <saml-request> field containing a JWT whose “PanOSversion” claim gives the authoritative firmware version.
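As an added example (not the tool described above and not Palo Alto Networks code), the following parses a prelogin.esp response for the two data points the paragraph names and compares the version against the fixed releases listed under Remediation Advice. The response document, its root element name, and the assumption that <saml-request> holds the compact JWT directly are constructed here for illustration.

```python
"""Assess a GlobalProtect prelogin.esp response for the CVE-2026-0265 preconditions."""
import base64
import json
import re
from typing import Optional
import xml.etree.ElementTree as ET

# First fixed maintenance release per branch, taken from the advisory summary.
FIXED = {(10, 2): 18, (11, 1): 15, (11, 2): 12, (12, 1): 7}


def decode_jwt_payload(token: str) -> dict:
    """Return the payload segment of a compact JWT. The probe only reads the
    version claim, so the signature is deliberately not verified here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    seg = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(seg))


def parse_version(v: str) -> tuple:
    """Split 'major.minor.maint[-hN]' into integers; hotfix defaults to 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", v)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v}")
    return tuple(int(x or 0) for x in m.groups())


def is_fixed(v: str) -> Optional[bool]:
    """True/False against the fixed list; None when the branch is not listed."""
    major, minor, maint, _ = parse_version(v)
    fixed_maint = FIXED.get((major, minor))
    return None if fixed_maint is None else maint >= fixed_maint


def assess_prelogin(xml_text: str) -> dict:
    """Extract cas-auth and the PanOSversion claim; 'exposed' means CAS is on
    and the version is below the fix for its branch."""
    root = ET.fromstring(xml_text)
    cas = (root.findtext("cas-auth") or "").strip().lower() == "yes"
    token = (root.findtext("saml-request") or "").strip()
    version = decode_jwt_payload(token).get("PanOSversion") if token else None
    fixed = is_fixed(version) if version else None
    return {"cas_auth": cas, "version": version, "fixed": fixed,
            "exposed": cas and fixed is False}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample response (assumed layout, not captured from a device).
_TOKEN = ".".join([_b64url(b'{"alg":"HS256","typ":"JWT"}'),
                   _b64url(b'{"PanOSversion":"11.1.10-h3"}'), _b64url(b"sig")])
SAMPLE = (f"<prelogin-response><status>Success</status><cas-auth>yes</cas-auth>"
          f"<saml-request>{_TOKEN}</saml-request></prelogin-response>")
```

Run the assessment only against firewalls you administer; an `exposed` result means CAS is attached and the version predates the fix for that branch, so the Remediation Advice below applies.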

Remediation Advice

  • Patch: Upgrade to the fixed version for your branch (10.2.18+, 11.1.15+, 11.2.12+, 12.1.7+).
  • Detach CAS: If you can’t patch, replace CAS with SAML, RADIUS, LDAP, or local auth on every authentication profile attached to a GlobalProtect portal or admin role.
  • Audit: Ensure your management interface is not internet-reachable.

This post is licensed under CC BY 4.0 by the author.