
UPDATE: PAN-OS GlobalProtect CVE-2026-0257 — exploitation wave with Impacket post-compromise, NCSC-CH refreshes advisory

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

UPDATE (originally covered 2026-05-30): Palo Alto's Unit 42 confirms an active exploitation campaign against the GlobalProtect cookie authentication bypass (CVE-2026-0257) that has been running since approximately late May (Unit 42, 2026-06-09). The flaw (CWE-565) decrypts an authentication-override cookie without verifying any signature over it, so an attacker who presents a forged cookie is accepted as an authenticated user and can establish a VPN tunnel without credentials whenever the override feature is enabled (Palo Alto Networks PSIRT).

Arctic Wolf's telemetry documents post-exploitation consistent with Impacket tooling (SMB lateral movement, anonymous NTLM logon, share enumeration and domain-user discovery) across insurance, finance, manufacturing, education, engineering and healthcare targets in North America and Europe (Arctic Wolf, 2026-06-11). NCSC-CH refreshed its Security Hub advisory on 2026-06-16 to flag the Unit 42 confirmation (NCSC-CH Security Hub, 2026-06-16).

Defenders: disable "Authentication Override" if it is not required, patch to the fixed PAN-OS builds, and audit sessions since late May for Impacket-pattern lateral movement: network logons (EID 4624, Logon Type 3) from unexpected source IPs, followed by SMB share enumeration (EID 5140/5145) from the same source.
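The following triage helper is an added example written for this brief; it is not code from Unit 42, Arctic Wolf, NCSC-CH or Palo Alto Networks. It assumes Security-log events exported as JSON lines with the field names used in the event XML (EventID, TimeCreated, Computer, LogonType, TargetUserName, IpAddress, ShareName), an assumed hunt cut-off of 20 May, a placeholder "expected" network range, and a constructed sample export using documentation IP ranges. It flags Type 3 logons from outside the expected ranges inside the hunt window and enriches each with the 5140/5145 share-access events from the same source on the same host within ten minutes, rating anonymous logons or multi-share enumeration as high severity.

```python
"""Triage helper for the Impacket-pattern hunt described in the brief.
Added example, not the vendors' or the brief's own code. Field names and
the sample records below are constructed assumptions."""
import json
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed hunt start: the brief says "since late May"; pick 20 May as cut-off.
HUNT_START = datetime(2026, 5, 20)

# Placeholder: source networks from which Type 3 (network) logons are expected.
EXPECTED_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample export (JSON lines). 203.0.113.x / 198.51.100.x are
# documentation ranges standing in for an "unexpected" external source.
SAMPLE_EVENTS = r"""
{"EventID": 4624, "TimeCreated": "2026-06-02T03:14:05", "Computer": "FS01", "LogonType": 3, "TargetUserName": "ANONYMOUS LOGON", "IpAddress": "203.0.113.45"}
{"EventID": 5140, "TimeCreated": "2026-06-02T03:14:07", "Computer": "FS01", "IpAddress": "203.0.113.45", "ShareName": "\\\\*\\IPC$"}
{"EventID": 5145, "TimeCreated": "2026-06-02T03:14:08", "Computer": "FS01", "IpAddress": "203.0.113.45", "ShareName": "\\\\*\\ADMIN$"}
{"EventID": 5145, "TimeCreated": "2026-06-02T03:14:09", "Computer": "FS01", "IpAddress": "203.0.113.45", "ShareName": "\\\\*\\C$"}
{"EventID": 4624, "TimeCreated": "2026-06-02T09:00:00", "Computer": "FS01", "LogonType": 3, "TargetUserName": "jsmith", "IpAddress": "10.10.4.22"}
{"EventID": 5140, "TimeCreated": "2026-06-02T09:00:02", "Computer": "FS01", "IpAddress": "10.10.4.22", "ShareName": "\\\\*\\Finance"}
{"EventID": 4624, "TimeCreated": "2026-05-10T12:00:00", "Computer": "FS01", "LogonType": 3, "TargetUserName": "svc-backup", "IpAddress": "198.51.100.9"}
{"EventID": 4624, "TimeCreated": "2026-06-03T22:41:10", "Computer": "DC01", "LogonType": 2, "TargetUserName": "admin", "IpAddress": "198.51.100.9"}
"""


def parse_events(text):
    """Parse JSON-lines export into dicts with TimeCreated as datetime."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.fromisoformat(ev["TimeCreated"])
        events.append(ev)
    return events


def is_expected_source(ip):
    """True if the source address lies in an allow-listed network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # '-' or '::1' style placeholders in 4624 are not routable
        return False
    return any(addr in net for net in EXPECTED_NETWORKS)


def hunt(events, window=timedelta(minutes=10), min_share_events=2):
    """Return one finding per Type 3 logon from an unexpected source inside
    the hunt window, with share-access events (5140/5145) from the same
    source IP on the same host within `window` after the logon."""
    shares = defaultdict(list)
    for ev in events:
        if ev["EventID"] in (5140, 5145):
            shares[(ev["Computer"], ev["IpAddress"])].append(ev)

    findings = []
    for ev in events:
        if ev["EventID"] != 4624 or ev.get("LogonType") != 3:
            continue
        if ev["TimeCreated"] < HUNT_START or is_expected_source(ev["IpAddress"]):
            continue
        t0 = ev["TimeCreated"]
        related = [s for s in shares[(ev["Computer"], ev["IpAddress"])]
                   if t0 <= s["TimeCreated"] <= t0 + window]
        anonymous = ev.get("TargetUserName", "").upper() == "ANONYMOUS LOGON"
        severity = "high" if anonymous or len(related) >= min_share_events else "medium"
        findings.append({
            "host": ev["Computer"],
            "source": ev["IpAddress"],
            "user": ev.get("TargetUserName"),
            "anonymous": anonymous,
            "shares": sorted({s["ShareName"] for s in related}),
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS)):
        print(f"[{f['severity']}] {f['host']} <- {f['source']} user={f['user']!r} "
              f"anonymous={f['anonymous']} shares={f['shares']}")
```

On the constructed sample only the 03:14 sequence is reported: the 10.10.4.22 logon is inside the expected range, the svc-backup logon predates the hunt window, and the DC01 event is an interactive (Type 2) logon. For a real hunt, replace the allow-list with the VPN pool and trusted management ranges and feed the exported Security log of each file server and domain controller.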