ctipilot.ch


CVE-2026-0257 — Palo Alto Networks PAN-OS GlobalProtect: authentication bypass under active exploitation

From CTI Weekly Summary — 2026-W25 (Jun 15 – Jun 21, 2026) · published 2026-06-22

First disclosed in May and KEV-listed on 2026-05-29, the GlobalProtect portal/gateway authentication bypass moved into a confirmed exploitation wave this week. Unit 42 observed active exploitation by an unidentified actor attempting to access GlobalProtect, with Arctic Wolf reporting increasing exploitation volume and NCSC-CH refreshing its advisory on 2026-06-16 (Unit 42; daily 06-17). Notably, Unit 42 states no post-access lateral movement had been identified as of its analysis — so the current operational signal is unauthorised VPN session establishment, not yet confirmed downstream compromise. Patch to the fixed PAN-OS trains, and hunt GlobalProtect logs for authentications that bypass the expected portal flow.
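One way to run the log hunt described above, as an added example that is not from Unit 42, Palo Alto Networks or this brief: it flags established gateway sessions with no recent successful authentication from the same user and source IP. The event names, the five-field record layout and the 30-minute window are assumptions to map onto your own GlobalProtect log export, and the sample records are constructed.

```python
from datetime import datetime, timedelta

AUTH_EVENTS = {"portal-auth", "gateway-auth"}   # assumed event names
SESSION_EVENT = "gateway-connected"             # assumed event name

# Constructed sample records: (time, user, source IP, event, status).
SAMPLE_EVENTS = [
    ("2026-06-16T08:00:01", "alice", "198.51.100.10", "portal-auth", "success"),
    ("2026-06-16T08:00:04", "alice", "198.51.100.10", "gateway-auth", "success"),
    ("2026-06-16T08:00:06", "alice", "198.51.100.10", "gateway-connected", "success"),
    ("2026-06-16T09:12:30", "bob", "203.0.113.77", "gateway-connected", "success"),
    ("2026-06-16T10:00:00", "carol", "192.0.2.5", "portal-auth", "failure"),
    ("2026-06-16T10:00:09", "carol", "192.0.2.5", "gateway-connected", "success"),
    ("2026-06-16T07:00:00", "dave", "198.51.100.20", "gateway-auth", "success"),
    ("2026-06-16T11:45:00", "dave", "198.51.100.20", "gateway-connected", "success"),
]


def find_sessions_without_auth(events, window=timedelta(minutes=30)):
    """Return (time, user, ip, reason) for sessions lacking a recent successful auth."""
    last_auth = {}   # (user, ip) -> time of the latest successful auth event
    findings = []
    # ISO-8601 timestamps in one format sort chronologically as strings.
    for ts, user, ip, event, status in sorted(events):
        when = datetime.fromisoformat(ts)
        key = (user.lower(), ip)
        if event in AUTH_EVENTS and status == "success":
            last_auth[key] = when
        elif event == SESSION_EVENT and status == "success":
            seen = last_auth.get(key)
            if seen is None:
                findings.append((ts, user, ip, "no successful auth seen"))
            elif when - seen > window:
                findings.append((ts, user, ip, "last auth outside window"))
    return findings


if __name__ == "__main__":
    for finding in find_sessions_without_auth(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```

Treat hits as triage leads: a session whose authentication events fall before the start of the exported time range is flagged as well.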