A high-severity authentication bypass vulnerability (CVE-2026-0257) in Palo Alto Networks' PAN-OS GlobalProtect portal and gateway was patched on May 13, but threat actors began actively exploiting it just four days after public disclosure. Rapid7 observed multiple waves of attacks across customer environments, with attackers using forged cookies to bypass authentication and, in some cases, gain access to internal networks via VPN. CISA has added the flaw to its Known Exploited Vulnerabilities catalog and is urging federal agencies to apply the available patches by June 1.
