Researchers and federal regulators are tracking an active intrusion campaign built on CVE-2026-0257, a Palo Alto Networks authentication-bypass flaw that spent four days rated medium-severity while attackers were already weaponizing it.
Palo Alto Networks first disclosed the defect on May 13. Rapid7 confirmed exploitation in a customer environment four days later, on May 17, triggering a cascade: the vendor upgraded its rating to critical, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 29. Under Binding Operational Directive 22-01, federal civilian agencies must patch by June 19.
The PAN-OS advisory describes the exploit with uncomfortable simplicity. Deployments at risk are GlobalProtect portals and gateways that have authentication override cookies enabled and share a certificate with another feature. Against such a firewall, an attacker can forge a valid authentication cookie using nothing but the firewall's publicly available TLS certificate: a single HTTP request, no credentials required.
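As an added illustration, not code from Palo Alto Networks, Rapid7 or the advisory, the check below models the two preconditions the advisory names: authentication override cookies enabled on a portal or gateway, and the cookie certificate shared with another feature. The configuration model, the endpoint and certificate names, and the treatment of a TLS service profile as "another feature" are constructed assumptions for the example; a real audit would pull these values from the firewall's running configuration rather than from the inline sample.

```python
"""Added audit example for the two preconditions described in the advisory.

Not Palo Alto Networks code. The configuration objects below are a simplified,
constructed model and do not follow the real PAN-OS XML schema.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CertUse:
    feature: str        # assumed feature label, e.g. "ssl-tls-service-profile/gp-tls"
    certificate: str    # certificate object name


@dataclass
class GpEndpoint:
    name: str
    kind: str                       # "portal" or "gateway"
    generate_cookie: bool           # authentication override: generate cookie
    accept_cookie: bool             # authentication override: accept cookie
    cookie_cert: Optional[str]      # certificate used to encrypt/decrypt the cookie


@dataclass
class Finding:
    endpoint: str
    kind: str
    cookie_cert: str
    shared_with: list


def audit_auth_override(endpoints, other_uses):
    """Return endpoints where override cookies are on AND the cookie cert is
    also used by some other feature (the advisory's two preconditions).

    Either generate or accept counts as "enabled"; that is the conservative
    reading of the advisory wording, an assumption of this example.
    """
    # Invert the certificate assignments: cert name -> features that use it.
    uses = {}
    for use in other_uses:
        uses.setdefault(use.certificate, set()).add(use.feature)

    findings = []
    for ep in endpoints:
        if not (ep.generate_cookie or ep.accept_cookie) or ep.cookie_cert is None:
            continue                                    # precondition 1 not met
        shared = sorted(uses.get(ep.cookie_cert, ()))
        if shared:                                      # precondition 2 met
            findings.append(Finding(ep.name, ep.kind, ep.cookie_cert, shared))
    return findings


# Constructed sample configuration (hypothetical names, not from any real device).
SAMPLE_ENDPOINTS = [
    GpEndpoint("vpn-portal", "portal", True, True, "gp-cert"),
    GpEndpoint("vpn-gw-1", "gateway", False, True, "gp-cert"),
    GpEndpoint("vpn-gw-2", "gateway", False, True, "cookie-only-cert"),  # dedicated cert
    GpEndpoint("lab-portal", "portal", False, False, None),               # cookies off
]
SAMPLE_OTHER_USES = [
    CertUse("ssl-tls-service-profile/gp-tls", "gp-cert"),   # the public TLS cert
    CertUse("management-web-ui", "mgmt-cert"),
]


def example_findings():
    return audit_auth_override(SAMPLE_ENDPOINTS, SAMPLE_OTHER_USES)


if __name__ == "__main__":
    for f in example_findings():
        print(f"{f.kind} {f.endpoint}: cookie cert '{f.cookie_cert}' "
              f"shared with {', '.join(f.shared_with)}")
```

In the sample, the portal and the first gateway are flagged because their cookie certificate is the same object that serves TLS; the second gateway, which encrypts cookies with a dedicated certificate, and the portal with override cookies disabled are not. Separating the cookie certificate from the TLS certificate removes the second precondition but is not a substitute for applying the vendor fix.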
Rapid7 documented two waves. The second, on May 21, saw a couple of customers hit within an hour of each other, with VPN connections established to affected firewalls. Researchers haven’t attributed either wave to a named threat group.
The structural tell here: attackers are deliberately hunting medium-severity bugs, knowing most organizations don’t treat them as urgent. Palo Alto said it found the flaw internally using frontier AI tools, yet within days of public disclosure, the original rating proved dangerously optimistic.
watchTowr’s Jake Knott framed it cleanly: “Organizations that wait for confirmation of active exploitation before patching will consistently find themselves reacting too late.”
Next procedural step: federal agencies face the June 19 remediation deadline.
James Okafor