A vulnerability in Palo Alto Networks' PAN-OS, the software that runs the company's firewalls, is being exploited in the wild. Tracked as CVE-2026-0257, the flaw lets an attacker bypass security restrictions and establish an unauthorised VPN connection through a GlobalProtect gateway. The US Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities catalog and set a 1 June remediation deadline for federal civilian agencies.

What the flaw does

GlobalProtect is the VPN that lets remote staff reach an internal network. A bypass there is serious because it hands an attacker a foothold inside the perimeter without valid credentials. Active exploitation has been confirmed by both the vendor and an independent managed-detection provider, and the attackers are reported to have working tooling aimed at unpatched gateways. A firewall is meant to be the control. Here it is the way in.

Why the deadline matters beyond Washington

CISA's deadline binds US federal agencies, but the catalogue is read as a global to-do list. A listing means exploitation is real and confirmed, not theoretical. Any organisation running an exposed GlobalProtect gateway should treat the federal date as its own. Edge devices like firewalls and VPN concentrators have become the preferred entry point for both criminal and state-backed crews, precisely because they sit at the boundary and are often patched late.

What to do

Apply Palo Alto's fixed PAN-OS release. Where patching has to wait, restrict GlobalProtect exposure to known address ranges and watch authentication logs for VPN sessions that do not match a real user. Treat any internet-facing management interface as a liability until the update is confirmed in place. The pattern this year is consistent: the bug is on the box guarding the door.
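One way to run the log check described above, as an added example that is not code from the vendor or from this report. It assumes login and session events have been exported to a simple CSV; the column names, users, addresses and the two-minute window are constructed for illustration and are not PAN-OS's own log schema. It flags VPN sessions that have no matching successful login, an unknown user, or a source outside the allowed ranges.

```python
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Constructed sample export; the column names are assumptions, not PAN-OS's log schema.
SAMPLE = """time,event,user,src_ip
2026-05-20T08:00:05,auth-success,alice,198.51.100.10
2026-05-20T08:00:09,session-start,alice,198.51.100.10
2026-05-20T08:14:30,session-start,bob,203.0.113.77
2026-05-20T09:02:00,auth-success,carol,198.51.100.23
2026-05-20T09:02:04,session-start,carol,192.0.2.200
2026-05-20T09:30:00,session-start,svc-unknown,198.51.100.40
"""

KNOWN_USERS = {"alice", "bob", "carol"}                    # hypothetical directory export
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]   # hypothetical allowed ranges
AUTH_WINDOW = timedelta(minutes=2)                         # assumed max gap, login to session


def suspicious_sessions(text, known_users=KNOWN_USERS, nets=ALLOWED_NETS, window=AUTH_WINDOW):
    """Return (time, user, src_ip, reasons) for each session start that looks wrong."""
    last_auth = {}   # (user, src_ip) -> time of the latest successful login
    findings = []
    rows = sorted(csv.DictReader(io.StringIO(text)), key=lambda r: r["time"])
    for row in rows:
        when = datetime.fromisoformat(row["time"])
        key = (row["user"], row["src_ip"])
        if row["event"] == "auth-success":
            last_auth[key] = when
            continue
        if row["event"] != "session-start":
            continue
        reasons = []
        if row["user"] not in known_users:
            reasons.append("unknown-user")
        if not any(ipaddress.ip_address(row["src_ip"]) in n for n in nets):
            reasons.append("source-outside-allowed-ranges")
        auth = last_auth.get(key)
        if auth is None or when - auth > window:
            reasons.append("no-matching-login")
        if reasons:
            findings.append((row["time"], row["user"], row["src_ip"], reasons))
    return findings


if __name__ == "__main__":
    for finding in suspicious_sessions(SAMPLE):
        print(finding)
```

A session that starts without a recent successful login from the same user and address is the signal that matters most for an authentication bypass, so that reason is checked even when the user and source range look normal.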

Note: This is defensive reporting for patch prioritisation. No exploit code or proof-of-concept is reproduced here.