Executive Summary
CISA's KEV catalog version 2026.05.29 lists CVE-2026-0257 as an actively exploited PAN-OS authentication bypass with a federal due date of 2026-06-01 [raw.githubusercontent.com opens in a new tab]. Palo Alto Networks says the issue affects GlobalProtect portal and gateway deployments where authentication override cookies are enabled with a specific certificate configuration, and that limited exploit attempts have targeted unpatched systems without mitigations [security.paloaltonetworks.com opens in a new tab].
This is a VPN-edge exposure problem, not a generic PAN-OS compromise claim. Treat an exposed GlobalProtect portal or gateway on a vulnerable PAN-OS branch as a priority access-control incident because successful exploitation can establish an unauthorized VPN connection [raw.githubusercontent.com opens in a new tab] [security.paloaltonetworks.com opens in a new tab].