Palo Alto Networks’ threat intelligence division has published a comprehensive threat brief confirming active exploitation of CVE-2026-0257 and providing defenders with detection signatures and indicators of compromise.

Unit 42’s threat brief on CVE-2026-0257 confirms what managed detection firms have independently observed: the GlobalProtect authentication bypass is under active, multi-wave exploitation. The brief provides detection signatures, indicators of compromise, and step-by-step remediation guidance specific to GlobalProtect deployments.

The significance of this publication extends beyond the immediate vulnerability. Having vendor threat intelligence units issue their own exploitation confirmations, rather than relying solely on third-party reporting, is becoming the standard disclosure model for critical network infrastructure vulnerabilities. Unit 42’s brief arms defenders with detection capabilities calibrated to the specific attack patterns observed in the wild, including authentication events tied to forged cookies, suspicious VPN tunnel establishment, and anomalous hipreport.esp endpoint activity.

Organizations running GlobalProtect with authentication override enabled should apply the detection rules immediately, even if patches have already been deployed, to identify any compromise that occurred during the exposure window between May 13 and patch application.

Source: Unit 42 Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257