CVE-2026-0257 is a critical authentication bypass (CVSS 9.1, EPSS 98.3rd percentile) in the GlobalProtect VPN component of PAN-OS, confirmed under active exploitation by Unit 42 and independently corroborated by Rapid7. An unauthenticated remote attacker can bypass GlobalProtect portal or gateway authentication entirely, gaining direct network access without valid credentials. Any organization with an internet-facing GlobalProtect gateway on an unpatched PAN-OS version is at immediate risk of network intrusion.