CVE-2026-0257 is an authentication bypass in PAN-OS GlobalProtect portal and gateway components (CVSS 7.5) with confirmed active exploitation since at least May 17, 2026, CISA KEV listing with a passed federal remediation deadline, and publicly available proof-of-concept exploit code. Organizations still running unpatched GlobalProtect are no longer in a pre-exploitation posture — threat hunting for unauthorized VPN sessions and lateral movement is now the primary defensive activity. No confirmed attribution as of June 15, 2026.