THE PERIMETER JUST GOT WIDER
CVE-2026-0257 is a critical authentication bypass in Palo Alto Networks PAN-OS GlobalProtect, under active exploitation since May 17. Unit 42 and Rapid7 have both observed live attacks in production environments.
What that means operationally: attackers bypass your perimeter entirely. No phishing. No social engineering. They're inside your network at layer 3, looking like trusted remote users.
Authentication bypasses used to be the kind of vulnerability you'd patch on a Tuesday and move on. Now they're the first link in a kill chain that's actively running.
AND YOUR ANTIVIRUS JUST STOPPED WORKING
In the same window, Microsoft disclosed two zero-day vulnerabilities in Windows Defender - CVE-2026-33825 and CVE-2026-45498. Both allow unprivileged users to escalate to SYSTEM level and disable Defender entirely.
The attack chain is straightforward: compromise a standard user account, chain the Defender vulnerabilities, and you own the box at the highest privilege level. No admin credentials needed at entry.
THE REAL PROBLEM: VELOCITY
Neither vulnerability is advanced by itself. The story is how fast they're being deployed in combination. Unit 42's 2026 Incident Response Report is explicit: AI has compressed exploitation windows from weeks to hours.
Attackers are using LLMs for payload generation, exploit automation, and targeting reconnaissance. The barrier to entry for sophisticated chained attacks is collapsing.
WHAT YOU'RE ACTUALLY EXPOSED TO
If you're running PAN-OS without the latest patches: remote VPN access without credentials, lateral movement through your trusted remote network, access to internal resources that assume VPN users are legitimate.
If you're running Windows 10 or 11 without the latest Defender updates: local privilege escalation from standard user to SYSTEM, ability to disable Defender and other Windows security features, persistence mechanisms that survive reboots.
FortiClient EMS users have a parallel problem - CVE-2026-35616 is an improper access control vulnerability. Fortinet released emergency patches.
WHAT TO DO THIS WEEK
- Patch PAN-OS immediately. Verify your GlobalProtect gateways are on the latest release. Audit VPN access logs from May 17 forward for anomalous authentication patterns.
- Force Defender updates on all Windows systems. You need the June 2026 or later definition and engine update - not just signature updates.
- Patch FortiClient EMS if it's in your stack.
- Review endpoint privilege escalation activity over the last 30 days. If something ran as SYSTEM that shouldn't have, you have a problem that predates this advisory.
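One way to carry out the VPN log audit step above, as an added example that is not code from uMercs, Palo Alto Networks or any other vendor: it assumes a constructed, simplified log format (timestamp, user, source IP, result) rather than the real GlobalProtect log schema, and flags successful logins on or after the May 17 cutoff that deviate from each account's pre-cutoff baseline.

```python
from collections import defaultdict
from datetime import datetime

# Disclosure/exploitation cutoff named in the advisory text above.
CUTOFF = datetime(2026, 5, 17)

# Constructed sample records (not real PAN-OS output): timestamp, user, source IP, result.
SAMPLE_LOG = """\
2026-05-10T08:02:11 alice 203.0.113.10 success
2026-05-12T09:15:40 alice 203.0.113.10 success
2026-05-11T18:30:05 bob 198.51.100.7 success
2026-05-18T02:41:19 alice 192.0.2.55 success
2026-05-19T11:05:00 bob 198.51.100.7 success
2026-05-20T03:12:44 carol 192.0.2.99 success
"""


def parse(text):
    """Parse the simplified space-separated log into (datetime, user, src, result) tuples."""
    records = []
    for line in text.splitlines():
        ts, user, src, result = line.split()
        records.append((datetime.fromisoformat(ts), user, src, result))
    return records


def audit(records, cutoff=CUTOFF):
    """Return (user, src, reason) findings for successful logins on/after the cutoff
    that deviate from the pre-cutoff baseline: a source IP never seen for that
    account before the cutoff, or an account with no pre-cutoff history at all."""
    baseline = defaultdict(set)
    for ts, user, src, result in records:
        if ts < cutoff and result == "success":
            baseline[user].add(src)
    findings = []
    for ts, user, src, result in records:
        if ts < cutoff or result != "success":
            continue
        if user not in baseline:
            findings.append((user, src, "no pre-cutoff history"))
        elif src not in baseline[user]:
            findings.append((user, src, "new source IP"))
    return findings


if __name__ == "__main__":
    for user, src, reason in audit(parse(SAMPLE_LOG)):
        print(f"{user} from {src}: {reason}")
```

Findings are leads for analyst review, not proof of compromise; a new IP may simply be a user travelling.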
WHY CONTINUOUS VALIDATION MATTERS HERE
Annual or semi-annual pen tests validate at a single point in time. They miss 363 days of drift. When CVE-2026-0257 dropped on May 17, organizations running continuous offensive security validation knew within days whether they were exposed. Organizations running annual assessments found out when Unit 42 published their threat brief - or later.
The gap between disclosure and exploitation is now measured in hours. Your validation cadence needs to match.
WORK WITH UMERCS
uMercs runs offensive security engagements - pen testing, red team operations, and AI-assisted continuous testing - that find chained vulnerabilities like these before attackers do. Reach out at umercs.com or info@umercs.com.
Unit 42 (Palo Alto Networks): "Threat Brief: Active Exploitation of PAN-OS CVE-2026-0257" - June 2026
Rapid7: "PAN-OS GlobalProtect Authentication Bypass CVE-2026-0257" - June 2026
Microsoft Security Update Guide: CVE-2026-33825, CVE-2026-45498 - June 2026
Fortinet PSIRT: CVE-2026-35616 Advisory - June 2026
Unit 42: 2026 Global Incident Response Report