
“Rapid7 MDR identified successful exploitation across numerous customers, however we did not observe any indication of successful lateral movement from the devices,” the firm said in its analysis. The attackers reached the network but were not seen pushing deeper in the cases Rapid7 investigated, it said.
The flaw, tracked as CVE-2026-0257, affects GlobalProtect, Palo Alto’s remote-access VPN platform. Rapid7 said attackers began exploiting it as early as May 17, four days after Palo Alto published fixes and mitigation guidance.
The development marks a significant escalation from Palo Alto’s initial May 13 advisory, which rated the flaw medium severity and stated that the company was not aware of malicious exploitation at the time.
By May 29, Palo Alto had updated its advisory, increasing the vulnerability’s CVSS score to 7.8, marking exploit maturity as “attacked,” and assigning its highest urgency rating.

