GlobalProtect Vulnerability Exploited, ChatGPT Links Misused, Feds Criticize NVD

Palo Alto Networks published a security advisory for an authentication-bypass vulnerability in PAN-OS GlobalProtect, tracked as CVE-2026-0257; the CVE record on CVE.org lists a CVSS score of 7.8. Multiple vendors and researchers, including Rapid7 and BleepingComputer, report that the flaw is being actively exploited in the wild. SentinelOne and Rapid7 technical summaries describe the bug as an authentication-state validation weakness in the GlobalProtect portal and gateway that can let unauthenticated attackers establish VPN sessions. Reporting indexed from CISO Series and Cybersecurity Headlines says attackers have abused ChatGPT "share" links to host fake outage pages that deliver malware. Reporting by CISO Series also highlights a federal audit that found problems in NIST's National Vulnerability Database (NVD). Editorial analysis: companies relying on enterprise VPNs should treat active exploitation of authentication-bypass vulnerabilities as high operational risk and prioritise visibility and patching in their vulnerability management workflows.
What happened
Palo Alto Networks published a security advisory for CVE-2026-0257, an authentication bypass in the PAN-OS GlobalProtect portal and gateway components, per Palo Alto's advisory and the CVE record on CVE.org. The CVE entry lists a CVSS 7.8 severity score, and vendor advisories note that Panorama and Cloud NGFW are not affected. Reporting by Rapid7 and BleepingComputer documents observed exploitation in the wild and attacker activity since mid-May 2026.
Technical details
Per the CVE record and vendor writeups (see CVE.org and SentinelOne), the flaw stems from insufficient validation of authentication/session state during the GlobalProtect handshake, classified under CWE-565. SentinelOne's vulnerability summary and Rapid7's reporting describe a network-reachable, unauthenticated attack vector that can result in an unauthorized VPN session, exposing internal resources to remote actors.
Observed campaigns
Reporting indexed by CISO Series and cybersecurity outlets indicates attackers have also used third-party hosting behaviours to support malware delivery. CISO Series' show notes and related coverage say adversaries abused ChatGPT "share" links to host fake outage pages that lured victims and delivered malware. Multiple security outlets cite active exploitation of CVE-2026-0257 in attacker campaigns; Rapid7 provides telemetry-based observations of exploitation activity.
Industry context
Editorial analysis: authentication-bypass vulnerabilities in remote-access infrastructure have an outsized operational impact because successful exploits provide lateral access without user interaction. Industry-pattern observations note that when a widely deployed VPN component is exploitable over the network without authentication, organizations typically see follow-on reconnaissance and credential-theft campaigns that leverage that initial access to reach sensitive assets.
NVD concerns
Reporting by CISO Series references a federal audit that found issues in NIST's NVD processes. Editorial analysis: observers have increasingly scrutinised vulnerability database completeness and metadata accuracy because inconsistencies can slow detection and automated patch orchestration across large enterprises.
What to watch
Editorial analysis: indicators to monitor include vendor patch and mitigation publications from Palo Alto Networks, telemetry showing unexpected GlobalProtect session establishments, web-hosting artefacts referencing ChatGPT "share" URLs in abuse contexts, and updated advisories from threat intelligence vendors like Rapid7 and SentinelOne. For practitioners: confirm inventory of PAN-OS versions against the affected ranges in the CVE record, monitor VPN session logs for anomalous client fingerprints and source IPs, and follow vendor mitigations and detection guidance as they are published.
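The session-log check recommended above, as an added example that is not from the article or any vendor: it baselines each user's source networks and client fingerprints from a historical window and flags recent sessions that fall outside them. The record fields (`user`, `src_ip`, `client`) and every sample value are constructed assumptions, not a real GlobalProtect log schema.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records (not real telemetry). Field names are assumptions;
# map them to the fields your own VPN session log export provides.
BASELINE = [
    {"user": "alice", "src_ip": "198.51.100.23", "client": "win11-agent-a"},
    {"user": "alice", "src_ip": "198.51.100.77", "client": "win11-agent-a"},
    {"user": "bob", "src_ip": "203.0.113.5", "client": "macos-agent-b"},
]
RECENT = [
    {"user": "alice", "src_ip": "198.51.100.140", "client": "win11-agent-a"},
    {"user": "bob", "src_ip": "192.0.2.44", "client": "macos-agent-b"},
    {"user": "bob", "src_ip": "192.0.2.44", "client": "linux-cli-x"},
    {"user": "carol", "src_ip": "192.0.2.9", "client": "win11-agent-a"},
]

def network_of(ip, v4_prefix=24, v6_prefix=48):
    """Collapse an address to its enclosing network so DHCP churn is not flagged."""
    addr = ipaddress.ip_address(ip)
    prefix = v4_prefix if addr.version == 4 else v6_prefix
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def build_baseline(records):
    """Per-user sets of source networks and client fingerprints seen historically."""
    seen = defaultdict(lambda: {"nets": set(), "clients": set()})
    for r in records:
        seen[r["user"]]["nets"].add(network_of(r["src_ip"]))
        seen[r["user"]]["clients"].add(r["client"])
    return dict(seen)

def flag_sessions(baseline, recent):
    """Return (user, src_ip, reasons) for each session that deviates from the baseline."""
    findings = []
    for r in recent:
        profile = baseline.get(r["user"])
        reasons = []
        if profile is None:
            reasons.append("user-not-in-baseline")
        else:
            if network_of(r["src_ip"]) not in profile["nets"]:
                reasons.append("new-source-network")
            if r["client"] not in profile["clients"]:
                reasons.append("new-client-fingerprint")
        if reasons:
            findings.append((r["user"], r["src_ip"], reasons))
    return findings

if __name__ == "__main__":
    for finding in flag_sessions(build_baseline(BASELINE), RECENT):
        print(finding)
```

A session that is new on both source network and client fingerprint is the stronger signal to triage first; a new network alone is common for travelling users.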
Scoring Rationale
An actively exploited authentication bypass in a widely used enterprise VPN (CVE-2026-0257) is a notable operational risk for security teams. Combined with adversaries abusing ChatGPT "share" links for malware hosting and a federal audit flagging NVD issues, the story affects vulnerability management, detection, and incident response.


