CVE-2026-0257: Active GlobalProtect Exploitation Puts Manufacturer OT Networks at Risk
Cybersecurity Risk · 5 min read · June 1, 2026

A confirmed authentication bypass in Palo Alto Networks PAN-OS GlobalProtect has been actively exploited since May 17, 2026 — and manufacturers using it for OT/IT boundary control face plant floor exposure if unpatched.

Attackers have been inside confirmed GlobalProtect environments since May 17, 2026, four days after Palo Alto Networks published patches for CVE-2026-0257. For a mid-market manufacturer using GlobalProtect as the boundary between corporate IT and the plant floor, this is not a routine patch advisory. It is a question of whether your OT network is still yours.

What Happened

Palo Alto Networks' security advisory, published May 13, 2026, describes CVE-2026-0257 as an authentication bypass in the GlobalProtect portal and gateway — the components that control who gets VPN access to the network behind the firewall. An attacker can forge a session cookie to authenticate as the local admin account without supplying valid credentials. Affected PAN-OS versions are 10.2, 11.1, 11.2, and 12.1; patches for all four were released May 13. Prisma Access versions 10.2.0 and 11.2.0 also received fixes.

Exploitation began almost immediately. According to Rapid7's investigation published May 29, 2026, threat actors launched their first wave on May 17, targeting multiple customer environments via the hosting provider Vultr. A second wave followed May 21, originating from Dromatics Systems, and went further: VPN IP assignment followed cookie authentication, meaning attackers received a routable address inside the target network. They were not just knocking. They were in.

Rapid7's data shows that in 8 out of 10 observed exploitation cases, forged cookies were accepted by vulnerable systems without the attacker completing a full VPN session. Standard credential monitoring — which looks for login failures or unusual usernames — would not catch this. The session looks authenticated because, to the firewall, it is. CISA added CVE-2026-0257 to its Known Exploited Vulnerabilities catalog on May 29, 2026, and issued an alert on May 27 requiring federal civilian agencies to remediate by June 1. That deadline has passed. Palo Alto Networks confirmed active exploitation on unpatched devices.

Why This Is Different for Manufacturers

In a general enterprise IT environment, a compromised VPN gateway exposes email, file shares, and business applications — serious, but contained to IT systems.

In a manufacturing environment, GlobalProtect is frequently deployed differently. It sits between corporate IT and the OT floor, controlling which users, vendors, and remote sessions can reach PLCs, SCADA systems, DCS controllers, historian servers, and MES integrations. For mid-market manufacturers, where dedicated OT security infrastructure is uncommon, GlobalProtect often functions as the primary — sometimes the only — enforced boundary between the internet-connected corporate network and the operational technology running production.

When an attacker receives a VPN-assigned IP address through a compromised GlobalProtect gateway, they land inside whatever network segment that gateway bridges. If that segment has routes to OT equipment — and in many mid-market plants it does — they do not need additional lateral movement to reach a historian server, an MES integration endpoint, or a network-accessible PLC. They are already there.

No source has confirmed that OT systems were specifically reached or damaged through CVE-2026-0257 exploitation. What Rapid7 confirmed is internal network access following VPN IP assignment. The OT risk is a structural consequence of where GlobalProtect sits in a manufacturing network, not a claimed outcome — but it is the direct risk that unpatched manufacturers are carrying right now.

The Access Path That Standard Monitoring Misses

Forged cookie authentication to the local admin account does not generate the signals that most small IT teams or co-managed MSPs monitor for: no failed login attempts, no unusual username, no MFA prompt that goes unanswered. The session appears valid.

If your MSP's alerting is built around failed authentications or impossible-travel flags in Active Directory, it may have seen nothing. The relevant logs are GlobalProtect authentication events — specifically cookie-based authentication events originating from Vultr or Dromatics Systems IP ranges between May 17 and whenever your patch was applied. Without a SIEM or log management system pulling those logs, you may have no visibility into whether your environment was probed.

This is where the sequence matters: do not patch first and assume you are clean. Patching closes the vulnerability but does not evict an attacker who gained access before the patch was applied. Hunt for indicators of compromise first, then patch.
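The triage step described in the two paragraphs above, as an added example that is not part of the article and not code from Rapid7 or Palo Alto Networks: it walks a few constructed GlobalProtect-style log lines, flags cookie authentications to the local admin inside the exposure window, raises severity when the same source is then handed a VPN address, and turns the result into the hunt-first-then-patch decision. The log layout, the field names, the event kinds `auth` and `ip_assign`, the admin username `admin`, the patch date and the suspect ranges (RFC 5737 documentation networks standing in for the infrastructure named in the Rapid7 report) are all assumptions; real PAN-OS logs use a vendor-defined layout and the published indicator list should be substituted.

```python
"""Hunt-before-patch triage over GlobalProtect-style authentication logs.

Added example. Log layout, field names, event kinds, admin username,
patch date and suspect ranges are assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Placeholders for the Vultr / Dromatics Systems ranges; substitute the published indicators.
SUSPECT_RANGES = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]
EXPOSURE_START = datetime(2026, 5, 17)   # first exploitation wave per the article
PATCH_APPLIED = datetime(2026, 5, 25)    # constructed: when this site applied the fix
LOCAL_ADMIN = "admin"                    # assumed name of the built-in local admin

# Constructed sample lines: "<timestamp> <event> key=value ..."
SAMPLE_LOG = """\
2026-05-16T09:00:00Z auth user=jdoe src=192.0.2.10 method=credentials
2026-05-18T02:14:05Z auth user=admin src=203.0.113.45 method=cookie
2026-05-18T02:14:07Z ip_assign user=admin src=203.0.113.45 assigned=10.50.7.21
2026-05-20T11:30:00Z auth user=admin src=192.0.2.77 method=cookie
2026-05-22T08:05:00Z auth user=admin src=192.0.2.50 method=credentials
2026-05-26T14:00:00Z auth user=admin src=203.0.113.9 method=cookie
"""


@dataclass(frozen=True)
class GpEvent:
    ts: datetime
    event: str        # "auth" or "ip_assign"
    user: str
    src_ip: str
    auth_method: str  # "cookie" or "credentials" (auth events only)
    assigned_ip: str  # VPN address handed out (ip_assign events only)


def parse_log(text):
    """Parse the simplified log format into events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts_s, kind, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        events.append(GpEvent(
            ts=datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ"),
            event=kind,
            user=fields["user"],
            src_ip=fields["src"],
            auth_method=fields.get("method", ""),
            assigned_ip=fields.get("assigned", ""),
        ))
    return sorted(events, key=lambda e: e.ts)


def in_suspect_range(ip):
    addr = ip_address(ip)
    return any(addr in net for net in SUSPECT_RANGES)


def triage(events, patch_time=PATCH_APPLIED, window=timedelta(minutes=10)):
    """Flag cookie authentications to the local admin inside the exposure window.

    "high" = the same source was then handed a VPN address (internal access,
    the worse case in the report); "medium" = cookie accepted, no address seen.
    """
    findings = []
    for i, e in enumerate(events):
        if e.event != "auth" or e.auth_method != "cookie" or e.user != LOCAL_ADMIN:
            continue
        if not (EXPOSURE_START <= e.ts <= patch_time):
            continue
        assign = next(
            (f for f in events[i + 1:]
             if f.event == "ip_assign" and f.user == e.user
             and f.src_ip == e.src_ip and f.ts - e.ts <= window),
            None,
        )
        findings.append({
            "ts": e.ts.isoformat(),
            "src_ip": e.src_ip,
            "known_infra": in_suspect_range(e.src_ip),
            "assigned_ip": assign.assigned_ip if assign else "",
            "severity": "high" if assign else "medium",
        })
    return findings


def recommended_action(findings):
    """Sequencing rule: evidence of access means contain first, then patch."""
    if any(f["severity"] == "high" for f in findings):
        return "contain_then_patch"
    if findings:
        return "investigate_then_patch"
    return "patch"


def run_sample():
    return triage(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    found = run_sample()
    for f in found:
        print(f)
    print("recommended:", recommended_action(found))
```

On the sample, the May 18 cookie login from a suspect range is followed two seconds later by a VPN address assignment and comes out "high"; the May 20 cookie login from an unlisted source is still flagged "medium", because the point of the check is the authentication method, not the source address. Events after the patch date are outside the window by construction; widen `patch_time` if the patch date is uncertain.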

What to Check Right Now

These are the specific items that determine your exposure and sequencing:

  • PAN-OS version on every GlobalProtect-enabled firewall. If you are running 10.2, 11.1, 11.2, or 12.1 without the May 13 patches applied, you have an open authentication bypass. Check the Palo Alto advisory for fixed release numbers by version branch.
  • GlobalProtect authentication logs from May 17 onward. Look for cookie-based authentication events to the local admin account. Cross-reference source IPs against known Vultr and Dromatics Systems IP ranges, which Rapid7 identified as the attack infrastructure.
  • VPN IP assignment logs during the same window. A cookie authentication event followed by a VPN IP assignment means the attacker received internal network access — the higher-severity scenario in Rapid7's findings.
  • Network reachability from VPN-assigned IP ranges. Map which network segments are accessible from the IP range GlobalProtect assigns to authenticated sessions. Identify whether OT zones, SCADA historian servers, or MES systems are reachable from that range without requiring additional authentication.
  • Third-party vendor sessions during the exposure window. If remote vendors use GlobalProtect for plant floor access, audit which sessions occurred between May 17 and your patch date. A vendor's unpatched client or compromised session is a separate entry path.
  • Compensating controls that were active. IP allowlisting and MFA enforcement at the GlobalProtect layer reduce exploitability. If those were in place during the exposure window, your risk profile is lower. Document it either way.
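The reachability item in the list above, as an added example that is not part of the article and not a vendor tool: given the address pool GlobalProtect hands to authenticated sessions and a rule set, it classifies each OT segment as exposed (allowed with no further gate), gated (allowed only through a path that requires a second login) or blocked. The pool, segment addresses, rule names and the `extra_auth` flag are constructed; the policy model (top-down, first match wins, implicit deny at the end) is an assumption stated in the code.

```python
"""Which OT segments can an authenticated GlobalProtect session reach?

Added example. Pool, segments and rules are constructed; rules are evaluated
top-down with first match winning and an implicit deny at the end (assumed
policy model).
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    action: str               # "allow" or "deny"
    extra_auth: bool = False  # assumed flag: path runs through a jump host / second login


VPN_POOL = ip_network("10.50.7.0/24")   # constructed pool for authenticated sessions

OT_SEGMENTS = {                          # constructed plant addressing
    "historian": ip_network("10.60.10.0/24"),
    "mes": ip_network("10.60.20.0/24"),
    "plc_vlan": ip_network("10.60.30.0/24"),
    "scada_hmi": ip_network("10.60.40.0/24"),
    "eng_workstations": ip_network("10.70.5.0/24"),
}

RULES = [
    Rule("vpn-to-historian", VPN_POOL, ip_network("10.60.10.0/24"), "allow"),
    Rule("vpn-to-mes-via-jump", VPN_POOL, ip_network("10.60.20.0/24"), "allow", extra_auth=True),
    # Over-broad legacy rule: any 10/8 source, which includes the VPN pool, reaches the HMI VLAN.
    Rule("corp-to-hmi", ip_network("10.0.0.0/8"), ip_network("10.60.40.0/24"), "allow"),
    Rule("vpn-to-ot-deny", VPN_POOL, ip_network("10.60.0.0/16"), "deny"),
]


def first_match(src_pool, segment, rules):
    """Return the first rule whose source and destination overlap the pool and segment."""
    for r in rules:
        if src_pool.overlaps(r.src) and segment.overlaps(r.dst):
            return r
    return None


def reachable_from_vpn(pool=VPN_POOL, segments=OT_SEGMENTS, rules=RULES):
    """Map segment name -> (status, rule name) for traffic from the VPN pool."""
    result = {}
    for name, net in segments.items():
        r = first_match(pool, net, rules)
        if r is None:
            result[name] = ("blocked", "implicit-deny")
        elif r.action == "deny":
            result[name] = ("blocked", r.name)
        elif r.extra_auth:
            result[name] = ("gated", r.name)
        else:
            result[name] = ("exposed", r.name)
    return result


def exposed_segments(result):
    """Segments reachable from the pool with no additional authentication."""
    return sorted(name for name, (status, _) in result.items() if status == "exposed")


if __name__ == "__main__":
    res = reachable_from_vpn()
    for name, (status, rule) in res.items():
        print(f"{name:18} {status:8} via {rule}")
    print("exposed without extra auth:", exposed_segments(res))
```

The matching is deliberately coarse: a rule counts if any address in the pool could reach any address in the segment, which is the right direction to err in for an exposure review. The constructed `corp-to-hmi` rule is the kind of finding this check is for: a broad corporate source that quietly includes the VPN pool and sits above the OT deny rule.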

What to Watch Next

The Rapid7 investigation covered a defined observation period. Additional attack infrastructure beyond Vultr and Dromatics Systems may exist that is not yet documented. Watch for updated indicators of compromise from Rapid7 or Palo Alto Networks as intelligence on this campaign develops.

ICS and OT-specific security firms including Dragos and Claroty had not published manufacturing-sector targeting intelligence tied to CVE-2026-0257 as of the Rapid7 report date. If that changes, it signals that threat actors are actively mapping OT assets reached through compromised GlobalProtect sessions — a material escalation for manufacturers.

Cyber insurance carriers are increasingly conditioning coverage on timely remediation of KEV-listed vulnerabilities. The June 1 federal deadline has passed. If you are carrying an unpatched exposure against a CISA KEV entry, review your policy language on known-vulnerability response timelines before your next renewal conversation.
