CVE-2026-0257 is a clean story. A critical authentication bypass in Palo Alto’s GlobalProtect VPN. Forge a cookie and the firewall lets you in. No credentials, no brute force, just a crafted request and a valid session.
The fix is simple. Disable the authentication override feature, or issue a dedicated certificate. Palo Alto published the advisory on May 13. CISA gave federal agencies until June 1.
So the advice writes itself. Run the config check and you are good. Going forward.
That last part is where it gets uncomfortable. Exploitation started around May 17, well before most organizations finished patching. If your firewall was exposed during that window, the question is no longer whether you are vulnerable. It is whether someone already came through, and what they reached.
A forged cookie makes that hard to answer. It does not look like an attack. It looks like an authenticated user: the gateway accepted the cookie, so the session is recorded as a successful login, not a failure. There is no failed attempt to alert on, only a connection the system itself allowed. What is left is context, a source address that does not fit the user, a login at an odd hour, a service account that should never have held a cookie at all, and none of that is proof. You can patch, pull the indicators, satisfy the auditor, and still not know whether anyone walked in while the door was open, or what they did once inside.
The industry already has a name for this. The proof gap: the distance between detecting that something happened and proving what it actually did. Detection tells you a connection occurred. It rarely tells you which file was opened, which record was queried, what left the building. “We haven’t seen lateral movement” is not an answer. It is the absence of one.
And here is the harder truth. You cannot reconstruct what you never recorded. The session that mattered happened weeks ago. The packets are gone, the logs have rolled over, and by the time you know where to look there is nothing left to look at. This is why investigating in hindsight so often fails. The evidence has to exist at the moment of the event, captured in full, or it is simply not there later.
Which means the answer cannot be assembled after the fact. It has to have been recorded all along. Every session, at the level of what was actually done, kept long enough to query when the question finally comes. If that record exists, the answer is waiting before you know you need it. If it does not, no amount of investigation will conjure it.
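To make the proof gap concrete, here is an added example (written for this edit, not code from the original page or from any vendor) that correlates a VPN connection log with a per-session activity log. Both logs are constructed, and their CSV layout and field names are hypothetical, not the format of any real appliance. The point it shows is the one above: the connection log tells you which sessions existed during the exposure window, but only a per-session action record can say what each session reached, and a session with no such record has to be reported as unanswerable, not as clean.

```python
"""Proof-gap triage: connection log vs. per-session activity records.

Constructed data and hypothetical log formats for illustration only.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed VPN connection log: start, session id, user, source ip.
# This is what detection gives you: a list of sessions the gateway allowed.
VPN_LOG = """\
2026-05-15T08:02:11Z,sess-101,alice,203.0.113.10
2026-05-18T02:41:03Z,sess-207,alice,198.51.100.77
2026-05-19T13:20:45Z,sess-211,bob,203.0.113.22
2026-05-21T03:05:17Z,sess-230,svc-backup,198.51.100.77
"""

# Constructed per-session activity log: time, session id, action, target.
# Deliberately incomplete: sess-207 has no records, as if retention had
# already rolled over or the actions were never captured at all.
ACTIVITY_LOG = """\
2026-05-19T13:22:01Z,sess-211,file_read,/share/finance/q2.xlsx
2026-05-21T03:06:40Z,sess-230,db_query,customers
2026-05-21T03:09:12Z,sess-230,file_read,/share/hr/payroll.csv
"""


@dataclass
class Session:
    start: datetime
    session_id: str
    user: str
    src_ip: str
    actions: list = field(default_factory=list)  # (action, target) pairs
    evidence: str = "none"  # "recorded" once activity records are attached


def _ts(value):
    """Parse the constructed timestamp format as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_vpn_log(text):
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, user, ip = line.split(",")
        sessions.append(Session(_ts(ts), sid, user, ip))
    return sessions


def parse_activity_log(text):
    """Group activity records by session id."""
    by_session = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts_unused, sid, action, target = line.split(",")
        by_session.setdefault(sid, []).append((action, target))
    return by_session


def triage(vpn_text, activity_text, window_start, window_end):
    """For each session that started inside the exposure window, attach
    whatever per-session evidence exists. Absence of records is reported
    as 'none', never as proof that nothing happened."""
    start, end = _ts(window_start), _ts(window_end)
    activity = parse_activity_log(activity_text)
    triaged = {}
    for s in parse_vpn_log(vpn_text):
        if not (start <= s.start <= end):
            continue
        s.actions = activity.get(s.session_id, [])
        s.evidence = "recorded" if s.session_id in activity else "none"
        triaged[s.session_id] = s
    return triaged


def unanswerable(triaged):
    """Session ids for which 'what did they reach?' cannot be answered."""
    return sorted(sid for sid, s in triaged.items() if s.evidence == "none")


def targets_touched(triaged):
    """Every (session, target) pair that can actually be proven."""
    return sorted((sid, tgt) for sid, s in triaged.items() for _, tgt in s.actions)


if __name__ == "__main__":
    # Exposure window: first observed exploitation through the CISA deadline.
    result = triage(VPN_LOG, ACTIVITY_LOG, "2026-05-17T00:00:00Z", "2026-06-01T00:00:00Z")
    for sid, s in result.items():
        print(sid, s.user, s.src_ip, s.evidence, s.actions)
    print("cannot answer for:", unanswerable(result))
```

Run stand-alone, the script lists three sessions inside the window and reports sess-207 as one it cannot answer for. Note what the connection log alone shows for that session: a known user, a successful login, and only a source address shared with an unrelated service account as a hint. Nothing in the script can turn that hint into an answer; only the activity records, had they been kept, could.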
Every internet-facing appliance gets its turn. Palo Alto this month. Ivanti Connect Secure, Citrix NetScaler, Fortinet’s SSL VPN and Cisco’s ASA in the seasons before it. The vendor changes. The pattern does not.
So patch the VPN, then sit with the question the patch cannot answer. Attackers will find a way in. How will you know who is accessing your critical data?