back to blog

BLOG

Closing the Gap: Why Exposure Management and MDR Have to Work Together

By : Jacob Elziq, CEO, Armature Systems | Emanuel Salmon, Co-Founder & CEO, Nagomi Security

On May 13, 2026, Palo Alto Networks disclosed CVE-2026-0257 , an authentication bypass in PAN-OS GlobalProtect that allowed an attacker to forge a session cookie and establish an unauthorized VPN connection to a vulnerable firewall, with a patch made available on the same day.

Four days later, active exploitation was confirmed across multiple enterprise environments.

The attackers read the same advisory defenders did, built an exploit from a publicly available certificate, and started scanning. By the time CISA added the CVE to its Known Exploited Vulnerabilities catalog on May 29, the window had been open for nearly two weeks. That window is what this post is about.

What actually happened

The vulnerability had a narrow set of prerequisites. It required GlobalProtect portal or gateway to have authentication override cookies enabled, with the certificate used for those cookies shared with another feature, which exposed the public key. An attacker who knew the certificate could forge a valid cookie that the firewall would accept.

Palo Alto initially rated the vulnerability as medium severity, but that assessment changed quickly after exploitation was confirmed in the wild.

Exploitation was first observed on May 17, four days after disclosure, with a second wave on May 21 in which the same threat actor established VPN sessions and gained direct access to internal networks across a subset of the environments they had probed. CISA upgraded the severity designation and ordered federal agencies to remediate by June 1.


The organizations that got hit were not running an obviously broken process. Their teams had the advisory and were working through the patch with proper change management in place. But completing a patch cycle across a production environment in four days is not a realistic expectation for most organizations. The attacker’s timeline and the defender’s timeline are no longer the same thing, and that gap has a real cost.

Why the window exists and why it is not going away

When a vendor discloses a vulnerability publicly, both sides get the information at the same time. In a world where AI is now accelerating exploit development and automated scanning, simultaneous disclosure increasingly favors whoever can operationalize the information fastest, and right now that tends to be the attacker.

CVE-2026-0257 illustrates this clearly because the exploit was not technically complex. The vulnerability was well-documented, the attack surface was identifiable from the outside, and an attacker monitoring vendor advisories could start building within hours of the May 13 disclosure. A defender running a responsible change process realistically needs more time than that.

The answer is not to blame the change process, because it exists for good reasons. The answer is to have a strategy for what happens inside the window it creates.

What the right response looks like and where it has to start

The organizations that fared best with CVE-2026-0257 shared a few things in common.

They knew their actual exposure before the patch was applied. The vulnerability required a specific configuration to be exploitable, and organizations with continuous visibility into their control posture knew whether that configuration existed in their environment the moment the advisory landed. Fast patching alone doesn’t provide that kind of answer. It is a different kind of capability entirely, one that shows which assets are exploitable and why, at any given moment.

This is the problem Nagomi was built to solve. Most security teams already own the tools to close exposures. What they lack is a clear, continuously updated picture of which exposures are real, which controls are operational, and where the genuine gaps sit. Nagomi connects to the tools an organization already uses and correlates coverage gaps, vulnerabilities, and misconfigurations with asset context to surface toxic combinations: the handful of conditions that, when combined, create an attack pathway.

CVE-2026-0257 is a good example. Authentication override cookies enabled on a GlobalProtect gateway, combined with a reused certificate, gave attackers everything they needed. Neither condition alone gets you there.

Nagomi also surfaces where a compensating control is missing and, importantly, where one exists. Sometimes a dedicated certificate or a disabled feature is enough to close the exposure while the patch works through the queue. From there, Nagomi prioritizes each toxic combination by actual business risk, guides the team to the fix, and verifies the fix held once it is applied.

In a CVE-2026-0257 scenario, that same visibility means a team would have known its authentication override cookies were misconfigured and unprotected by a compensating control before May 13, not after.

The second thing organizations that fared well against this CVE did was lead with compensating controls. Disabling the authentication override feature, or generating a new certificate used exclusively for it, neutralized the attack chain without waiting for a full patch cycle. Compensating controls are not a substitute for patching, but they buy the time patching actually needs.

The third thing successful organizations did was have someone watch the window of attack while it was open. The exploitation of CVE-2026-0257 was not loud. It showed up as forged cookies, quiet VPN sessions, and in some environments, early-stage movement into internal systems. That kind of activity does not show up in a weekly review. It requires active, continuous monitoring by someone looking for the quiet indicators of post-authentication behavior in real time.

This is where Armature’s MDR practice operates. We monitor for the post-exploitation behavior that tends to follow fresh CVE disclosures: the quiet credential use, the lateral probing, the first steps an attacker takes after they are inside. When we find something, we work it through to containment rather than handing off an alert and waiting for a callback.

The question every team should be asking

CVE-2026-0257 will not be the last time an internet-facing device gets exploited within days of disclosure. The pattern is consistent, and the window between when a vulnerability becomes public and when most organizations have acted on it is a known, predictable, and exploitable gap.

The organizations that handle this well are not necessarily patching faster. They are the ones that have built a real answer for both sides of the problem: closing the exposure surface before the window opens, and maintaining active coverage inside it when it does.

Four days is not enough time for a patch cycle. It is enough time for a prepared team.

See Nagomi in action at nagomisecurity.com