Palo Alto Networks' GlobalProtect VPN product is under active exploitation in its second distinct attack wave, which is to say that the initial disclosure and patch cycle produced a remediation rate slow enough to sustain a second campaign against the unpatched population. Palo Alto sells network perimeter security. Their perimeter product has an authentication bypass that needed two exploitation waves to motivate patching. Concurrently, The Hacker News reported on June 2 that the Dragon Weave cluster, attributed to China-linked operators, is deploying espionage tooling against Czech and Taiwanese targets, a paired collection sweep across two jurisdictions whose correspondent-banking relationships thread directly into HKMA-regulated institutions.
HKMA's Supervisory Policy Manual TM-E-1 and the MAS Technology Risk Management Guidelines both carry mandatory patch timelines for critical vulnerabilities, and the second GlobalProtect exploitation wave is evidence that those timelines are producing audit-trail compliance at a rate that outpaces actual remediation. The gap is structural, not exceptional. APAC private banking operations using GlobalProtect as their remote-access perimeter should read Dragon Weave's Taiwan targeting as a collection-proximity indicator; the campaign is already operating inside the correspondent-network neighborhood. The first institution to file under HKMA's mandatory breach-notification obligation after a Dragon Weave intrusion will be the next data point on whether TM-E-1 functions as a detection mechanism or a paperwork sequencer.