CISA Flags Palo Alto PAN-OS Flaw After Reports of Attacks

Palo Alto Warns of Active Exploitation as Critical PAN-OS Firewall Flaw Triggers Global Security Alert

  • Active Exploitation of Palo Alto Firewall Flaw Sparks Global Security Warning
  • Critical PAN-OS Vulnerability Lets Hackers Target Enterprise Firewalls
  • Palo Alto Warns of Real-World Attacks on High-Severity Firewall Bug
  • Cybersecurity Alert: Attackers Exploiting Palo Alto Zero-Day in the Wild
  • Firewall at Risk: Palo Alto Confirms Active Exploitation of Critical Bug
  • CISA Flags Palo Alto PAN-OS Flaw After Reports of Ongoing Attacks
  • Hackers Exploiting Critical PAN-OS Vulnerability in Targeted Campaigns

Cybersecurity experts are raising urgent concerns after Palo Alto Networks confirmed that a critical vulnerability in its PAN-OS firewall software is being actively exploited in the wild, putting enterprise networks worldwide at risk of full system compromise.

The flaw, tracked as CVE-2026-0300, affects the User-ID Authentication Portal used in PA-Series and VM-Series firewalls. Security researchers say the vulnerability allows unauthenticated attackers to execute remote code with root-level privileges simply by sending specially crafted network traffic to exposed systems.

Limited but Real-World Attacks Detected

Palo Alto Networks has disclosed that exploitation activity has already been observed in “limited but active” attacks, primarily targeting organizations that exposed their authentication portals to the public internet or untrusted networks.

Security teams warn that once successfully exploited, attackers could gain deep access to internal systems, potentially moving laterally across corporate networks, deploying malware, or stealing sensitive data without detection.

High Severity, High Impact

The vulnerability carries a CVSS score of 9.3 out of 10, placing it in the critical severity category. While the risk is reduced for organizations that restrict portal access to trusted internal networks, exposed systems remain highly vulnerable.

Affected versions include multiple PAN-OS releases across 10.2, 11.1, 11.2, and 12.1 branches, making the issue widespread across enterprise environments that rely on Palo Alto firewalls for perimeter security.

No Immediate Patch — Only Mitigation for Now

Palo Alto has acknowledged that a permanent fix is still in development, with security updates expected to roll out later. In the meantime, the company is urging customers to immediately secure their systems by restricting or disabling external access to the User-ID Authentication Portal.
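The affected branches and the exposure condition described above can be turned into a quick triage pass over a firewall inventory. This is an added example, not code from Palo Alto Networks or from the original article; the inventory format, field names, host names, version strings and the trusted network ranges are all assumptions constructed for illustration.

```python
import ipaddress
# Branches the article names; coarse on purpose, the vendor advisory decides exact versions.
AFFECTED_BRANCHES = {"10.2", "11.1", "11.2", "12.1"}
# Assumption: address space this organization treats as trusted internal networks.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ORDER = {"urgent": 0, "reduced": 1, "not-listed": 2, "portal-off": 3}

# Constructed sample inventory (hypothetical hosts, versions and field names).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "version": "11.1.0", "portal_enabled": True, "allowed_sources": ["0.0.0.0/0"]},
    {"host": "fw-dc-02", "version": "10.2.0", "portal_enabled": True, "allowed_sources": ["10.20.0.0/16"]},
    {"host": "fw-lab-03", "version": "11.2.0", "portal_enabled": False, "allowed_sources": []},
    {"host": "fw-branch-04", "version": "12.1.0", "portal_enabled": True, "allowed_sources": ["192.168.5.0/24", "203.0.113.0/24"]},
]

def branch_of(version):
    """Reduce a version string such as '11.1.0-h1' to its branch, '11.1'."""
    return ".".join(version.split(".")[:2])

def untrusted_sources(allowed_sources):
    """Return the source CIDRs that are not fully inside a trusted network."""
    if not allowed_sources:          # no restriction recorded: treat as open to any source
        return ["any"]
    flagged = []
    for cidr in allowed_sources:
        net = ipaddress.ip_network(cidr, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_NETS):
            flagged.append(cidr)
    return flagged

def triage(inventory):
    """Return (host, level, reason) tuples, most urgent first."""
    results = []
    for fw in inventory:
        if not fw["portal_enabled"]:
            level, why = "portal-off", "Authentication Portal disabled"
        elif branch_of(fw["version"]) not in AFFECTED_BRANCHES:
            level, why = "not-listed", "branch not named in the article; confirm in the advisory"
        elif untrusted_sources(fw["allowed_sources"]):
            level, why = "urgent", "portal reachable from " + ", ".join(untrusted_sources(fw["allowed_sources"]))
        else:
            level, why = "reduced", "portal limited to trusted networks"
        results.append((fw["host"], level, why))
    return sorted(results, key=lambda r: ORDER[r[1]])

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(*row, sep="\t")
```

Hosts marked "urgent" are the ones where the mitigation of restricting or disabling external portal access applies first; "reduced" matches the article's note that restricting the portal to trusted networks lowers the risk without removing it.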

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply mitigations urgently.

Why This Attack Matters

Firewalls are typically the first line of defense in enterprise security architecture. A successful exploit at this layer means attackers do not need phishing emails, stolen passwords, or malware delivery — they can directly breach network perimeters.

Security analysts warn that vulnerabilities like this are increasingly being targeted by sophisticated threat actors, including potential state-sponsored groups, due to the high level of access they provide once compromised.

A Growing Pattern of Firewall Exploits

The incident adds to a rising trend of attackers focusing on edge-network devices such as VPN gateways, routers, and firewalls — systems that sit directly between internal networks and the internet.

Experts say these systems are often less monitored than endpoints, making them ideal entry points for stealthy, long-term intrusions.

As organizations race to patch and secure exposed systems, the incident serves as another reminder that even enterprise-grade security tools can become critical attack vectors when misconfigured or left exposed online.

Ikeh James Certified Data Protection Officer (CDPO) | NDPC-Accredited

Ikeh James Ifeanyichukwu is a Certified Data Protection Officer (CDPO) accredited by the Institute of Information Management (IIM) in collaboration with the Nigeria Data Protection Commission (NDPC). With years of experience supporting organizations in data protection compliance, privacy risk management, and NDPA implementation, he is committed to advancing responsible data governance and building digital trust in Africa and beyond. In addition to his privacy and compliance expertise, James is a Certified IT Expert, Data Analyst, and Web Developer, with proven skills in programming, digital marketing, and cybersecurity awareness. He has a background in Statistics (Yabatech) and has earned multiple certifications in Python, PHP, SEO, Digital Marketing, and Information Security from recognized local and international institutions. James has been recognized for his contributions to technology and data protection, including the Best Employee Award at DKIPPI (2021) and the Outstanding Student Award at GIZ/LSETF Skills & Mentorship Training (2019). At Privacy Needle, he leverages his diverse expertise to break down complex data privacy and cybersecurity issues into clear, actionable insights for businesses, professionals, and individuals navigating today’s digital world.
