What Happened
Palo Alto Networks has disclosed a critical vulnerability in PAN-OS, the operating system that runs its firewalls and other network security appliances. It allows an unauthenticated attacker to take full remote control of the device: no credentials, no prior access. The attack is launched over the internet against the firewall's VPN and user authentication portal, which is by design exposed to the public internet. CISA has confirmed active exploitation and has added the flaw to the US Government's Known Exploited Vulnerabilities (KEV) catalogue. Intelligence analysis links the exploitation to espionage-motivated threat actors targeting government and defence organisations.
Business Impact
Palo Alto firewalls are deployed as perimeter security devices: they sit at the boundary between an organisation's internal network and the internet and control all traffic crossing it. An attacker who controls the firewall holds an exceptionally privileged position. They can inspect the traffic passing through the device (including the credentials of users connecting remotely over VPN), alter firewall rules to open new paths into the internal network, and operate from inside the organisation's infrastructure with little chance of detection, because firewalls typically carry no endpoint agent and are not monitored with the same rigour as servers and workstations.
This is not a standard server compromise. At this level, the device designed to protect the network is now operated by the adversary, and the logs that would normally reveal the intrusion are generated by the compromised device itself. Organisations that were exploited during the six-week window before the vulnerability became public may have no indication that they are compromised.
Regulatory Implications
Organisations classified under NIS2 as essential or important entities must apply patches to critical infrastructure, and in particular to internet-facing security infrastructure, as a priority security measure. Confirmed exploitation of a firewall management plane may constitute a significant incident requiring notification to the competent authority. Under DORA, financial entities must treat exploitation of critical network infrastructure as a potential major ICT-related incident and assess it against their notification obligations.
Board-Ready Summary
- Palo Alto firewalls in your environment may have been compromised by espionage actors from April 2026 onwards, roughly six weeks before the flaw was publicly known.
- A compromised firewall gives attackers visibility into traffic crossing your network boundary and a route into internal systems that is unlikely to be detected.
- Emergency patching must occur within 24 hours, and your security team must investigate whether compromise occurred before the patch was applied.
Recommended Actions
- Immediate (today): Identify all PAN-OS installations, physical and virtual, and confirm whether they run versions vulnerable to CVE-2026-0300 (all versions prior to the patches released 5 May 2026). Check the running version on each appliance rather than relying on asset inventory.
- Immediate (today): Apply the available patches. Contact Palo Alto support if you need assistance prioritising which appliances to patch first; internet-facing appliances in the targeted sectors come first.
- Immediate (today): If immediate patching is not possible, block internet access to the User-ID authentication portal endpoint on all affected firewalls through security policy changes, permitting only the source ranges that genuinely need it. This is the vulnerable endpoint, so restricting who can reach it is the only interim mitigation.
- Short-term (this week): Review PAN-OS logs from 6 April 2026 onwards for anomalous authentication events, configuration commits you cannot account for, and new or modified administrator accounts. Treat any such anomaly as a potential indicator of prior compromise, and remember that an attacker who controlled the device may have edited or suppressed its local logs, so prefer copies forwarded to a log collector or SIEM.
- Short-term (this week): If your organisation is in government, defence, or critical infrastructure, the sectors most targeted in the known exploitation, engage your security operations centre or a third-party incident response firm to conduct a compromise assessment of your firewall management infrastructure.
- Ongoing: Confirm that firewall management interfaces are reachable only from management network IP ranges, never from the internet. Perimeter security devices should never have administrative interfaces directly internet-accessible.
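The version check and the log review above are the two steps most teams end up scripting across a fleet. The following is an added example, not code from the advisory or from Palo Alto Networks, showing both: a comparison of a running PAN-OS version (including the `-hN` hotfix suffix) against the first fixed release on its train, and a triage pass over exported admin-plane events that flags new administrator accounts, commits, and successful admin logins from outside the management ranges within the review window. Everything specific is an assumption: the fixed-version values must come from the vendor advisory (the ones in the sample are placeholders), the log lines are a constructed, simplified `key=value` format rather than PAN-OS's native CSV export (map the real columns onto the same field names), and the IP addresses are documentation ranges.

```python
import ipaddress
import re
from datetime import datetime, timezone

# Review window from the briefing: 6 April 2026 onwards.
WINDOW_START = datetime(2026, 4, 6, tzinfo=timezone.utc)

# PAN-OS versions look like '11.1.4' or '11.1.4-h7' (hotfix 7 of 11.1.4).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn a PAN-OS version string into a sortable (major, minor, maint, hotfix) tuple.
    A release with no hotfix suffix sorts below '-h1' of the same release."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess_version(sw_version, fixed_by_train):
    """Return 'patched', 'vulnerable' or 'unknown-train'.

    fixed_by_train maps a release train such as '11.1' to the first fixed
    version on that train, copied from the vendor advisory. A train the
    caller has not listed is reported for manual review, never assumed safe."""
    v = parse_version(sw_version)
    train = f"{v[0]}.{v[1]}"
    if train not in fixed_by_train:
        return "unknown-train"
    return "patched" if v >= parse_version(fixed_by_train[train]) else "vulnerable"


# Constructed log format (assumption, not PAN-OS's CSV export):
#   <ISO-8601 UTC timestamp> key=value key="quoted value" ...
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_log_line(line):
    """Parse one constructed log line into a dict; 'ts' holds the parsed timestamp."""
    ts_text, _, rest = line.strip().partition(" ")
    rec = {k: v.strip('"') for k, v in _KV_RE.findall(rest)}
    rec["ts"] = datetime.fromisoformat(ts_text.replace("Z", "+00:00"))
    return rec


def triage(lines, mgmt_ranges, window_start=WINDOW_START):
    """Flag admin-plane events inside the review window that match the
    post-exploitation activity the briefing asks teams to look for.
    Returns a list of (finding_type, record) tuples in log order."""
    nets = [ipaddress.ip_network(n) for n in mgmt_ranges]
    findings = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_log_line(line)
        if rec["ts"] < window_start:
            continue  # before the exploitation window; out of scope
        src = rec.get("src")
        from_mgmt = src is not None and any(ipaddress.ip_address(src) in n for n in nets)
        path = rec.get("path", "")
        # Any creation or modification of an administrator is suspicious
        # regardless of source; the other two rules key on non-management sources.
        if rec.get("cmd") in ("add", "set") and path.startswith("mgt-config users"):
            findings.append(("new-or-modified-admin", rec))
        elif rec.get("cmd") == "commit" and not from_mgmt:
            findings.append(("commit-from-non-mgmt-source", rec))
        elif rec.get("event") == "auth-success" and not from_mgmt:
            findings.append(("admin-login-from-non-mgmt-source", rec))
    return findings


# Constructed sample export: one benign pre-window commit, an attacker-style
# login, account creation and commit from an internet address, and a routine
# change from the management network.
SAMPLE_LOG = """\
2026-04-02T09:10:11Z type=CONFIG admin=netops client=Web cmd=commit src=10.10.0.5 result=Succeeded
2026-04-12T03:14:07Z type=SYSTEM event=auth-success admin=admin client=Web src=203.0.113.45
2026-04-12T03:15:02Z type=CONFIG admin=admin client=Web cmd=add path="mgt-config users svc_backup" src=203.0.113.45 result=Succeeded
2026-04-12T03:16:40Z type=CONFIG admin=admin client=Web cmd=commit src=203.0.113.45 result=Succeeded
2026-04-20T08:00:00Z type=CONFIG admin=netops client=Web cmd=set path="network interface ethernet ethernet1/1" src=10.10.0.5 result=Succeeded
"""

if __name__ == "__main__":
    # Placeholder fixed version for illustration; take the real value from the advisory.
    fixed = {"11.1": "11.1.4-h7"}
    for ver in ("11.1.3", "11.1.4-h2", "11.1.4-h7", "10.2.9"):
        print(f"{ver:>10}: {assess_version(ver, fixed)}")
    for kind, rec in triage(SAMPLE_LOG.splitlines(), ["10.10.0.0/24"]):
        print(f"{rec['ts'].isoformat()} {kind} admin={rec.get('admin')} src={rec.get('src')}")
```

The three findings from the sample all originate from the same internet address within minutes of each other, which is the pattern a compromise assessment should escalate: a successful admin login from outside the management network, followed by a new account and a commit. Run the triage over logs forwarded to your collector rather than over the appliance's local copy, since a compromised device may have altered its own logs.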