Skip to content
You can now search across every topic, entity and event.What's new
PAN-OS
TechnologyUS

PAN-OS

Palo Alto Networks firewall and SD-WAN OS; repeatedly targeted by state actors exploiting perimeter-device flaws.

Last refreshed: 14 June 2026 · Appears in 1 active topic

Key Question

Why are firewalls becoming the preferred entry point for ransomware gangs?

Timeline for PAN-OS

#818 Jun

Mentioned in: Splunk lands its first-ever KEV entry

Cybersecurity: Threats and Defences
#810 Jun

Mentioned in: CISA tears up its KEV deadline rules

Cybersecurity: Threats and Defences
#79 Jun

Mentioned in: Arista refuses to patch KEV flaw

Cybersecurity: Threats and Defences
#78 Jun

VPN zero-day open a month pre-patch

Cybersecurity: Threats and Defences
#61 Jun
View full timeline →
Common Questions
Is my Palo Alto firewall vulnerable to CVE-2026-0300?
PAN-OS versions with captive portal enabled are affected by CVE-2026-0300 (CVSS 9.3). CISA's federal Deadline was 9 May 2026; Palo Alto Networks' own patch was scheduled for 13 May. Organisations should check Palo Alto's security advisory for affected versions and apply mitigations immediately.Source: CISA / Palo Alto Networks
How did CL-STA-1132 exploit PAN-OS?
CL-STA-1132 exploited CVE-2026-0300 to inject shellcode into PAN-OS nginx worker processes, then used the firewall's own Active Directory service account to enumerate the network, moved laterally with EarthWorm and ReverseSocks5, and destroyed logs.Source: Unit 42
Why was the CISA PAN-OS deadline before the patch was ready?
CISA added CVE-2026-0300 to KEV on 6 May with a 9 May Deadline based on confirmed active exploitation. Palo Alto Networks stated patches would ship on 13 May — four days after the federal Deadline — marking the first documented case of a KEV Deadline preceding vendor patch availability.Source: CISA

Background

PAN-OS is the operating system running Palo Alto Networks' next-generation firewalls, SD-WAN appliances and Panorama management infrastructure. In May 2026 it became the first product in CISA's history to receive a federal KEV remediation Deadline that preceded the vendor's own patch: CVE-2026-0300, an unauthenticated Remote Code Execution flaw in the captive portal component (CVSS 9.3), was listed on 6 May with a 9 May federal Deadline, four days before Palo Alto shipped the fix on 13 May. State-sponsored cluster CL-STA-1132 had been exploiting the flaw since 16 April, six weeks before disclosure, with post-exploitation tradecraft that included shellcode injection into nginx worker processes, Active Directory enumeration via the firewall's service account, lateral movement using EarthWorm and ReverseSocks5, and systematic log destruction.

PAN-OS sits at the network perimeter in enterprise and government environments globally, which makes it a structurally attractive target: a root-level compromise converts a security control into a trusted pivot point. The CVE-2026-0300 campaign is one instance of a broader 2026 pattern in which edge devices (VPN gateways, firewalls, SD-WAN concentrators) are the preferred ransomware and state-actor entry vector. The same update cycle that documented CL-STA-1132 also confirmed active exploitation of a Check Point Remote Access VPN zero-day (CVE-2026-50751), and Arista EOS received a KEV listing for a flaw its vendor declined to patch at all. The common thread is that perimeter devices process untrusted traffic before any endpoint control, sit outside host-based detection, and carry privileged network credentials.

Palo Alto's transparent disclosure, with its own Unit 42 team confirming exploitation before a patch existed, created an unusual accountability dynamic that informed the CISA pre-patch Deadline precedent. That precedent subsequently applied to the Exchange Server OWA zero-day (CVE-2026-42897) the following week, suggesting it has become CISA policy rather than an anomaly. For enterprise security teams, PAN-OS's exposure illustrates the inadequacy of treating perimeter-device management as a lower-cadence patching workload than endpoint OS updates.

More questions
Why did CISA set a PAN-OS patch deadline before Palo Alto had a fix ready?
CISA listed CVE-2026-0300 on 6 May 2026 with a 9 May federal Deadline, four days before Palo Alto shipped the patch on 13 May. It was the first time a federal KEV Deadline preceded the vendor's own fix. CISA acted because active state-actor exploitation had already been running for six weeks.Source: CISA KEV / Palo Alto advisory
What did attackers do after exploiting the PAN-OS captive portal flaw?
CL-STA-1132 injected shellcode into nginx worker processes, enumerated Active Directory via the firewall's service account, moved laterally using EarthWorm and ReverseSocks5, and methodically destroyed crash logs and kernel messages to cover their tracks.Source: Palo Alto Unit 42
Why are firewalls being targeted instead of endpoints in 2026 ransomware attacks?
Edge devices such as PAN-OS firewalls and VPN gateways process untrusted traffic before endpoint controls, sit outside host-based detection, and carry privileged network credentials. A perimeter compromise gives attackers a trusted pivot point inside the network without needing to touch a single endpoint.Source: event
What is CL-STA-1132 and which countries does it target?
CL-STA-1132 is a state-sponsored threat cluster attributed by Palo Alto's Unit 42 research team. It conducted the known exploitation of PAN-OS CVE-2026-0300 from 16 April 2026. Specific country attribution has not been publicly confirmed.Source: Palo Alto Unit 42
Source Material