
PAN-OS
Palo Alto Networks firewall and SD-WAN OS; repeatedly targeted by state actors exploiting perimeter-device flaws.
Last refreshed: 14 June 2026 · Appears in 1 active topic
Why are firewalls becoming the preferred entry point for ransomware gangs?
Timeline for PAN-OS
Mentioned in: Splunk lands its first-ever KEV entry
Cybersecurity: Threats and DefencesMentioned in: CISA tears up its KEV deadline rules
Cybersecurity: Threats and DefencesMentioned in: Arista refuses to patch KEV flaw
Cybersecurity: Threats and DefencesVPN zero-day open a month pre-patch
Cybersecurity: Threats and DefencesMentioned in: WebLogic flaw revived as ransomware vector
Cybersecurity: Threats and DefencesIs my Palo Alto firewall vulnerable to CVE-2026-0300?
How did CL-STA-1132 exploit PAN-OS?
Why was the CISA PAN-OS deadline before the patch was ready?
Background
PAN-OS is the operating system running Palo Alto Networks' next-generation firewalls, SD-WAN appliances and Panorama management infrastructure. In May 2026 it became the first product in CISA's history to receive a federal KEV remediation Deadline that preceded the vendor's own patch: CVE-2026-0300, an unauthenticated Remote Code Execution flaw in the captive portal component (CVSS 9.3), was listed on 6 May with a 9 May federal Deadline, four days before Palo Alto shipped the fix on 13 May. State-sponsored cluster CL-STA-1132 had been exploiting the flaw since 16 April, six weeks before disclosure, with post-exploitation tradecraft that included shellcode injection into nginx worker processes, Active Directory enumeration via the firewall's service account, lateral movement using EarthWorm and ReverseSocks5, and systematic log destruction.
PAN-OS sits at the network perimeter in enterprise and government environments globally, which makes it a structurally attractive target: a root-level compromise converts a security control into a trusted pivot point. The CVE-2026-0300 campaign is one instance of a broader 2026 pattern in which edge devices (VPN gateways, firewalls, SD-WAN concentrators) are the preferred ransomware and state-actor entry vector. The same update cycle that documented CL-STA-1132 also confirmed active exploitation of a Check Point Remote Access VPN zero-day (CVE-2026-50751), and Arista EOS received a KEV listing for a flaw its vendor declined to patch at all. The common thread is that perimeter devices process untrusted traffic before any endpoint control, sit outside host-based detection, and carry privileged network credentials.
Palo Alto's transparent disclosure, with its own Unit 42 team confirming exploitation before a patch existed, created an unusual accountability dynamic that informed the CISA pre-patch Deadline precedent. That precedent subsequently applied to the Exchange Server OWA zero-day (CVE-2026-42897) the following week, suggesting it has become CISA policy rather than an anomaly. For enterprise security teams, PAN-OS's exposure illustrates the inadequacy of treating perimeter-device management as a lower-cadence patching workload than endpoint OS updates.