Tag

Pan Os

All articles tagged with #pan os

Active Exploitation of PAN-OS Authentication Bypass CVE-2026-0257 Prompts Urgent Patch
cyber-security1 month ago

Active Exploitation of PAN-OS Authentication Bypass CVE-2026-0257 Prompts Urgent Patch

PAN-OS and Prisma Access are being exploited for CVE-2026-0257, a remote authentication bypass in the non-default Authentication Override feature that lets attackers forge session cookies and bypass login to establish unauthorized GlobalProtect VPN connections. Rapid7 has documented two exploitation waves in May 2026, with indicators including spoofed MAC aa:bb:cc:dd:ee:ff and IPs tied to the waves (e.g., 104.207.144.154; 146.19.216.119/120/125). CISA added the flaw to KEV on May 29, 2026. Patches are available for PAN-OS versions 12.1.4-h6/12.1.7, 11.2.12, 11.1.15, 10.2.18-h6 and Prisma Access 11.2.7-h13+ (or later) or 10.2.10-h36+. Mitigations include disabling authentication override if not needed, using a dedicated cookie-encryption certificate, hunting for IOCs in VPN/GlobalProtect logs, and applying MDR detection rules (e.g., “Suspicious Authentication – Palo Alto GlobalProtect Cookie Authentication to Local Admin Account”). Despite a medium CVSSv4 score, rapid remediation is urged due to active exploitation and a public PoC.

Active Exploitation Targets PAN-OS VPN Flaw CVE-2026-0257
security1 month ago

Active Exploitation Targets PAN-OS VPN Flaw CVE-2026-0257

Palo Alto Networks warns that CVE-2026-0257, a medium-severity authentication bypass affecting PAN-OS/GlobalProtect, is being actively exploited in the wild to sidestep security controls and establish unauthorized VPN sessions. Rapid7 tracked two exploitation waves starting mid‑May 2026 (earliest May 17), with VPN IP assignments after cookie-based authentication in some cases. The U.S. CISA added the flaw to its Known Exploited Vulnerabilities list, mandating mitigations by June 1, 2026. Temporary mitigations include disabling the authentication override feature or issuing a new certificate for that feature, with urgent patching urged until updates are applied.

Active Attacks Target Palo Alto GlobalProtect Flaw CVE-2026-0257
security1 month ago

Active Attacks Target Palo Alto GlobalProtect Flaw CVE-2026-0257

Hackers are actively exploiting the PAN-OS GlobalProtect authentication bypass (CVE-2026-0257) on unpatched devices to gain unauthorized VPN access. Patches were released earlier in the month, and mitigations include disabling the authentication override feature or using a separate certificate. Rapid7 observed exploitation beginning May 17 across multiple customers, with forged cookies enabling access in some cases, while federal agencies were urged to mitigate by June 1 as CISA added the flaw to KEV.

Critical PAN-OS zero-day exploited for weeks, attackers gain root access to exposed firewalls
security2 months ago

Critical PAN-OS zero-day exploited for weeks, attackers gain root access to exposed firewalls

Palo Alto Networks warns that a critical PAN-OS zero-day in the User-ID Authentication Portal (CVE-2026-0300) has been exploited for nearly a month, enabling unauthenticated remote code execution with root privileges on Internet-exposed PA-Series and VM-Series firewalls. Attackers deployed Earthworm and ReverseSocks5 tunneling tools, wiped logs to avoid detection, and targeting thousands of devices (Shadowserver cites over 5,400 exposed VM-series firewalls). Cloud NGFW and Panorama are unaffected; patches are slated to begin rolling out on May 13. In the interim, restrict access to or disable the portal. CISA added CVE-2026-0300 to KEV and ordered agencies to secure vulnerable devices by May 9.

PAN-OS Captive Portal zero-day enables remote code execution on exposed firewalls
technology2 months ago

PAN-OS Captive Portal zero-day enables remote code execution on exposed firewalls

Palo Alto Networks warned of a critical, unpatched vulnerability in the PAN-OS User-ID Authentication Portal (Captive Portal), CVE-2026-0300, that can be triggered by crafted packets to allow unauthenticated remote code execution with root privileges on internet-exposed PA-Series and VM-Series firewalls; exploitation has been observed as limited but ongoing, with Shadowserver counting thousands of exposed VM-series endpoints. Until a patch is released (updates expected May 13, 2026), admins are advised to restrict portal access to trusted networks or disable it, noting the issue does not affect Cloud NGFW or Panorama.

Critical PAN-OS Flaw Under Active Exploitation Enabling Root RCE
security2 months ago

Critical PAN-OS Flaw Under Active Exploitation Enabling Root RCE

Palo Alto Networks warns of a critical buffer‑overflow flaw in PAN-OS User-ID Authentication Portal (CVE-2026-0300) that allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls; the bug is under active exploitation, with a CVSS of up to 9.3 when the portal is internet‑exposed and 8.7 otherwise, and PAN-OS 12.1 is listed as affected.

Wild PAN-OS Flaw Exposes Palo Alto Firewalls to Root Access
cyber-security-news2 months ago

Wild PAN-OS Flaw Exposes Palo Alto Firewalls to Root Access

A critical, unauthenticated buffer overflow in PAN-OS’s User-ID Authentication Portal (CVE-2026-0300) is being exploited in the wild to gain full root access on PA-Series and VM-Series firewalls. The flaw allows remote code execution with no credentials or user interaction over the network, affecting multiple PAN-OS versions (with some product exclusions). Patches are rolling out May 13–28, 2026; meanwhile, admins should restrict or disable internet-facing Authentication Portals and apply Threat Prevention signatures, and audit exposed configurations immediately.

Unauthenticated PAN-OS DoS Flaw Forces Quick GlobalProtect Patch
cyber-security-news5 months ago

Unauthenticated PAN-OS DoS Flaw Forces Quick GlobalProtect Patch

Palo Alto Networks patched a critical PAN-OS vulnerability (CVE-2026-0227) that lets unauthenticated attackers trigger a denial-of-service on GlobalProtect gateways/portals. The flaw, rated CVSS 7.7 (HIGH), stems from improper handling of unusual conditions and affects multiple PAN-OS versions (Cloud NGFW is spared). A PoC exists, exploitation is not yet observed, and no workarounds are available. Administrators should upgrade to the latest hotfixes (PAN-OS 12.1.4 or 11.2.10-h2) and verify configurations via Palo Alto’s support portal while monitoring for DoS attempts.

Critical Palo Alto Firewall Vulnerabilities Actively Exploited
cybersecurity1 year ago

Critical Palo Alto Firewall Vulnerabilities Actively Exploited

Palo Alto Networks has identified a critical zero-day vulnerability in its PAN-OS firewall management interface, which is being actively exploited to deploy web shells for persistent remote access. The flaw, with a CVSS score of 9.3, allows unauthenticated remote command execution and requires no user interaction. While patches are not yet available, users are urged to secure their management interfaces. The vulnerability is distinct from other recent critical flaws in Palo Alto Networks products, and there is no evidence linking the activities.

"Palo Alto Networks Issues Urgent Fixes for Exploited Zero-Day Vulnerabilities"
cybersecurity2 years ago

"Palo Alto Networks Issues Urgent Fixes for Exploited Zero-Day Vulnerabilities"

Palo Alto Networks has released urgent hotfixes to address a critical vulnerability (CVE-2024-3400) in its PAN-OS software, which is being actively exploited in the wild. The flaw, impacting GlobalProtect feature, could allow unauthenticated attackers to execute arbitrary code with root privileges on the firewall. Fixes are available for specific PAN-OS versions, with patches for other releases expected soon. The threat actor exploiting the flaw is tracked as Operation MidnightEclipse, with evidence of potential reconnaissance activity and deployment of a Python-based backdoor called UPSTYLE. Customers are advised to apply the hotfixes immediately to mitigate the risk.

cybersecurity2 years ago

Palo Alto Networks Issues Critical Warning for PAN-OS Vulnerability

Palo Alto Networks has issued guidance for a command injection vulnerability (CVE-2024-3400) in PAN-OS versions 10.2, 11.0, and 11.1, with reports of active exploitation in the wild. CISA advises users to review the security advisory, apply mitigations, and update affected software when fixes are available, adding the vulnerability to its Known Exploited Vulnerabilities Catalog.

"CISA Issues Alert for Active Attacks on Palo Alto Networks and Sisense"
network-security2 years ago

"CISA Issues Alert for Active Attacks on Palo Alto Networks and Sisense"

Palo Alto Networks has issued a warning about a critical vulnerability, CVE-2024-3400, in its PAN-OS software used in GlobalProtect gateways, with a maximum severity score. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. Versions PAN-OS < 11.1.2-h3, PAN-OS < 11.0.4-h1, and PAN-OS < 10.2.9-h1 are impacted, with fixes expected on April 14, 2024. The company is aware of limited attacks exploiting the vulnerability and recommends enabling Threat ID 95187 for protection. Cybersecurity firm Volexity discovered and reported the bug, and Chinese threat actors have been increasingly exploiting zero-day flaws in various network security products.