Critical Palo Alto Networks firewall zero-day exploited for weeks by suspected state hackers

Published 2026-05-07 10:57 UTC · Updated 2026-05-08 01:19 UTC
Tags: cve, exploits, threat_actors, security_advisory, incident_response
Overview

A critical zero-day vulnerability (CVE-2026-0300) in Palo Alto Networks PAN-OS firewalls has been actively exploited since early April 2026.

Entities
Palo Alto Networks, PAN-OS
Score total: 1.81
Momentum 24h: 7
Posts: 7
Origins: 6
Source types: 1
Duplicate ratio: 0%
Why now
  • Active exploitation has been ongoing since early April 2026, highlighting urgency.
  • A patch is imminent but not yet available, so immediate mitigations are required.
  • Attribution to state-sponsored hackers raises geopolitical and cybersecurity stakes.
Why it matters
  • The vulnerability gives unauthenticated attackers root-level access to critical firewall infrastructure.
  • Exploitation by state-sponsored actors increases risk of espionage and network compromise.
  • Many exposed firewalls remain vulnerable until the patch is released, posing ongoing security risks.
LLM analysis
Topic mix: low · Promo risk: low · Source quality: high
Recurring claims
  • CVE-2026-0300 is a critical zero-day buffer overflow vulnerability in the User-ID Authentication Portal of Palo Alto Networks PAN-OS firewalls that allows unauthenticated code execution as root.
  • The zero-day has been actively exploited since early April 2026, with over 5,400 exposed firewalls primarily in Asia and North America.
  • Palo Alto Networks attributes the exploitation to likely state-sponsored hackers, with indicators pointing to Chinese state hacking.
  • A security patch for the vulnerability is expected to begin rolling out on May 13, 2026; until then, customers should restrict or disable the User-ID Authentication Portal.
How sources frame it
  • SecurityWeek: neutral
This ongoing exploitation of a critical Palo Alto Networks firewall zero-day highlights the importance of rapid patching and network access controls to mitigate risks from sophisticated threat actors.
All evidence
Palo Alto Networks firewall flaw has been exploited for several weeks
CSO Online · csoonline.com · 2026-05-08 01:19 UTC
Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State Hacking
SecurityWeek · securityweek.com · 2026-05-07 15:31 UTC
PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
thehackernews · thehackernews.com · 2026-05-07 13:34 UTC
State-sponsored hackers likely behind zero-day attacks on Palo Alto firewalls
Help Net Security · helpnetsecurity.com · 2026-05-07 11:39 UTC
Palo Alto Networks firewall zero-day exploited for nearly a month
bleepingcomputer_all · bleepingcomputer.com · 2026-05-07 10:57 UTC
Top publishers (this list)
  • CSO Online (1)
  • SC Media (1)
  • SecurityWeek (1)
  • thehackernews (1)
  • Help Net Security (1)
  • bleepingcomputer_all (1)
Top origin domains (this list)
  • csoonline.com (1)
  • scworld.com (1)
  • securityweek.com (1)
  • thehackernews.com (1)
  • helpnetsecurity.com (1)
  • bleepingcomputer.com (1)