Critical infrastructure

Palo Alto Networks PAN-OS Firewall Vulnerability Exploited for RCE

CVE-2026-0300 is a critical vulnerability with a CVSS score of 9.3

Palo Alto Networks has issued a strict advisory for its customers after an actively exploited zero-day vulnerability affected its firewall operating system, PAN-OS. CVE-2026-0300 allows attackers to gain full control of affected systems without authentication.

The zero-day stems from a buffer overflow weakness that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.

Active Exploitation Observed in the Wild

Palo Alto Networks confirmed in its advisory that exploitation attempts have already been observed and urged customers and organizations to mitigate exposure immediately.

Affected versions:

  • PAN-OS 10.2 below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6
  • PAN-OS 11.1 below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
  • PAN-OS 11.2 below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12
  • PAN-OS 12.1 below 12.1.4-h5, 12.1.7

Prisma Access, Cloud Next-Generation Firewall (Cloud NGFW), and Panorama appliances are not impacted by this vulnerability.

PoC of CVE-2026-0300

Palo Alto published a PoC on May 6, showing how an unauthenticated request to the User-ID Authentication Portal can reliably trigger the buffer overflow and achieve root-level RCE on affected PAN-OS versions.

While the repository is framed as research code and includes legal disclaimers, it materially lowers the barrier to exploitation by validating the exploit mechanics.

Palo Alto Networks has not shared details about who is behind the attacks and has not released indicators of compromise at the time of writing.

Patching & Remediation

Since security patches take time, Palo Alto recommends reducing exposure as the most effective way to contain risk. Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to act on potentially exposed instances.

If the User-ID Authentication Portal is not required for business operations, Palo Alto Networks recommends disabling it entirely. Firewalls that do not have the Authentication Portal enabled are not affected by this vulnerability.

The company has stated that security fixes will be released in stages between May 13 and May 28, depending on the PAN-OS version in use.

In advance of these patches, Palo Alto released a Threat Prevention signature on May 5 for PAN-OS 11.1 and newer to help detect or block exploitation attempts. Applying this signature, where supported, provides interim protection but does not replace the need to reduce exposure and deploy patches once available.

For security teams, immediate focus should be on identifying PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled, confirming whether those services are reachable from untrusted networks, and scheduling timely deployment of Palo Alto’s fixes as they are released.

Monitoring for unexpected firewall behavior or unplanned configuration changes provides additional awareness during the period of active exploitation.
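As an added example (not code from Palo Alto Networks or from the advisory), the following Python script applies the affected-version list above and the guidance on identifying firewalls with the Authentication Portal enabled to a constructed inventory. Hostnames are invented, and the rule that a maintenance line with no listed fix is affected unless it is newer than the branch's last listed fix is an assumption about the advisory's "below X" convention.

```python
import re
# First fixed release per maintenance line, as listed in the advisory summary above.
FIXED_VERSIONS = {
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "12.1": ["12.1.4-h5", "12.1.7"],
}

def parse(version):
    """Split 'major.minor.maint[-hN]' into a comparable tuple; no hotfix counts as h0."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def is_affected(version):
    """True if below a fix, False if at/above one, None if the branch is unlisted.
    Assumption: an unfixed maintenance line is affected unless newer than the branch's last fix."""
    major, minor, maint, hotfix = parse(version)
    fixes = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixes is None:
        return None
    parsed = [parse(f) for f in fixes]
    for _, _, fix_maint, fix_hotfix in parsed:
        if fix_maint == maint:  # same maintenance line: compare hotfix level
            return hotfix < fix_hotfix
    return maint < max(p[2] for p in parsed)

def triage(inventory):
    """Map each (hostname, version, auth_portal_enabled) row to a remediation verdict."""
    verdicts = {}
    for host, version, portal_enabled in inventory:
        affected = is_affected(version)
        if affected is None:
            verdicts[host] = "branch not in advisory list: verify with vendor"
        elif not affected:
            verdicts[host] = "fixed release"
        elif portal_enabled:
            verdicts[host] = "exposed: disable Authentication Portal or patch now"
        else:
            verdicts[host] = "vulnerable build, portal disabled: schedule patch"
    return verdicts

SAMPLE_INVENTORY = [  # constructed sample rows, not real hosts
    ("fw-edge-1", "10.2.7-h33", True), ("fw-edge-2", "11.1.15", True),
    ("fw-dc-1", "11.2.9", False), ("fw-lab", "10.1.12", True),
]
print(triage(SAMPLE_INVENTORY))
```

A firewall whose portal is disabled is not affected per the advisory, but the script still flags a vulnerable build so that the patch is scheduled rather than forgotten.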

A similar vulnerability (CVE-2025-0108), an authentication bypass discovered in Palo Alto Networks PAN-OS on 20 February 2025, allows unauthenticated attackers with network access to bypass authentication on the management web interface. https://intruceptlabs.com/2025/02/palo-alto-firewall-vulnerabilities-under-active-exploitation/

Attacks on firewall infrastructure have increased in recent years, and so have the stakes for enterprises and critical infrastructure

Firewalls are prime targets because whoever controls the firewall effectively controls the entire network. In recent years, the frequency and success of exploits targeting firewall vulnerabilities have been alarmingly high. Threat actors treat management interfaces, login pages and authentication portals as the most common targets for both opportunistic and targeted campaigns.

A successful compromise in the firewall can allow attackers to:

  • Intercept entire network traffic
  • Disable security protections
  • Move laterally inside corporate networks
  • Establish persistent backdoors

For stronger defense, let Intrucept proactively test your defenses by identifying vulnerabilities fast. You can start the process to enhance your security posture and protect your digital assets from evolving threats.

Call us for a demo: https://intruceptlabs.com/contact/

Sources:

https://fieldeffect.com/blog/palo-alto-firewall-zero-day-unauthenticated-root-access#:~:text=On%20May%205%2C%202026%2C%20Palo,systems%20accessible%20from%20untrusted%20networks.

https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day

Critical Infrastructure in Focus as UK Aligns to NIS2; Major Changes Incorporated in the Cyber Security & Resilience Bill

The UK has unveiled the Cyber Security and Resilience Bill, which aligns with NIS2 but with changes intended to give better clarity on cyberattacks against the UK’s most critical sectors and deliver actionable advice to cyber defenders. In 2025 alone, a series of damaging cyber incidents exposed vulnerabilities in the UK’s critical infrastructure, and a DSIT study estimated that cyberattacks cost the UK economy about $19.4 billion (£14.7 billion) each year, or about 0.5% of GDP.

The current Bill contains five major changes, which reflect the UK’s effort to modernize the framework originally set out in the NIS Directive. Since its announcement during the King’s Speech on 17 July 2024, there has been much anticipation over the contents of the Cyber Security and Resilience Bill (“CS&R Bill”), and in particular the extent to which it will bring the UK into alignment with its European counterpart, the NIS2 Directive.

With the Cyber Security and Resilience Bill unveiled last week, it becomes mandatory for organizations in healthcare, energy, water, transport and digital services to meet required security standards and to report significant cyber incidents within 24 hours.

Further, the Bill gives the government the right to impose turnover-based penalties and grants ministers emergency powers to intervene during major cyber incidents. In its current form, the existing framework has fallen out of date and is insufficient to tackle the cyber threats reflected in recent months’ attacks across verticals in the UK and Europe.

Five key changes in UK cybersecurity regulation arising from the Bill

1. Data center operators will now fall within scope of the NIS Regulations

At present, the NIS Regulations cover two types of covered entities: “operators of essential services” (“OESs,” including the main types of critical infrastructure, such as energy, transport, and water providers) and “digital service providers” (“DSPs,” specifically cloud computing, online search engines, and online marketplaces).

The Bill will expand the scope of the OES designation to cover providers of data center services that offer a rated IT load of more than 10 megawatts, and are provided “on an enterprise basis.” The Bill’s definition of “data centre service” broadly follows the equivalent definition in NIS2 but is more detailed; in essence, it covers the provision of data center space and supporting infrastructure (e.g., utilities and security infrastructure).

The Bill will also expand the scope of the NIS Regulations to cover:

  • “Large load operators” in the electricity sector as OESs; and
  • Managed service providers as a new category of operator with similar obligations to DSPs under the existing NIS Regulations.

2. Government reserves the right to impose more specific security requirements

At present, the NIS Regulations require OESs to report to their competent authorities any incident that “has a significant impact on the continuity of the essential service which that OES provides,” taking into account factors such as the number of affected users, the duration of the incident, and the geographical area affected.

The Bill will expand the types of incidents that are reportable, in some cases extending to incidents that have had or are likely to have a “significant impact” in the UK.

In addition, the Bill will impose an obligation on OESs, DSPs, and managed service providers to notify customers that are likely to be “adversely affected” by an incident, taking into account the level of any disruption, any impact on that customer’s data, and any impact on their other systems.

3. Supply chain security for OESs will be addressed by creating a new category of “critical suppliers”

The Bill would permit competent authorities responsible for overseeing OESs and DSPs to designate (subject to a consultation process) “critical suppliers,” i.e., individuals or organizations that rely on network and information systems to provide goods or services to an OES or DSP, for whom an incident would have the potential to cause disruption to the provision of an essential service that is likely to have a “significant impact on the economy or day-to-day functioning of society” in the UK.

As drafted, the Bill does not impose specific obligations on critical suppliers.

4. Increased fines and enhanced powers for competent authorities

The Bill empowers competent authorities to share information related to incidents among themselves, with law enforcement, with GCHQ, and, where necessary, with OESs, DSPs, managed service providers, and critical suppliers; this may also include foreign competent authorities.

The Bill would also amend the NIS Regulations to set out in more detail the powers of competent authorities to demand information from covered providers, carry out inspections and take enforcement action.

5. A more empowered role for the UK Government in future cybersecurity regulation

Parts 3 and 4 of the Bill establish a framework for the UK Government to set both the broad strategic direction for competent authorities’ oversight and enforcement of cybersecurity, and to impose more granular obligations on covered providers.

The Bill empowers the Government to issue codes of practice setting out in more detail the measures covered providers could take to comply with their obligations under the NIS Regulations. It also requires the Government to maintain a statement of its strategic priorities in relation to cybersecurity, and includes a framework for imposing obligations on providers for national security purposes.

If enacted, the Bill, in its alignment with NIS2, will represent the most comprehensive update to the UK’s cybersecurity legal framework in years, with far-reaching implications for businesses operating in the UK market. Given the current cybersecurity landscape and rising cyber threat, the Bill’s significance to national security and the UK government’s stated priority, it is likely to receive expedited consideration.

Key provisions of the Bill covering managed service providers, incident reporting and regulated entities

The Bill would expand the scope of the UK NIS Regulations to cover certain managed service providers and critical suppliers, and the scope of covered operators of essential services (OESs) to include data center operators and load control providers. The Bill would create a new classification of “managed service providers,” with specific obligations (e.g., registration requirements) for “relevant managed service providers” (RMSPs).

The Bill would also create a category of “critical suppliers.” Regulatory authorities would designate critical suppliers under certain circumstances, specifically where an entity uses network or information systems to supply goods or services to an OES and an incident disrupting the entity could significantly impact the UK. 

The Bill would both expand existing OES incident reporting requirements and create separate regulatory and customer notice obligations for data center operators, relevant digital service providers (RDSPs) and RMSPs.

The Bill would require that after an OES incident, the OES notify not only the relevant sectoral regulator but also the NCSC. The scope of reportable OES incidents would be broadened to include those that affect the operation or security of the IT systems relied on to provide the essential service.

Separately, the Bill would add a subsector for “data infrastructure” that includes certain data center operators. These data center operators would be subject to unique reporting requirements. The Bill would also add “large load controllers” to the existing electricity subsector; this includes electrical load controllers with potential electrical control of at least 300 MW.

Conclusion:

Many of these concepts align, at least in part, with the EU NIS 2. NIS 2 also regulates managed service providers, critical entities and data centers, although it lacks a category specifically for large load control services.

Growing cyber attacks in recent months incurred losses for organizations like Marks & Spencer and Jaguar Land Rover, which cost millions to recover from, and corporates have welcomed the move to strengthen legislation and regulatory powers to help drive up the level of defense and resilience across critical national infrastructure.

The UK government’s planned National Cyber Strategy refresh will articulate a vision and agreed collective action in partnership with businesses, devolved governments and regulators.

The new Bill will make the UK more secure against cyber threats and reduce disruption to local services and businesses, including through faster response to emerging threats.

(Source: UK cybersecurity bill brings tougher rules for critical infrastructure | CSO Online)
