- In May 2026, Palo Alto Networks disclosed CVE-2026-0300, a critical flaw in its firewall software that state-sponsored attackers had been exploiting for four weeks prior to public disclosure. A second vulnerability, CVE-2026-0257, was confirmed under active exploitation in late May. Both were added to CISA's Known Exploited Vulnerabilities catalog.
- Both flaws shared one precondition: an internet-facing service with a fixed, findable address. That condition is not a bug. It is how perimeter security devices are designed to work. Patching either CVE closes the specific flaw. The underlying exposure stays.
Key Facts
- CVE-2026-0300: critical remote code execution flaw in the User ID authentication portal of PAN-OS. CVSS 9.3 out of 10. Actively exploited since April 9, 2026, four weeks before public disclosure. No credentials required to trigger it.
- CVE-2026-0257: authentication bypass in Palo Alto's GlobalProtect VPN. CVSS 7.8 out of 10. Active exploitation confirmed from at least May 17, 2026, according to security firm Rapid7.
- CISA added both CVEs to its Known Exploited Vulnerabilities catalog and ordered federal agencies to patch CVE-2026-0300 by May 9 and CVE-2026-0257 by June 1.
- Patches are now available for both vulnerabilities across all supported PAN-OS versions.
Why It Matters
Palo Alto Networks firewalls protect federal agencies, defense contractors, banks, hospitals, and power grids worldwide. The company is the world's largest cybersecurity vendor by revenue. When CISA describes a flaw in that product as "a frequent attack vector for malicious cyber actors" that "poses significant risks to the federal enterprise," it is not routine language.
The deeper issue is pattern, not incident. Palo Alto firewalls faced actively exploited vulnerabilities in 2024, 2025, and now twice within a single month in 2026. As Cybersecurity Dive reported in a broader analysis: when security device flaws are exploited, it is not the vendors that get hit. It is their customers.
What Happened
CVE-2026-0300 is a flaw in the part of PAN-OS responsible for identifying users who try to connect to the network (User ID Authentication Portal). An attacker who could reach that service from the internet, with no username or password, could send a specially crafted request and take complete control of the firewall. According to BleepingComputer and Palo Alto's Unit 42 threat intelligence team, exploitation began April 9, 2026. Within roughly a week, attackers achieved full access, cleared device logs to erase evidence, probed internal identity systems, and installed backdoors for persistent access.
When security teams took the primary firewall offline, the attackers adapted. They generated a flood of login traffic to trigger automatic failover to a backup device, then compromised that second firewall as well. Two separate devices, one campaign.
Less than a month after patches for CVE-2026-0300 shipped, security firm Rapid7 confirmed that a second Palo Alto flaw, CVE-2026-0257, was already being exploited. This one targeted the VPN login system. Attackers did not break the software. They forged a login token the system accepted as legitimate. According to Rapid7, exploitation was observed across multiple enterprise environments before the vulnerability's severity rating was updated.
Technical Cause
CVE-2026-0300 is a buffer overflow in the User ID Authentication Portal: a class of flaw where software writes data outside the memory space it was allocated, which can be exploited to run arbitrary code on the affected system. In this case, an unauthenticated attacker could trigger it with a single crafted network packet, gaining root-level access (complete administrative control) over the firewall.
CVE-2026-0257 is an authentication bypass in Palo Alto's GlobalProtect VPN. In certain configurations, the firewall uses a token called an authentication override cookie to recognize returning users. Attackers found they could produce a convincing fake version of this token using information the firewall's own configuration exposed, bypassing login without exploiting any software flaw in the traditional sense.
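As an added illustration that is not part of the original article and does not reproduce PAN-OS's actual cookie scheme, the following Python toy model contrasts an override cookie derived from values an outsider can read from exposed configuration with one bound to a random server-side key and an expiry; every name and value in it is constructed.

```python
import hashlib
import hmac
import secrets

# Constructed toy model of an "authentication override" cookie. It is NOT
# PAN-OS's real cookie scheme; every name and value below is made up.
EXPOSED_CONFIG = {"portal": "vpn.example.test", "profile": "corp-gp-profile"}

def weak_cookie(user, cfg=EXPOSED_CONFIG):
    """Flawed design: the token is a function of the user name and values an
    outsider can read from the exposed configuration, so anyone can compute it."""
    raw = f"{user}|{cfg['portal']}|{cfg['profile']}".encode()
    return hashlib.sha256(raw).hexdigest()

def weak_verify(cookie, user):
    return cookie == weak_cookie(user)

SERVER_KEY = secrets.token_bytes(32)  # random, generated on the device, never exposed

def strong_cookie(user, expires_at, key=SERVER_KEY):
    """Hardened design: HMAC over user and expiry under a secret server-side key."""
    tag = hmac.new(key, f"{user}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{expires_at}|{tag}"

def strong_verify(cookie, now, key=SERVER_KEY):
    """Return the user name if the cookie is authentic and unexpired, else None."""
    try:
        user, exp, tag = cookie.rsplit("|", 2)
        expires_at = int(exp)
    except ValueError:
        return None  # malformed cookie
    if now >= expires_at:
        return None  # expired
    expected = hmac.new(key, f"{user}|{expires_at}".encode(), hashlib.sha256).hexdigest()
    return user if hmac.compare_digest(tag, expected) else None

def outsider_forgery_accepted():
    """Why the exposed-config design fails: a party knowing only EXPOSED_CONFIG
    builds an 'admin' cookie that weak_verify accepts, while the keyed design
    rejects the same attempt because the outsider does not hold SERVER_KEY."""
    forged_weak = weak_cookie("admin", EXPOSED_CONFIG)
    forged_strong = strong_cookie("admin", 2_000_000_000, key=b"guess" * 6)
    return weak_verify(forged_weak, "admin"), strong_verify(forged_strong, 1_700_000_000)
```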
Governance and Risk Implications
1. Your firewall is itself an attack surface.
Any device that sits at the network boundary, holds a public internet address, and responds to unauthenticated requests can be targeted. The device protecting the network is also one of the most attractive entry points for those trying to get in.
2. A four-week exploitation window happened before a patch existed.
CVE-2026-0300 was actively exploited from April 9. Patches arrived May 13. Organizations with no controls beyond patch management had over a month of exposure with nothing to apply. Sophisticated actors routinely find and weaponize vulnerabilities before vendors are aware. This gap is structural, not unusual.
3. Compromising the firewall undermines everything behind it.
An attacker with full control of a network security device can modify or disable security policies, observe and intercept traffic, and move into the protected network. Intrusion detection and access controls that depend on the firewall's integrity cannot reliably catch activity originating from a device they trust.
4. The attackers deleted the logs.
After gaining access through CVE-2026-0300, the threat actors removed device logs and crash reports. If audit records live only on the compromised device, there may be no forensic evidence of what happened. Out-of-band logging, where audit data is sent to a separate system the compromised device cannot reach, is the control this incident specifically validates.
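As an added example that is not part of the original article, the following Python script shows the kind of check an out-of-band copy of the logs makes possible: run against collector-side log lines, it flags on-device log-clearing commands and gaps or silence in the forwarded stream, which is exactly what a device wiped by an intruder looks like from the outside. The line format, device names and messages are constructed for this example and are not PAN-OS's real log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed collector-side sample (timestamp, device, log type, actor: message).
# Format and values are made up for this example; not PAN-OS's real log format.
SAMPLE_LOGS = """\
2026-04-09T10:00:00Z fw-edge-01 SYSTEM general: heartbeat
2026-04-09T10:05:00Z fw-edge-01 SYSTEM general: heartbeat
2026-04-09T10:07:12Z fw-edge-01 CONFIG admin: clear log system
2026-04-09T10:10:00Z fw-edge-02 SYSTEM general: heartbeat
2026-04-09T10:20:00Z fw-edge-02 SYSTEM general: heartbeat
2026-04-09T10:50:00Z fw-edge-02 SYSTEM general: heartbeat
2026-04-09T10:55:00Z fw-edge-01 SYSTEM general: heartbeat
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+): (.*)$")
CLEAR_RE = re.compile(r"\bclear\s+log", re.IGNORECASE)

def parse(text):
    """Yield (timestamp, device, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # unparseable line; a real pipeline would count these too
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(5)

def audit_log_flow(text, max_gap_minutes=30):
    """Return (device, kind, detail) alerts derived from the off-device copy:
    on-device log clearing, gaps in forwarding, and devices gone silent."""
    max_gap = timedelta(minutes=max_gap_minutes)
    events = sorted(parse(text))
    alerts, per_device = [], defaultdict(list)
    for ts, dev, msg in events:
        per_device[dev].append(ts)
        if CLEAR_RE.search(msg):
            # The clear command is only visible because it was forwarded first.
            alerts.append((dev, "log_clear", ts.isoformat()))
    window_end = events[-1][0] if events else None
    for dev, stamps in per_device.items():
        for prev, cur in zip(stamps, stamps[1:]):
            if cur - prev > max_gap:
                alerts.append((dev, "gap", f"{prev.isoformat()}..{cur.isoformat()}"))
        if window_end - stamps[-1] > max_gap:
            alerts.append((dev, "silent_since", stamps[-1].isoformat()))
    return alerts
```

Running `audit_log_flow(SAMPLE_LOGS)` flags fw-edge-01 twice (the clear command, then the 48-minute hole that follows it) and leaves fw-edge-02 clean.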
Secure Architecture Response
The immediate steps are clear: patch both CVEs, restrict portal and VPN access to internal trusted IP ranges, and verify that audit logs are being sent out-of-band. These are the right actions to take now.
The harder question is architectural. CVE-2026-0300 needed a reachable authentication portal. CVE-2026-0257 needed a reachable VPN login endpoint. Both exploited the same precondition: an internet-facing address that an attacker could find before any authentication took place. That is not a configuration mistake. It is a structural property of how perimeter security is designed to work.
An architecture in which network security infrastructure has no fixed, findable address on the public internet removes that precondition entirely. There is no portal to probe. There is no VPN endpoint to test for forged cookies. This is the architectural position Entropya's Encrypted Network (EEN) is designed to establish. Using patented SDPN technology, EEN delivers Digital Camouflage: infrastructure with no fixed public address, no open ports, and no internet-reachable authentication surfaces. EEN complements or replaces VPNs, firewalls, and proxies depending on the architecture, with post-quantum encryption applied end to end. After two exploited CVEs in one month, the relevant question is not only which patches are applied. It is which services remain findable to anyone with a scanner.
Assess Your Perimeter Exposure
Entropya works with security teams to assess which infrastructure services remain internet-reachable, and what an architectural shift toward reduced discoverability would mean for their specific environment.
Frequently Asked Questions
CVE-2026-0300 is a buffer overflow in the part of Palo Alto's PAN-OS software that manages network access for users the firewall cannot automatically identify. A buffer overflow is a class of flaw where software writes data outside the memory space it was given, allowing an attacker to take control of the affected system. Any attacker who could reach the service over the internet could do so without a username or password. The CVSS severity score of 9.3 out of 10 reflects both the ease of exploitation and the level of access it grants: complete control of the device. Full technical details are in BleepingComputer's reporting.
CVE-2026-0257 is an authentication bypass in Palo Alto's GlobalProtect VPN: attackers found a way to log in without valid credentials. The VPN uses a token called an authentication override cookie to recognize users it has already verified. The flaw allowed attackers to create a convincing fake version of this token in certain configurations, gaining unauthorized VPN access to protected networks. According to BleepingComputer, Rapid7 described it as having "significant impact to affected organizations" given its position as an edge-facing enterprise VPN.
After gaining root access through CVE-2026-0300, the attackers cleared device logs and crash reports stored on the firewall itself. This removed on-device evidence of the intrusion. If an organization relies on the firewall to store its own audit records, it may have no recoverable forensic evidence of whether it was compromised during the active exploitation window. Out-of-band logging, where audit data is continuously sent to a separate system that a compromised device cannot access or modify, is the governance control this incident specifically validates.
Every device that sits at the network boundary and responds to requests from the public internet has an attack surface: a findable address, open ports, and services that process incoming data before any user is verified. The more widely deployed the device, the higher the return for an attacker who finds a flaw in it. Palo Alto is not alone in this respect. Fortinet, Cisco, Ivanti, and other perimeter security vendors have all faced similar exploited vulnerabilities in recent years. The frequency reflects a structural property of the perimeter model: something must sit at the edge and respond to external requests. That something can always be found.
Apply patches for both CVE-2026-0300 and CVE-2026-0257 across all affected PAN-OS versions. Restrict the authentication portal and GlobalProtect VPN endpoint so they are reachable only from trusted internal IP ranges. Verify that audit logs are being sent to an out-of-band system. For the full list of affected versions and patches, refer to Palo Alto Networks' official security advisories and CISA's Known Exploited Vulnerabilities catalog.