Cyber Security
Google Chrome Update Fixes 28 Security Vulnerabilities
Key Takeaways
- Google’s latest update patches 28 security vulnerabilities in Chrome, including critical bugs.
- Vulnerabilities may allow remote code execution via malicious websites.
- The update affects users on Windows, macOS, and Linux systems.
- Critical vulnerabilities were identified, highlighting the importance of timely updates.
Background
Browser security is paramount given the prevalence of online threats. Google’s latest update addresses vulnerabilities that could allow attackers to execute arbitrary code on users’ devices simply by enticing them to visit malicious websites. Multiple flaws among them are classified as critical, which makes it urgent for users to apply the latest update to their browsers.
Key Details
The new Chrome update, moving to version 149.0.7827.114/.115 for Windows and macOS and 149.0.7827.114 for Linux, includes several critical security fixes. Of the 28 vulnerabilities patched, many are categorized as critical, primarily due to memory corruption issues that could lead to full system compromise (Cybersecurity News).
Highlights of the vulnerabilities:
- Use-after-free vulnerabilities were discovered in core components, including DigitalCredentials and WebMIDI, assigned CVEs such as CVE-2026-12007 and CVE-2026-12008.
- A heap buffer overflow in the GPU component (CVE-2026-12010) and insufficient validation of untrusted input in Accessibility (CVE-2026-12009) are also notable flaws.
- Exploiting these issues could allow attackers to run arbitrary code and potentially escape the browser’s sandbox, giving them control of the underlying system.
The update is being gradually rolled out, with full deployment expected over days to weeks. Users can manually check for updates via Chrome’s settings to receive the new version immediately.
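Because the rollout is gradual, a fleet owner usually wants to know which hosts are still below the fixed build. The following is an added example, not part of the original article: it audits a constructed inventory export (the `host,os,version` line format and all hostnames are assumptions) against 149.0.7827.114, comparing versions numerically rather than as strings.

```python
# Added example: audit an inventory export against the fixed build named in the article.
FIXED_BUILD = (149, 0, 7827, 114)  # 149.0.7827.114, the lowest patched build listed


def parse_version(text):
    """Turn '149.0.7827.114' into (149, 0, 7827, 114); return None if malformed."""
    parts = text.strip().split(".")
    if len(parts) != 4 or not all(p.isascii() and p.isdigit() for p in parts):
        return None
    return tuple(int(p) for p in parts)


def audit(inventory_lines):
    """Return (outdated, unparsable) host lists from 'host,os,version' lines."""
    outdated, unparsable = [], []
    for line in inventory_lines:
        host, _os_name, version = (field.strip() for field in line.split(","))
        parsed = parse_version(version)
        if parsed is None:
            unparsable.append(host)      # needs manual review, not a silent pass
        elif parsed < FIXED_BUILD:       # tuple comparison is numeric per component
            outdated.append(host)
    return outdated, unparsable


# Constructed inventory export; hostnames and versions are invented for illustration.
INVENTORY = [
    "wks-001,windows,149.0.7827.115",
    "wks-002,macos,149.0.7827.99",   # a string compare would rank .99 above .114
    "wks-003,linux,149.0.7827.114",
    "wks-004,windows,148.0.7800.200",
    "wks-005,linux,unknown",
]

if __name__ == "__main__":
    outdated, unparsable = audit(INVENTORY)
    print("below fixed build:", outdated)
    print("version not readable:", unparsable)
```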
Impact
All Chrome users on Windows, macOS, and Linux running a version prior to this update are at risk. This includes sectors that rely heavily on Chrome, such as government agencies, enterprises, and small to medium-sized businesses, particularly in India where Chrome remains a dominant browser on both desktop and mobile platforms.
The exploitation of these vulnerabilities could result in significant impacts, including unauthorized program installations, data manipulation, or even the creation of new user accounts with full rights if the targeted user has administrative access. These scenarios underscore the urgency for all users to update their browsers to mitigate risks.
India Relevance
India has a substantial user base for Chrome, particularly among Android users and in various enterprises and government sectors where Chrome is the standard browser. As such, any vulnerabilities identified in the global version directly affect Indian users and organizations, increasing their risk of encountering drive-by attacks via compromised websites. Similar to how advisories are issued in other regions, Indian organizations can expect relevant alerts urging immediate updates based on this release.
What’s Next
Google’s latest Chrome update serves as a crucial reminder of the importance of maintaining browsers and applications at their latest versions to defend against security vulnerabilities. Users and organizations are encouraged to prioritize browser updates and ensure ongoing monitoring for unusual activities within their systems. This release highlights the necessity of a proactive approach to cybersecurity, especially in an increasingly digital landscape.
FAQ
What vulnerabilities are being patched in the latest Chrome update?
The latest update patches a total of 28 vulnerabilities, including critical ones that allow for remote code execution and various memory corruption issues.
How can users ensure they have the latest version of Chrome?
Users can manually check for updates via Chrome’s settings to ensure they receive the newest version, which is being gradually rolled out.
Why is it important to update the browser frequently?
Frequent updates help protect against new vulnerabilities and security threats, ensuring a safer browsing experience for all users.
Cyber Security
Critical Zero-Day Vulnerability Discovered in Palo Alto Networks Firewalls
Key Takeaways
- Critical zero-day vulnerability (CVE-2026-0300) identified in Palo Alto Networks’ PAN-OS.
- Flaw allows unauthenticated attackers to execute commands as root.
- Active exploitation is ongoing, particularly targeting internet-exposed portals.
- Security fixes will be released between May 13 and May 28, 2026.
- Organizations should restrict access to vulnerable components immediately.
Context / Background
Palo Alto Networks has announced a critical zero-day vulnerability affecting its PAN-OS firewalls, which allows unauthenticated attackers to execute arbitrary commands as the root user on vulnerable devices. This major security flaw is already being actively exploited in the wild.
Details of the Vulnerability
The vulnerability stems from a buffer overflow flaw in the User-ID Authentication Portal component of PAN-OS, the operating system used on Palo Alto Networks’ PA-Series and VM-Series firewalls. This flaw permits remote, unauthenticated attackers to send specially crafted packets that enable remote code execution (RCE) with root privileges.
Key Details
On May 5, 2026, Palo Alto Networks internally identified the zero-day and publicly disclosed it the following day, recognizing limited exploitation at the time. By May 6, 2026, the company released a full security advisory detailing the buffer overflow vulnerability and outlining affected PAN-OS versions.
The vulnerability has a critical CVSS v4 score of 9.3, reflecting its severe impact. Additionally, shortly after the announcement, a public proof-of-concept (PoC) exploit was released, further amplifying the risks associated with this vulnerability.
Affected Devices
As specified in the advisory, only PA-Series hardware firewalls and VM-Series virtual firewalls are affected if they have the User-ID Authentication Portal enabled and susceptible configurations in place. Specifically, these devices must have an interface management profile with “response pages” enabled attached to an L3 interface that can receive untrusted or internet traffic. Affected PAN-OS versions include various releases across branches 10.2, 11.1, 11.2, and 12.1.
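The exposure conditions above are a conjunction, so a device is only in scope when all of them hold on the same interface. The following is an added example, not code from Palo Alto Networks or the original article: it applies those conditions to a constructed fleet inventory whose schema, field names and version strings are hypothetical, and a branch match only means the advisory must be checked for the exact release.

```python
# Added example. The inventory schema below is hypothetical, not PAN-OS config syntax.
AFFECTED_FAMILIES = {"PA-Series", "VM-Series"}
AFFECTED_BRANCHES = {"10.2", "11.1", "11.2", "12.1"}  # branches named in the article

def branch_of(version):
    """Return 'major.minor' from a version string such as '11.1.4-h7'."""
    return ".".join(version.split(".")[:2])

def exposed_interfaces(fw):
    """Interfaces meeting every exposure condition the article lists."""
    if (fw["family"] not in AFFECTED_FAMILIES
            or branch_of(fw["panos_version"]) not in AFFECTED_BRANCHES
            or not fw["auth_portal_enabled"]):
        return []
    hits = []
    for iface in fw["interfaces"]:
        profile = fw["mgmt_profiles"].get(iface.get("mgmt_profile"), {})
        if (iface["mode"] == "layer3" and iface["untrusted_traffic"]
                and profile.get("response_pages", False)):
            hits.append(iface["name"])
    return hits

def triage(fleet):
    """Map firewall name -> exposed interfaces, omitting devices with none."""
    found = {fw["name"]: exposed_interfaces(fw) for fw in fleet}
    return {name: hits for name, hits in found.items() if hits}

def _iface(name, profile, untrusted, mode="layer3"):
    return {"name": name, "mode": mode, "mgmt_profile": profile, "untrusted_traffic": untrusted}

# Constructed sample fleet; every name and value is invented for illustration.
PROFILES = {"mp-outside": {"response_pages": True}, "mp-ping": {"response_pages": False}}
FLEET = [
    {"name": "edge-fw-01", "family": "PA-Series", "panos_version": "11.1.4",
     "auth_portal_enabled": True, "mgmt_profiles": PROFILES,
     "interfaces": [_iface("ethernet1/1", "mp-outside", True),
                    _iface("ethernet1/2", "mp-outside", False)]},
    {"name": "edge-fw-02", "family": "VM-Series", "panos_version": "10.2.9",
     "auth_portal_enabled": True, "mgmt_profiles": PROFILES,
     "interfaces": [_iface("ethernet1/1", "mp-ping", True)]},
    {"name": "dc-fw-03", "family": "PA-Series", "panos_version": "11.2.3",
     "auth_portal_enabled": False, "mgmt_profiles": PROFILES,
     "interfaces": [_iface("ethernet1/1", "mp-outside", True)]},
]

if __name__ == "__main__":
    for name, ifaces in triage(FLEET).items():
        print(f"{name}: restrict or disable the portal on {', '.join(ifaces)}")
```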
Impact
The implications of this zero-day vulnerability are significant for any organization using vulnerable Palo Alto firewalls, particularly those with publicly exposed User-ID portals. If compromised, attackers could gain complete control over the firewalls, manipulate security rules, and execute lateral movement within networks.
The attack requires no user interaction or valid credentials, posing a risk to a wide array of organizations, from large enterprises and service providers to government institutions.
In the context of India, where Palo Alto Networks’ firewalls are widely deployed in sectors such as banking, telecommunications, and government agencies, the potential for devastating breaches is pronounced. The recent disclosure points to possible exploitation by state-sponsored actors, escalating national security concerns, especially given the ongoing geopolitical tensions.
What’s Next
Palo Alto Networks has announced that security fixes for the vulnerability will be rolled out in stages between May 13 and May 28, 2026. Organizations are urged to monitor for updates and apply patches as soon as they are available to mitigate the risks associated with this critical vulnerability.
Furthermore, it is advisable to review the configurations of firewalls and restrict access to the User-ID Authentication Portal to trusted internal IPs or disable it entirely where feasible, ensuring that these systems remain safe from potential exploitation.
Organizations must remain vigilant and prepare for the possibility of mass exploitation, given the rapid weaponization of the flaw and the public exploit code available on the internet.
FAQ
What is the CVE number for this vulnerability?
The CVE number for this vulnerability is CVE-2026-0300.
How can organizations protect themselves?
Organizations should apply security patches as soon as they are available and restrict access to the User-ID Authentication Portal.
When will security fixes be available?
Security fixes will be rolled out in stages between May 13 and May 28, 2026.
Cyber Security
Ransomware Gang Exploits Check Point VPN Vulnerability, Urgent Fix Order Issued
- The Qilin ransomware group has exploited a Check Point VPN vulnerability, prompting urgent action from CISA.
- CISA has mandated that U.S. federal agencies fix the vulnerability by June 11.
- Exploitation of the vulnerability has intensified significantly since May 7.
- The incident highlights the ongoing cybersecurity threats to government infrastructure.
- Agencies must enhance their cybersecurity measures to protect sensitive data and operations.
Context / Background
Key Details
Impact
What’s Next
FAQ Section
- What is the vulnerability that is being exploited? The vulnerability is related to Check Point VPN and authentication-bypass issues that are being exploited by the Qilin ransomware group.
- Who issued the urgent order for remediation? The Cybersecurity and Infrastructure Security Agency (CISA) issued the order, mandating that U.S. federal agencies address the vulnerability.
- What is the deadline for addressing the vulnerability? Agencies must fix the vulnerability by the end of the day on June 11.
- What could happen if the vulnerability is exploited successfully? Attackers could gain initial access to internal networks, jeopardizing sensitive data and operations.
Cyber Security
Red Hat Confirms Security Incident After Hackers Claim Massive Data Breach
Hackers claim to have stolen 570GB of data from Red Hat’s consulting repositories, including sensitive client documents. Red Hat has confirmed a security incident but says its wider services remain unaffected.
Hackers allege theft of 570GB from Red Hat’s consulting repositories, raising concerns over customer exposure.
Red Hat, the open-source software giant owned by IBM, has confirmed a security incident after hackers claimed to have stolen massive amounts of data from its consulting division’s private GitLab repositories. The group behind the attack, calling itself the “Crimson Collective,” alleges that it exfiltrated 570GB of compressed data from over 28,000 internal projects, including sensitive customer documents.
The hackers say they obtained around 800 Customer Engagement Reports (CERs) — detailed consulting documents that may contain network diagrams, architecture plans, credentials, and configuration data from Red Hat’s enterprise clients. Such reports, if authentic, could potentially act as blueprints for attackers to target Red Hat’s customers directly.
Evidence of the breach was shared on Telegram, where the group published file trees, project lists, and snippets from the stolen repositories. They also claimed to have discovered authentication tokens, database URIs, and sensitive secrets embedded within code, which they allegedly used to access downstream customer infrastructure.
Red Hat acknowledged the security incident, confirming that its consulting arm’s GitLab instance was compromised. The company said it has already initiated remediation measures but emphasized that it has found no evidence of a wider compromise affecting Red Hat products, services, or its software supply chain.
In a statement, Red Hat noted:
“We take security incidents very seriously and are actively investigating. At this stage, we cannot verify the attackers’ specific claims, but we are engaging with customers as needed and implementing precautionary steps.”
The Belgian Centre for Cybersecurity has issued an advisory urging organizations that have worked with Red Hat Consulting to rotate credentials, revoke exposed tokens, and review shared configurations. Security experts warn that the leaked CERs could give malicious actors a direct roadmap into client environments.
Industry observers are also raising concerns about Red Hat’s incident response. The attackers allege that their initial disclosures were dismissed or mishandled through routine vulnerability ticketing processes, which may have delayed mitigation.
Adding to the urgency, Red Hat also disclosed a separate critical vulnerability (CVE-2025-10725) in its OpenShift AI platform. With a CVSS score of 9.9, the flaw could allow low-privileged users to escalate to full administrator rights. The company has published mitigation guidance and is working on patches.
The dual challenges — a consulting breach and a critical product vulnerability — highlight the ongoing cybersecurity pressures facing major enterprise vendors. While Red Hat insists its core offerings remain secure, customers are being urged to adopt a cautious approach, particularly those with consulting engagements between 2020 and 2025.
For now, the true scale of the breach remains uncertain. If Crimson Collective’s claims are verified, it could become one of the most serious security incidents to hit the open-source ecosystem in recent years.
