Find notable cyber news and cases, enriched with sources, timelines, and signals.
Home Browse News Feed Stats Watchlists Beta About Contact

CISA KEV listing and FCEB firewall directive for CVE-2026-0300

Public Sector Action
First reported
Last updated
Happening score
H score 42
1 unique sources, 1 articles

Summary

Hide ▲

CISA added CVE-2026-0300 to the KEV Catalog and ordered FCEB agencies to secure vulnerable firewalls by May 9, 2026. The federal directive makes the exploited PAN-OS flaw an immediate remediation priority. It matters because the bug enables unauthenticated remote code execution on internet-exposed firewalls that protect sensitive networks.

Related Happenings

CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182

Public Sector Action
First: 15.05.2026 08:28 Last: 15.05.2026 08:28 Sources 1

About this happening: **CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...

Open Happening

CISA KEV order for Copy Fail on federal Linux devices

Public Sector Action
First: 08.05.2026 10:45 Last: 08.05.2026 10:45 Sources 1

About this happening: **CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...

Open Happening

PAN-OS User-ID Authentication Portal mitigation guidance (CVE-2026-0300)

Advisory/Mitigation
First: 06.05.2026 09:14 Last: 06.05.2026 09:14 Sources 1

How related: Until security updates are available, the company "strongly" advised customers to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones only, or by disabling the portal if that's not possible, which mitigates the risk of this issue.

About this happening: Palo Alto Networks issued **mitigation guidance** for **CVE-2026-0300** after the **PAN-OS User-ID Authentication Portal** flaw was reported **exploited in the wild**, leaving pub...

Open Happening

PAN-OS User-ID Authentication Portal buffer overflow actively exploited security flaw (CVE-2026-0300)

Vulnerability
First: 06.05.2026 07:46 Last: 06.05.2026 07:46 Sources 1

How related: Tracked as CVE-2026-0300, this remote code execution security flaw was found in the PAN-OS User-ID Authentication Portal (also known as the Captive Portal) and stems from a buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls.

About this happening: A **PAN-OS** **buffer overflow** in the **User-ID Authentication Portal** is being **actively exploited**, creating **unauthenticated root RCE** risk for **PA and VM series firewa...

Open Happening

CISA KEV action for CVE-2026-31431 and FCEB remediation

Public Sector Action
First: 03.05.2026 09:26 Last: 03.05.2026 09:26 Sources 1

About this happening: CISA added **CVE-2026-31431** to its **KEV catalog**, putting **Federal Civilian Executive Branch (FCEB)** agencies on notice to remediate an actively exploited Linux privilege-es...

Open Happening

Timeline

  1. 07.05.2026 13:57 1 articles · 20d ago

    April 9, 2026 failed PAN-OS exploitation attempts

    Exploitation Observed

    Failed exploitation attempts against an Internet-exposed PAN-OS device began on April 9, 2026, marking the start of probing against CVE-2026-0300 before any confirmed compromise.

    Show sources
    Open in new tab
  2. 07.05.2026 13:57 1 articles · 20d ago

    Attackers achieve RCE and clean up evidence

    Exploitation Observed

    A week after the initial failures, the attackers achieved unauthenticated remote code execution against the PAN-OS device, injected shellcode, cleared crash kernel messages and nginx crash records, removed crash core dump files, and deployed Earthworm and ReverseSocks5 tunneling tools to sustain access.

    Show sources
    Open in new tab
  3. 07.05.2026 13:57 2 articles · 20d ago

    CISA adds CVE-2026-0300 to KEV and orders federal remediation

    Legal Policy Action Update

    CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch agencies to secure vulnerable firewalls by Saturday midnight, May 9, 2026.

    Show sources
    Open in new tab
  4. 07.05.2026 13:57 1 articles · 20d ago

    Palo Alto Networks warns of CVE-2026-0300 exploitation

    Initial Disclosure

    Palo Alto Networks warned customers that suspected state-sponsored hackers had been exploiting CVE-2026-0300 in PAN-OS for nearly a month, said exploitation was limited, noted that Cloud NGFW and Panorama were not affected, and advised restricting the PAN-OS User-ID Authentication Portal to trusted zones or disabling it until patches expected on May 13 became available. Shadowserver also tracked more than 5,400 exposed PAN-OS VM-series firewalls, most of them in Asia and North America.

    Show sources
    Open in new tab