Find notable cyber news and cases, enriched with sources, timelines, and signals.

CISA KEV listing and FCEB firewall directive for CVE-2026-0300

Public Sector Action
First reported
Last updated
Happening score
H score 64
1 unique sources, 1 articles

Summary

Hide ▲

CISA added CVE-2026-0300 to the KEV Catalog and ordered FCEB agencies to secure vulnerable firewalls by May 9, 2026. The federal directive makes the exploited PAN-OS flaw an immediate remediation priority. It matters because the bug enables unauthenticated remote code execution on internet-exposed firewalls that protect sensitive networks.

Related Happenings

CISA adds CVE-2026-20262 to KEV and orders federal fixes

Public Sector Action
H score32 First: 16.06.2026 09:05 Last: 16.06.2026 09:05 Sources 1

About this happening: **CISA** added **CVE-2026-20262** to its **Known Exploited Vulnerabilities (KEV) catalog** and required **Federal Civilian Executive Branch (FCEB)** agencies to apply Cisco's fixe...

CISA KEV update and FCEB remediation deadline

Public Sector Action
H score33 First: 10.06.2026 17:44 Last: 10.06.2026 17:44 Sources 1

About this happening: **CISA** added **three actively exploited vulnerabilities** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate by **June 23, 2026**. Th...

CISA KEV remediation order for Cisco Catalyst SD-WAN Controller CVE-2026-20182

Public Sector Action
H score59 First: 15.05.2026 08:28 Last: 15.05.2026 08:28 Sources 1

About this happening: **CISA** added **CVE-2026-20182** to the **KEV catalog** and ordered **Federal Civilian Executive Branch agencies** to remediate **Cisco Catalyst SD-WAN Controller** by **May 17,...

CISA KEV order for Copy Fail on federal Linux devices

Public Sector Action
H score33 First: 08.05.2026 10:45 Last: 08.05.2026 10:45 Sources 1

About this happening: **CISA** added **Copy Fail** to the **Known Exploited Vulnerabilities (KEV) Catalog**, making the Linux flaw a federal remediation priority. The agency ordered **federal agencies*...

PAN-OS User-ID Authentication Portal mitigation guidance (CVE-2026-0300)

Advisory/Mitigation
H score77 First: 06.05.2026 09:14 Last: 06.05.2026 09:14 Sources 1

How related: Until security updates are available, the company "strongly" advised customers to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones only, or by disabling the portal if that's not possible, which mitigates the risk of this issue.

About this happening: Palo Alto Networks issued **mitigation guidance** for **CVE-2026-0300** after the **PAN-OS User-ID Authentication Portal** flaw was reported **exploited in the wild**, leaving pub...

Timeline

  1. 07.05.2026 13:57 1 articles · 2mo ago

    April 9, 2026 failed PAN-OS exploitation attempts

    Exploitation Observed

    Failed exploitation attempts against an Internet-exposed PAN-OS device began on April 9, 2026, marking the start of probing against CVE-2026-0300 before any confirmed compromise.

    Show sources
  2. 07.05.2026 13:57 1 articles · 2mo ago

    Attackers achieve RCE and clean up evidence

    Exploitation Observed

    A week after the initial failures, the attackers achieved unauthenticated remote code execution against the PAN-OS device, injected shellcode, cleared crash kernel messages and nginx crash records, removed crash core dump files, and deployed Earthworm and ReverseSocks5 tunneling tools to sustain access.

    Show sources
  3. 07.05.2026 13:57 2 articles · 2mo ago

    CISA adds CVE-2026-0300 to KEV and orders federal remediation

    Legal Policy Action Update

    CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch agencies to secure vulnerable firewalls by Saturday midnight, May 9, 2026.

    Show sources
  4. 07.05.2026 13:57 1 articles · 2mo ago

    Palo Alto Networks warns of CVE-2026-0300 exploitation

    Initial Disclosure

    Palo Alto Networks warned customers that suspected state-sponsored hackers had been exploiting CVE-2026-0300 in PAN-OS for nearly a month, said exploitation was limited, noted that Cloud NGFW and Panorama were not affected, and advised restricting the PAN-OS User-ID Authentication Portal to trusted zones or disabling it until patches expected on May 13 became available. Shadowserver also tracked more than 5,400 exposed PAN-OS VM-series firewalls, most of them in Asia and North America.

    Show sources