CONFIRMED: The vulnerability is under active exploitation and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog.
Immediate investigation of exposed PAN-OS instances for signs of compromise is required. Patching should be prioritized as soon as updates are available.
Intelligence Metadata
First Reported By: portal.auscert.org.au
Outbreak Velocity: 740 minutes spread to 2 unique domains
Consensus: 2 sources across 2 unique domains
CVSS Score: 9.3 (Reported)
EPSS Score: 0.14897 (85.1st percentile)
CISA KEV Status: Confirmed
Exploit Risk Score: 0.2596
Race Label: ZERO-DAY RACE
Technical Analysis
CVE-2026-0300 is a remote code execution (RCE) vulnerability in Palo Alto Networks' PAN-OS. The specific vulnerability class and preconditions for exploitation are not detailed in the available intelligence. However, reporting indicates that successful exploitation allows an attacker to gain root-level access to the underlying operating system of the affected device. This level of access would grant an attacker complete control over the network security appliance, enabling traffic interception, lateral movement, and data exfiltration.
CONFIRMED evidence from CISA and REPORTED information from security news outlets indicate the exploit is being used in the wild for espionage campaigns. The high reported CVSS score of 9.3, combined with root-level access, suggests the vulnerability is likely unauthenticated and remotely triggerable, affecting the network perimeter directly. The exact attack vector remains unspecified.
Affected Systems
Vendor: Palo Alto Networks
Affected Versions:
PAN-OS (Specific versions not provided in source intelligence)
Exposure: Publicly facing PAN-OS instances, which function as network perimeter security devices.
Blast Radius: High. PAN-OS is a widely deployed enterprise firewall and network security platform. Compromise of these devices can undermine an organization's entire network security posture.
Intelligence Context
The addition of CVE-2026-0300 to the CISA KEV catalog is the primary driver for prioritization. This action provides CONFIRMED evidence of active, in-the-wild exploitation. The 'ZERO-DAY RACE' label indicates that attackers were exploiting this vulnerability before a patch was available. The EPSS score of 0.14897 is relatively low, which is typical for targeted, non-widespread zero-day exploitation where predictive models have not yet ingested sufficient public exploit data. Defenders must disregard the low EPSS score and prioritize action based on the KEV status, which reflects observed reality over predictive probability.
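The prioritization rule above, as an added example (not part of the source intelligence or any vendor tooling): findings listed in a KEV-format catalog rank first regardless of their EPSS value. The catalog snippet, asset names, placeholder CVE IDs and the 0.5 / 9.0 cut-offs are constructed assumptions; only the CVE-2026-0300 scores come from this report.

```python
import json

# Constructed sample in the shape of the CISA KEV JSON feed (only the fields used here).
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2026-0300", "vendorProject": "Palo Alto Networks", "product": "PAN-OS"},
]})

# Constructed scanner findings; the first row carries the scores reported on this page.
# CVE-0000-000x are placeholders, not real identifiers.
FINDINGS = [
    {"cve": "cve-2026-0300", "asset": "fw-edge-01", "cvss": 9.3, "epss": 0.14897},
    {"cve": "CVE-0000-0001", "asset": "web-01", "cvss": 7.5, "epss": 0.92},
    {"cve": "CVE-0000-0002", "asset": "db-01", "cvss": 9.8, "epss": None},
    {"cve": "CVE-0000-0003", "asset": "hr-01", "cvss": 5.3, "epss": 0.02},
]

def load_kev_ids(feed_text):
    """Return the set of CVE IDs listed in a KEV-format JSON document."""
    doc = json.loads(feed_text)
    return {v["cveID"].strip().upper() for v in doc.get("vulnerabilities", [])}

def tier(finding, kev_ids, epss_cut=0.5, cvss_cut=9.0):
    """Tier 0: observed exploitation (KEV). Tier 1: predicted or severe. Tier 2: the rest."""
    if finding["cve"].strip().upper() in kev_ids:
        return 0  # KEV listing overrides any EPSS value, including a low one
    epss = finding.get("epss")
    if (epss is not None and epss >= epss_cut) or finding["cvss"] >= cvss_cut:
        return 1
    return 2

def prioritize(findings, kev_ids):
    """Sort by tier, then EPSS (missing treated as 0), then CVSS, both descending."""
    def key(f):
        return (tier(f, kev_ids), -(f.get("epss") or 0.0), -f["cvss"])
    return sorted(findings, key=key)

def epss_only(findings):
    """Naive ordering that trusts EPSS alone, shown for comparison."""
    return sorted(findings, key=lambda f: -(f.get("epss") or 0.0))

if __name__ == "__main__":
    kev = load_kev_ids(KEV_FEED)
    for f in prioritize(FINDINGS, kev):
        print(tier(f, kev), f["cve"].upper(), f["asset"], f["epss"])
```

Under the EPSS-only ordering the PAN-OS finding falls behind a finding with a higher predicted score; the KEV-aware ordering puts it first.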
Remediation & Defense
Investigate exposed assets immediately. Hunt for signs of compromise based on the detection hints provided. Apply patches immediately upon release by the vendor.
Patch Status: Not available
Patch Version: Not available. Monitor vendor advisories for security updates.
Workarounds:
None specified in source intelligence. Monitor vendor advisories.
Detection Hints:
Monitor for anomalous processes or unexpected reboots on PAN-OS appliances.
Inspect network traffic for unusual outbound connections originating from the PAN-OS management interface.
Review device logs for unauthorized configuration changes or administrative logins.