RSS
Last updated: May 13, 2026 at 5:42 AM UTC
All 208 Vulnerability 72 Breach 41 Threat 88 Defense 7
Tag: palo-alto (2 articles)Clear
vulnerability
CVE-2026-0300
2026-05-06

Palo Alto Networks firewalls have a critical hole that lets attackers run code as root - hackers are already using it, no patch until May 13 (CVE-2026-0300)

Palo Alto Networks confirmed Wednesday that attackers are exploiting a zero-day in its firewall login portal to run code as root on PA-Series and VM-Series firewalls. CVE-2026-0300 (CVSS 9.3) is a buffer overflow in the User-ID Authentication Portal (Captive Portal) that lets unauthenticated attackers send crafted packets and execute code without any login. Palo Alto Unit 42 attributed the activity to CL-STA-1132, a likely state-sponsored cluster that started probing on April 9 and achieved RCE a week later. Attackers deploy tunneling tools and enumerate Active Directory using the firewall's service account. First patches arrive May 13. Shadowserver counts 5,800+ exposed VM-Series firewalls.

palo-altopan-oscaptive-portaluser-id-authentication-portalzero-dayactively-exploitedcl-sta-1132unit-42earthwormreversesocks5state-sponsoredroot-rceunpatched
Check
Inventory Palo Alto PA-Series and VM-Series firewalls. Check whether the User-ID Authentication Portal is enabled and reachable from untrusted IPs. Hunt nginx crash logs for evidence of clearing since April 9.
Affected
PA-Series and VM-Series firewalls running PAN-OS with the User-ID Authentication Portal exposed to public internet or untrusted IPs. CVE-2026-0300, CVSS 9.3 (8.7 if portal restricted to internal IPs). Prisma Access, Cloud NGFW, and Panorama are NOT affected. Shadowserver tracks 5,800+ exposed VM-Series instances; thousands more likely sit behind load balancers.
Fix
Restrict the User-ID Authentication Portal to trusted internal networks - this is the primary mitigation until patches arrive. Disable the portal entirely if not strictly required. Block ports 6081 and 6082 from untrusted IPs. Stage May 13 patches: 12.1.4-h5, 11.2.7-h13, 11.1.4-h33, 10.2.10-h36. Treat any compromised firewall as a domain-wide breach starting point - rotate firewall service account credentials.
threat
2026-04-30

Anthropic launches 'Claude Security' for enterprises - the first major defensive product designed to keep up with AI-powered exploits that compress the time-to-attack to minutes

Anthropic launched Claude Security in public beta yesterday, an enterprise tool that scans code repositories for vulnerabilities, rates each finding's severity and confidence, and generates patch instructions that engineers can apply through Claude Code. The launch is direct response to Mythos and similar AI-driven offensive tools that have been compressing the time between vulnerability disclosure and active exploitation - LiteLLM was exploited 36 hours after disclosure last week, LMDeploy in 13 hours the week before. CrowdStrike, Microsoft Security, Palo Alto Networks, SentinelOne, Trend, and Wiz are integrating Claude Opus 4.7 into their platforms.

anthropicclaude-securityclaude-opus-4-7mythosai-defensetime-to-exploitenterprisecrowdstrikemicrosoftpalo-altosentinelonewiz
Check
If your organization holds a Claude Enterprise subscription, evaluate Claude Security against your existing static analysis tools this week.
Affected
Claude Enterprise customers can access Claude Security in public beta now via claude.ai/security or the Claude.ai sidebar. No API integration required. Team and Max access is coming soon. The deeper relevance is for any security team facing the new exploitation cadence: AI-driven offense has shrunk the patch window for several recent disclosures.
Fix
Pilot Claude Security on a non-critical repository first - point it at a side project before pointing it at production code. Scheduled scans give ongoing coverage rather than one-off audits. Pair the output with Claude Code on the Web to work through patches in a single session. For organizations not on Claude Enterprise: evaluate Aisle, Wiz Code, or GitHub Copilot Autofix on confidence rating and false positive rate.