Palo Alto Firewall Exploit Active Now: What Your Business Needs to Know
A critical flaw in Palo Alto firewalls is being actively exploited. If you don’t know whether your setup is affected, that’s the first thing to find out.
By The Dragon Digital team
Your firewall sits between your business and the internet, controlling everything flowing in and out: customer data, payment systems, email, files. If someone takes control of it, the consequences ripple through everything.
Palo Alto Networks has confirmed that a critical vulnerability in their PAN-OS firewall software is being actively exploited right now. The flaw, tracked as CVE-2026-0300, is a buffer overflow in the User-ID Authentication Portal, the part of the firewall designed to identify who's connecting. An attacker who finds that portal accessible from the internet can send specially crafted data to gain full root-level access to the firewall, no credentials needed. CISA, the US Cybersecurity and Infrastructure Security Agency, added it to their Known Exploited Vulnerabilities list on 6 May, confirming real-world attacks are already happening.
Does this affect your business?
Most businesses across North Wales don’t manage their own Palo Alto firewalls directly — a managed IT provider does that on their behalf. That’s generally a good thing, but it also means the question shifts: has your provider checked this already, or are they waiting to be asked?
Palo Alto has been clear that the risk drops significantly if the authentication portal is restricted to internal networks only, rather than being accessible from the open internet. That's a configuration check that takes minutes. It is a mitigation rather than a fix, though: the company has also promised permanent patches rolling out between 13 and 28 May 2026, and those still need to be applied once they land.
What to do before the week is out
Ask one straight question: is the User-ID Authentication Portal on our Palo Alto firewall restricted from internet-facing access? A straightforward answer should come back quickly. If the answer involves "probably" or "I'll need to check and get back to you", that tells you something useful about how actively your setup is being watched. And if it turns out the portal was reachable from the internet, the follow-up question is whether the firewall has been checked for signs of compromise, because locking it down now doesn't undo an attack that already happened.
It’s also worth asking what the proactive notification process looks like for advisories like this one. If you hadn’t heard about CVE-2026-0300 before reading this, that’s worth noting.
There's a second, smaller issue worth a mention while we're here: CVE-2026-40010 in Apache Wicket, a framework used in some older business software. It's a session fixation flaw: an attacker plants a session ID in the victim's browser ahead of time, the application keeps using that same ID after the victim logs in, and the attacker can then present it to take over the logged-in session. If you run any older or custom business applications, it's worth asking your software vendor whether Apache Wicket is part of their stack and whether they've patched to version 10.9.0.
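To make the session fixation pattern concrete, here is an added illustration in Python. It is not Apache Wicket code (Wicket is a Java framework) and not part of the original article; it models a toy web application with an in-memory session store, a deliberately vulnerable version that accepts whatever session ID the client presents and keeps it across login, and a hardened version that ignores IDs it never issued and rotates the ID when the user authenticates. The `USERS` credential store, the `alice` account and the `attacker-chosen-id-0001` value are constructed for the demo.

```python
"""Session fixation: vulnerable versus hardened session handling.

Added example, not Apache Wicket code and not the article's own code.
The USERS table, the 'alice' account and the attacker's planted ID
are constructed purely for this demonstration.
"""
import secrets

# Constructed credential store for the demo only.
USERS = {"alice": "correct horse"}


class SessionStore:
    """Minimal in-memory session store keyed by session ID."""

    def __init__(self):
        self.sessions = {}

    def new_session(self):
        # 256 bits of randomness: an attacker cannot guess an issued ID.
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid


class VulnerableApp:
    """Accepts any client-supplied session ID and keeps it across login.

    This is the fixation pattern: an ID the attacker chose before the
    victim ever logged in becomes the victim's authenticated session.
    """

    def __init__(self):
        self.store = SessionStore()

    def handle_request(self, cookie_sid):
        if cookie_sid is None:
            return self.store.new_session()
        if cookie_sid not in self.store.sessions:
            # Adopts an ID the server never issued: the core mistake.
            self.store.sessions[cookie_sid] = {"user": None}
        return cookie_sid

    def login(self, cookie_sid, username, password):
        sid = self.handle_request(cookie_sid)
        if USERS.get(username) == password:
            self.store.sessions[sid]["user"] = username  # same ID stays valid
        return sid

    def current_user(self, cookie_sid):
        return self.store.sessions.get(cookie_sid, {}).get("user")


class HardenedApp:
    """Ignores unknown session IDs and issues a fresh ID on successful login."""

    def __init__(self):
        self.store = SessionStore()

    def handle_request(self, cookie_sid):
        if cookie_sid is None or cookie_sid not in self.store.sessions:
            return self.store.new_session()  # unknown ID: replace, never adopt
        return cookie_sid

    def login(self, cookie_sid, username, password):
        sid = self.handle_request(cookie_sid)
        if USERS.get(username) != password:
            return sid
        # Rotate on privilege change: retire the pre-auth ID and bind the
        # user to a brand-new one the attacker has never seen.
        old = self.store.sessions.pop(sid)
        new_sid = self.store.new_session()
        self.store.sessions[new_sid].update(old, user=username)
        return new_sid

    def current_user(self, cookie_sid):
        return self.store.sessions.get(cookie_sid, {}).get("user")


def fixation_attack(app):
    """Plays the attack against `app`.

    Returns (user the attacker sees via the planted ID, victim's ID after login).
    """
    attacker_sid = "attacker-chosen-id-0001"  # constructed; planted via link or cookie injection
    # The victim's browser carries the planted cookie when they log in.
    victim_sid = app.login(attacker_sid, "alice", "correct horse")
    # The attacker now presents the ID they planted.
    return app.current_user(attacker_sid), victim_sid


if __name__ == "__main__":
    print("vulnerable app, attacker sees:", fixation_attack(VulnerableApp())[0])
    print("hardened app, attacker sees:  ", fixation_attack(HardenedApp())[0])
```

Against `VulnerableApp` the attacker's planted ID resolves to `alice` after she logs in; against `HardenedApp` it resolves to nothing, because the server never adopted the planted ID and, separately, issued a new ID at login. Either defence alone breaks the attack; real frameworks, including the fix the article refers to, typically do both.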
Most businesses won’t have heard about either of these this week. The ones that ask the right questions and get clear answers are the ones that stay ahead of it. If you’re running Palo Alto firewalls or older in-house software and want a second opinion on where things stand, Dragon Digital handles firewall audits and vulnerability response for businesses across North Wales — we’re tracking this one and happy to give you a straight answer.
Could your business use a hand with its IT?
We provide managed IT support, cyber security and more to businesses across North Wales.
Related guides
- Cybersecurity
Android Microsoft 365 apps needed urgent patching, is yours up to date?
A debug flag left on in six Microsoft 365 Android apps let other apps silently steal login tokens. The patch is out, here’s what to check.
- Compliance, Cybersecurity
Windows domain controllers under active attack, is yours patched?
A critical Windows flaw is being actively exploited right now. The patch has been available for three weeks. Here’s what it means for your business and what.
- Cybersecurity
Lookalike domain scams: what your business needs to know
Attackers register near-identical misspellings of trusted company names to steal credentials. Standard email filters miss them. Here’s what actually helps.