The IT Nerd

Palo Alto Networks has disclosed a critical vulnerability in multiple PAN-OS versions, tracked as CVE-2026-0300 (CVSS 9.3), that allows unauthenticated remote attackers to execute arbitrary code with root privileges on affected firewalls. The flaw is a buffer overflow vulnerability impacting the User-ID Authentication Portal service on PA-Series and VM-Series firewalls.

Palo Alto confirmed the vulnerability is being actively exploited in limited attacks, specifically targeting systems where the Authentication Portal is exposed to untrusted IP addresses or the public internet. 

Palo Alto said fixes will begin rolling out starting May 13, with additional patches planned later in the month. Until patches are available, the company is advising organizations to restrict Authentication Portal access to trusted internal networks or disable the feature entirely if not required. Prisma Access, Cloud NGFW, and Panorama are not affected.

Underscoring how critical this is, the CISA has added the vulnerability to its KEV catalog May 6th.

Jacob Warner, Director of IT, Xcape, Inc.:

   “The disclosure of CVE-2026-0300 is a sobering reminder that the network edge remains the highest-value target for state-sponsored espionage. By the time Palo Alto Networks released this advisory, the suspected threat actor CL-STA-1132 had already spent nearly a month refining their exploit, moving from failed attempts on April 9 to successful root RCE by mid-April. This is not a theoretical vulnerability; it is an active, surgical operation where attackers are using the firewall’s own nginx processes to drop tunneling tools like EarthWorm and ReverseSocks5.

   “For leadership, the takeaway is that a “critical” CVSS score on a firewall often means the attacker is already behind your lines before the alert even fires. With patches not arriving until May 13, the only viable defense is immediate exposure reduction. If your User-ID Authentication Portal is reachable from the public Internet, you are essentially providing an unauthenticated root shell to anyone with the right packet sequence. You must audit your Interface Management Profiles now: restrict portal access to trusted internal zones and ensure that “Response Pages” are disabled on all Internet-facing interfaces. In 2026, if you aren’t actively shrinking your edge attack surface, you’re just waiting for the next zero-day to do it for you.

   “This bug was a zero-day for 26 days before we even gave it a name. In the time it took us to get an advisory, the bad guys were already halfway through the Active Directory.”

Denis Calderone, CTO, Suzu Labs:

   “This one is a little different from the management interface exposures we’ve been warning about with other edge devices like Fortinet, SonicWall, and Cisco. This vulnerability is in the User-ID Authentication Portal, which is the page users hit to authenticate through the firewall. In a lot of deployments, that portal is internet-exposed on purpose because that’s how it’s designed to work. That makes the mitigation more complicated than just “take it off the internet,” because for some organizations, it’s there for a reason.

   “That said, there are a lot of environments where the exposure isn’t necessary. If your Authentication Portal is used for local captive portal authentication, guest WiFi, or BYOD segments, it only needs to be reachable from those specific interfaces. Restrict it to those zones and block everything else. If the portal serves branch offices or remote sites over SD-WAN or site-to-site tunnels, you can restrict access to known source IP ranges for those branches. You don’t need to open it to the entire internet just because some of your traffic originates externally.

   “The harder scenario is organizations using the portal for VPN-less remote authentication, where users could be connecting from anywhere. You can’t restrict by source IP in that case. Those organizations need to look at migrating remote users to GlobalProtect or Prisma Access, both of which are not affected by this CVE. If that’s not possible before May 13, enable Threat ID 510019 if you have a Threat Prevention subscription on PAN-OS, and understand that you’re carrying real risk until the patch drops.

   “Nation-state actors have had nearly a month with this one. They’ve been deploying tunneling tools and cleaning logs immediately after compromise. If your Authentication Portal has been internet-exposed, don’t just apply the workaround and move on. Assume compromise and hunt for it.”

Rajeev Raghunarayan, Head of GTM, Averlon:

   “CVE-2026-0300 is an unusual situation: active exploitation confirmed, added to KEV, and for many systems there is no patch available yet. The only immediate option is to restrict the Authentication Portal to trusted internal zones or disable it entirely. The silver lining is that the vulnerable service is not enabled by default, and organizations following best practice by keeping the Authentication Portal restricted to trusted internal networks are at much lower risk.

   “A perimeter firewall is a gateway into the environment. When the gateway is owned, access is owned. With root-level access on a perimeter control point, the concern is no longer just the vulnerable service itself, but the visibility, access, and control that position can provide into the systems behind it.

   “Even for organizations that have already applied the workaround, the important question is what was potentially exposed during that window and what activity should now be treated as suspicious.”

Given how long this has been out there, and the fact that it is being exploited, this is a drop everything and patch now sort if thing. Which is of course the worst kind of situation to be in.

Palo Alto Networks Unit 42 announced a partnership with Kevin Mandia‘s new offensive security company Armadin, to scale ability to identify and remediate AI-driven exposures and better protect organizations.

You can read all the details here: Unit 42 Expands Frontier AI Defense with Armadin Partnership

Palo Alto Networks has shared new research regarding how effective autonomous AI offensive capabilities are against cloud environments. While Unit 42 did not use frontier AI models in testing, this research is a crucial look at how powerful AI models may ultimately be weaponized in cyberspace.

Building on the November 2025 Anthropic disclosure that showed AI acting as the operator in an espionage campaign, Unit 42 answers the question: Can AI systems operate autonomously end-to-end to attack cloud environments, or do they still require human guidance?

Unit 42’s research & findings include:

• Unit 42 created “Zealot,” a multi-agent penetration testing proof-of-concept designed to see if AI could independently take down a hardened cloud environment without any human oversight.
• In sandboxed GCP tests, the multi-agent system autonomously executed a full attack chain, including: Server-Side Request Forgery (SSRF) exploitation, Metadata service credential theft, service account impersonation and privilege escalation and BigQuery data exfiltration.
• AI-driven attacks have reached functional maturity and current LLMs can chain attacks with minimal human guidance. The window between initial access and data loss is shrinking as tools like Zealot leverage misconfigurations faster and more consistently than a human attacker. 
• However, creating a purely autonomous multi-agent cyber attack was not entirely possible (manual oversight was needed to prevent the AI from irrelevant rabbit-holing).
• Current security detection models optimized for human attack patterns will struggle to catch agent-based operations that chain actions across services in seconds.

You can read the research here: https://unit42.paloaltonetworks.com/autonomous-ai-cloud-attacks/

The release of the newest frontier AI models marks a turning point for cybersecurity. Late last week, Palo Alto Networks chief product & technology officer Lee Klarich published a stark warning about what this means for the industry. 

Some additional context:

• Palo Alto Networks conducted early testing of the latest frontier AI models, including Anthropic’s Mythos model as part of Project Glasswing and OpenAI’s latest models as part of the Trusted Access for Cyber program. 
• As a result of that testing, Lee contends we are officially moving from AI-assisted threats to autonomous, AI-driven attacks. The resulting “vulnerability deluge” means human-speed security is no longer enough.
• Palo Alto Networks launched Unit 42 Frontier AI Defense. Instead of waiting for an AI-driven attack, this new service proactively finds and validates an organization’s exposures using the latest frontier AI models before adversaries do, transforming security in the process.

You can read more here: https://www.paloaltonetworks.com/blog/2026/04/defenders-guide-frontier-ai-impact-cybersecurity/

Palo Alto Networks Unit 42 published new research on a security flaw in Google’s Vertex AI Engine,

Unit 42 researchers found that Google Cloud’s Vertex AI Engine is giving AI agents far too much access by default. This critical discovery highlights the challenges of applying foundational security standards in the AI era.

Key Takeaways:

• Significant Insider Threat: The research details how Google Cloud’s Vertex AI Engine is giving AI agents far too much access, by default. The report reveals that a misconfigured or compromised AI agent deployed via Google Cloud Platform’s (GCP) Vertex AI Agent Engine can be weaponized to compromise an organization’s cloud environment. This level of access constitutes a significant security risk, transforming the AI agent from a helpful tool into a potential insider threat.
• The Big Picture: The rapid deployment of AI agents introduces a whole new class of overprivileged insiders. This comes as 90% of organizations are already facing pressure to loosen access control to support AI-driven automation.

You can read the research here:http://unit42.paloaltonetworks.com/double-agents-vertex-ai 

While less sophisticated attackers are using LLMs to help write functional malware, we’re still seeing attackers having challenges deploying local models to a target environment or embedding into a malware sample for local decision making. This research analyzes two samples of malware leveraging AI for remote decision making: 

1. AI Theater: An Infostealer’s Illusory LLM Features: A trio of highly similar .NET information stealer samples that incorporate the OpenAI GPT-3.5-Turbo model via HTTP API. We will explore the implementation and assess the practical impact of its AI integration.
2. AI-Gated Execution: Malware Dropper’s LLM-Based Environment Assessment: A malware dropper written in Golang that leverages an LLM to evaluate a system and provide a decision on whether to proceed with an infection. The sample was initially highlighted on X as a dropper for Sliver malware.

Some key takeaways:  

• The current state of AI in malware is characterized by experimentation and uneven integration, but the potential for AI to aid in malware creation highlights a concerning issue of lowering the barrier to entry for less-skilled threat actors. 
• Unit 42 anticipates a future where AI plays a greater role in both malware creation and execution. As local model deployment becomes more feasible, we may see malware samples with embedded AI capabilities (especially code generation) that can more dynamically adapt to their environment, evade detection and optimize malicious activities in real-time.
• The rise of AI-assisted malware could manifest in the form of increased feature cadence and reliability. It will be crucial to monitor these advancements and develop defenses that can effectively counter an evolving AI-driven threat landscape.

You can read the research here: https://unit42.paloaltonetworks.com/ai-use-in-malware

Unit 42 has published its annual Global Incident Response Report (full report available here).The report spotlights key trends from over 750 major cyber incidents managed by Unit 42 across 50 countries, and provides actionable guidance to defend against emerging and notable attack techniques.

Key data from this year’s report: 

• AI has become a force multiplier for threat actors – Attackers moved from AI experimentation to operationalization. Unit 42 saw that with AI, exfiltration speeds for the fastest attacks increased from nearly 5 hours to just 72 minutes (a 4x increase).
• Identity drives initial access –Identity weaknesses played a material role in nearly 90% of our investigations. Agentic identity management makes this challenge even more complex as non-human identities are often over-privileged and inconsistently monitored.  65% of initial access is driven by identity-based techniques such as social engineering, while vulnerabilities account for 22% of initial access in all attacks. 
• Software supply chain risk has expanded to include the misuse of trusted connectivity. Attacks involving third-party SaaS applications have surged 3.8x since 2022, accounting for 23% of all attacks, as threat actors abuse OAuth tokens and API keys for lateral movement.
• Attack complexity is increasing – 87% of intrusions span multiple attack surfaces, with as many as 10 in some complex investigations. Threats are rarely confined to a single environment, and attackers often coordinate actions across endpoints, networks, cloud services, SaaS platforms, and identity systems. This creates complexity by forcing defenders to keep visibility across all of these areas simultaneously.
• The browser is a primary battleground – Nearly 48% of incidents included browser-based activity. That reflects how often modern attacks intersect with routine workflows like email, web access, and day-to-day SaaS use, turning normal user behavior into an attack vector.
• Extortion is moving beyond encryption – Encryption-based extortion declined to 78% of incidents, down from 92% the year before, as more attackers skip encryption and move straight to data theft and disruption. From the attacker’s perspective, it’s faster, quieter, and creates immediate pressure without the signals defenders once relied on to detect ransomware attacks.

Additionally, Palo Alto Networks announced Managed XSIAM 2.0 (MSIAM) the managed evolution of Cortex XSIAM SOC transformation platform. As the Incident Response Report highlights, attacks can now unfold in under an hour, and MSIAM delivers 24/7 AI-driven SOC operations with continuous and high-speed threat hunting, response, and remediation.

Palo Alto Networks today announced the next generation of its NextWave Partner Program, fundamentally redefining partner profitability for the AI era. As the industry moves toward AI-driven security, NextWave moves beyond transactional volume to reward partners who deliver platform-centric security outcomes.

The evolved program enables the entire partner ecosystem to move away from the ‘point-product’ trap. By focusing on platformization, Palo Alto Networks enables partners to integrate their customers’ security stacks across the network, cloud, and SOC—reducing complexity while increasing high-margin, partner-led service opportunities.

Available to partners now, the new NextWave Partner Program is built on direct feedback from the global partner community, focusing on three transformative benefits:

• Enhancing Partner Margins: Streamlined rebates focus on Next-Generation Firewalls (NGFW), Next-Generation Security (NGS) and platformization to reward technical expertise and maximize profitability.
• Accelerating Deal Velocity: Enhanced Configure, Price, Quote (CPQ) and new automated deal registrations, combined with improved service delivery tools, to reduce friction and speed up time to close.
• Reinvesting For Growth: A new Partner Development Fund (PDF) reinvests earned rebates directly into partner-led demand generation, training, and solution development to drive differentiation and accelerate joint customer success.

With Tailored Paths for Every Partner:

• Managed Security Service Providers (MSSPs): Predictable, tiered pricing to build high-margin managed services to ensure accelerated outcomes.
• Distributors: Enhanced capabilities, governance and support for Distributor Managed Partner growth.
• Global System Integrators (GSIs): A “Global Path” rewarding multi-theater influence and strategic consulting with a white glove experience, coming later this year.
• Authorized Services (ASC & APS): Real-time deployment assistance to ensure “first-time-right” customer implementations.

As enterprises increasingly rely on AI to run digital operations, protect assets, and drive growth, success depends on one critical factor: trusted, high-quality, real-time data. Palo Alto Networks® (NASDAQ: PANW), the global cybersecurity leader, today announced it has completed its acquisition of Chronosphere addressing a core challenge of the AI era: the inability to see and secure the massive data volumes running modern businesses.

Chronosphere, a Leader in the 2025 Gartner® Magic Quadrant™ for Observability Platforms,¹ was purpose-built to handle this scale. While legacy tools break down in cloud-native environments, Chronosphere gives customers deep visibility across their entire digital estate. With this acquisition, Palo Alto Networks is redefining how organizations run at the speed of AI — by enabling customers to gain deep, real-time visibility into their applications, infrastructure, and AI systems — while maintaining strict control over data cost and value.

The planned integration of Palo Alto Networks Cortex® AgentiX™ with Chronosphere’s cloud-native observability platform will allow customers to apply AI agents that can now find and fix security and IT issues automatically — before they impact the customer or the bottom line. AI security without deep observability is blind; this acquisition delivers the essential context across models, prompts, users, and performance to move from manual guessing to autonomous remediation.

The Chronosphere Telemetry Pipeline remains available as a standalone solution, enabling organizations to eliminate the ‘data tax’ associated with modern security operations. By acting as an intelligent control layer, the pipeline can filter low-value noise to reduce data volumes by 30% or more and has been shown to require 20x less infrastructure than legacy alternatives. This will be key to Palo Alto Networks Cortex XSIAM® strategy, ensuring customers can scale their security posture—not their spending—as they transition to autonomous, AI-driven operations.

 Unit 42 has published research that raises flags on what could be the next big shift in cybercriminals leveraging LLMs for more effective phishing attacks and the next frontier of web attacks. 

Unit 42’s latest research, The Next Frontier of Runtime Assembly Attacks: Leveraging LLMs to Generate Phishing JavaScript in Real Time, details a novel technique where attackers could use LLMs to assemble phishing attacks in the browser at the moment of execution.

Why this is a game-changer for attackers:

• Prompt-Based Obfuscation: Malicious code is hidden within text prompts to bypass network analysis, only “translating” into an attack once it reaches the browser.
• Unique Victim Payloads: The LLM generates a unique, polymorphic variant for every individual victim, making static signatures and blocklists useless.
• Trusted Domain Delivery: Malicious code is transmitted over legitimate LLM service domains, allowing malicious traffic to blend in with trusted API calls.
• Bypassing Guardrails: Attackers can “jailbreak” LLM APIs to deliver malicious snippets under the guise of legitimate code.

The most effective defense against this new class of threat is runtime behavioral analysis that can detect and block malicious activity at the point of execution, directly within the browser. 

Read the blog for more details: http://unit42.paloaltonetworks.com/real-time-malicious-javascript-through-llms