Severity: CRITICAL | Source: CISA KEV Catalog | CVE-2026-0300

The Threat

On 6 May 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog. This is a confirmed, actively exploited out-of-bounds write vulnerability in Palo Alto Networks PAN-OS, the operating system powering Palo Alto's widely deployed next-generation firewalls and network security appliances.

An out-of-bounds write flaw lets an attacker write data beyond the bounds of a memory buffer allocated to a process. On a network security appliance such as a Palo Alto firewall, that can be used to crash the device, execute arbitrary code, or seize full administrative control of the firewall itself. Inclusion in CISA's KEV Catalog is not a theoretical warning: it confirms that real-world threat actors are exploiting this flaw right now.

The vulnerability affects organizations running unpatched versions of PAN-OS across their perimeter and internal network defenses. Palo Alto Networks firewalls are heavily deployed across East African banking institutions, government ministries, telecommunications providers, and international organizations operating in Kenya, Ethiopia, Somalia, and the broader Horn of Africa region.

Impact Assessment for East African Organizations

Palo Alto Networks is one of the most widely adopted enterprise firewall platforms among large organizations in East Africa. If your organization uses PA-Series, VM-Series, or Prisma Access products and has not applied the relevant patch, your perimeter defense may already be compromised.

For Kenyan commercial banks and SACCOs operating under Central Bank of Kenya (CBK) cybersecurity guidelines, a firewall compromise represents a Category 1 incident requiring mandatory disclosure. A breached perimeter device gives attackers direct access to core banking systems, SWIFT infrastructure, and customer data, triggering obligations under the Kenya Data Protection Act 2019 and exposing institutions to regulatory penalties.

For government ministries and GovTech agencies in Kenya, Ethiopia, and Somalia, perimeter firewalls protect national databases, citizen registries, and classified communications. An out-of-bounds write exploit on a border firewall could serve as the entry point for a state-sponsored lateral movement campaign - a well-documented tactic used by threat groups actively targeting African government infrastructure.

For power utilities and energy operators across the region, including those managing SCADA and OT networks, a compromised PAN-OS device sitting at the IT/OT boundary is particularly dangerous. Attackers gaining access at the firewall level can pivot into operational technology environments with potentially catastrophic physical consequences.

Immediate Actions - Do These Now

  • Audit your PAN-OS versions immediately. Log into all Palo Alto appliances and confirm the exact PAN-OS version running. Cross-reference against Palo Alto Networks' official security advisory for CVE-2026-0300 to determine if you are on an affected version.
  • Apply the vendor patch without delay. Palo Alto Networks has issued a fix. Treat this as an emergency change - do not wait for the next scheduled maintenance window. CISA's KEV listing confirms active exploitation is already underway.
  • Review firewall management access logs now. Check for anomalous login attempts, unexpected configuration changes, or unusual outbound connections from your PAN-OS management interfaces. Attackers may already be present.
  • Restrict management plane access. If you have not already done so, ensure PAN-OS management interfaces are accessible only from dedicated, isolated management networks - not from the general internet or user VLANs.
  • Notify your SOC and escalate. This is a board-level risk event. CISOs should brief executive leadership and, where applicable, notify regulators per CBK, Bank of Ethiopia, or National Communications Authority incident reporting timelines.
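As an added example, not part of the DRONGO advisory or any Palo Alto Networks tooling, the following Python triage pass covers the log-review and management-plane steps above: it flags logins and configuration commits from outside the management subnet, bursts of failed logins, and a successful login that follows such a burst. The line format, the 10.250.0.0/24 management subnet and the sample entries are constructed assumptions; real PAN-OS system and configuration log fields must be mapped onto them.

```python
import ipaddress
import re
from collections import defaultdict
# Assumption: management interfaces should only be reached from this subnet.
MGMT_NETS = [ipaddress.ip_network("10.250.0.0/24")]
FAIL_BURST = 3  # failed logins from one source before a burst is flagged
# Constructed line format "<timestamp> <event> key=value ..."; real PAN-OS
# system/config log fields differ and must be mapped onto these keys.
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
def parse(line):
    m = LINE_RE.match(line)  # -> dict(ts, event, fields...) or None
    if not m:
        return None
    ts, event, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(rest)}
    return {"ts": ts, "event": event, **fields}

def triage(lines, mgmt_nets=MGMT_NETS):
    """Flag access from outside the management subnet, failed-login bursts,
    a success following a burst, and config commits from outside."""
    findings, fails = [], defaultdict(int)
    for rec in filter(None, map(parse, lines)):
        src = ipaddress.ip_address(rec["src"])
        outside = not any(src in net for net in mgmt_nets)
        if rec["event"] == "auth-fail":
            fails[src] += 1
            if fails[src] == FAIL_BURST:
                findings.append(("failed-login-burst", str(src), rec["ts"]))
        elif rec["event"] == "auth-ok":
            if outside:
                findings.append(("login-from-outside-mgmt-net", str(src), rec["ts"]))
            if fails[src] >= FAIL_BURST:
                findings.append(("success-after-burst", str(src), rec["ts"]))
            fails[src] = 0
        elif rec["event"] == "config-commit" and outside:
            findings.append(("config-change-from-outside-mgmt-net", str(src), rec["ts"]))
    return findings
# Constructed sample (203.0.113.45 is a documentation address standing in for
# an unknown external source); not data from any real device.
SAMPLE = """
2026-05-06T08:14:02Z auth-fail user=admin src=203.0.113.45 iface=mgmt
2026-05-06T08:14:05Z auth-fail user=admin src=203.0.113.45 iface=mgmt
2026-05-06T08:14:09Z auth-fail user=admin src=203.0.113.45 iface=mgmt
2026-05-06T08:14:20Z auth-ok user=admin src=203.0.113.45 iface=mgmt
2026-05-06T08:16:44Z config-commit user=admin src=203.0.113.45 desc="added mgmt profile"
2026-05-06T09:01:10Z auth-ok user=netops src=10.250.0.12 iface=mgmt
"""
```

Calling `triage(SAMPLE.strip().splitlines())` on the constructed sample yields four findings: a failed-login burst, a login from outside the management subnet, a success after the burst, and a configuration commit from the same external source; the in-subnet `netops` login produces none.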

DRONGO Recommendation

DRONGO's SOC team is actively monitoring for indicators of compromise linked to CVE-2026-0300 across our managed clients in Kenya, Somalia, and Ethiopia. If your organization runs Palo Alto infrastructure and lacks 24/7 monitoring coverage, you are operating blind during an active exploitation window. We can deploy emergency firewall health checks and rapid patch verification within 24 hours.

Is your organization protected? Request a free security assessment.