Severity: CRITICAL | Actively Exploited in the Wild

Source: CISA Known Exploited Vulnerabilities (KEV) Catalog | Published: May 6, 2026 | CVE: CVE-2026-0300

The Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog. This is not a theoretical risk. CISA's KEV listing means there is confirmed, active exploitation by real threat actors in the wild right now.

The vulnerability is an out-of-bounds write flaw in Palo Alto Networks PAN-OS, the operating system powering Palo Alto's widely deployed next-generation firewalls and VPN appliances. An out-of-bounds write flaw allows an attacker to write data past the end of an allocated memory buffer, corrupting adjacent memory and enabling arbitrary code execution, system crashes, or full device takeover, often without requiring authentication.

Palo Alto Networks firewalls are among the most commonly deployed perimeter security devices in East African banking, government, and telecommunications environments. If your organization runs PAN-OS and has not patched, your network perimeter may already be compromised.

Impact Assessment for East Africa

Financial Services (Kenya, Ethiopia, Somalia, Djibouti): Commercial banks, microfinance institutions, and payment processors that rely on PAN-OS firewalls as their primary perimeter defense face the highest exposure. A successful exploit could give attackers a foothold inside the network, bypassing all internal controls. This directly threatens SWIFT transaction integrity, mobile money back-end systems, and customer data protected under Kenya's Data Protection Act 2019 and the CBK Cybersecurity Guidelines.

Government and GovTech (Kenya, Ethiopia, Somalia): National ID systems, e-government portals, and revenue authority infrastructure that sit behind PAN-OS-protected perimeters are prime targets for nation-state actors. Exploitation could lead to data exfiltration, service disruption, or lateral movement into classified systems.

Power and Critical Infrastructure: Energy utilities and telecoms operators in the Horn of Africa increasingly use enterprise-grade next-generation firewalls to protect operational technology (OT) networks. An out-of-bounds write exploit on the firewall protecting a power grid SCADA environment is a worst-case scenario. CISA's own ICS advisories this week flagged parallel vulnerabilities in ABB and Hitachi Energy industrial systems, signaling that critical infrastructure is a coordinated target.

The regional risk is compounded by the fact that many East African organizations run on extended patch cycles due to limited IT staff, change-management constraints, or fear of downtime. Threat actors know this and actively scan for unpatched PAN-OS devices exposed to the internet.

Immediate Actions - Do These Now

  • Identify all PAN-OS instances immediately. Audit every firewall and VPN appliance in your environment. Confirm exact PAN-OS version numbers across all sites, including branch offices in secondary cities and remote locations.
  • Apply Palo Alto Networks' official patch without delay. Visit the Palo Alto Networks Security Advisories portal and apply the patch addressing CVE-2026-0300. If a patch window cannot be opened immediately, apply any available workaround or mitigation published by the vendor and isolate the affected device from external exposure.
  • Review firewall management interface exposure. Ensure the PAN-OS management interface is NOT accessible from the public internet. Restrict management access to dedicated, authenticated, out-of-band management networks only.
  • Hunt for indicators of compromise (IOCs) now. Do not assume you are clean just because you have not seen an alert. Review PAN-OS system logs, authentication logs, and network flow data for anomalous outbound connections or unexpected administrator sessions from the past 30 days.
  • Escalate to your incident response team or external SOC. If you lack 24/7 monitoring capability, treat this as an active incident and engage external support. CISA's KEV listing means the window between discovery and exploitation is extremely short.
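A small triage helper covering the inventory, patch-status and hunting steps above, added here as an example; it is not part of the DRONGO advisory or any Palo Alto Networks tooling. It assumes a simplified CSV record layout for authentication and traffic logs (constructed for this example, not PAN-OS's real log field layout), a constructed device inventory, a placeholder table of fixed releases per PAN-OS release train (the real values must come from the vendor advisory for CVE-2026-0300), and an assumed out-of-band management network and outbound allowlist.

```python
"""Triage helper for a CISA KEV-listed PAN-OS flaw: find unpatched devices,
admin logins from outside the management network, and unexpected outbound
connections within a 30-day lookback. All data below is constructed."""
import csv
from datetime import datetime, timedelta
from io import StringIO
from ipaddress import ip_address, ip_network

# Fixed reference time so the 30-day lookback is repeatable (page date).
NOW = datetime(2026, 5, 6, 12, 0, 0)
LOOKBACK = timedelta(days=30)

# Assumption: management access is permitted only from this out-of-band network.
MGMT_NETWORKS = [ip_network("10.250.0.0/24")]
# Assumption: RFC 1918 space counts as internal for the outbound check.
INTERNAL_NETWORKS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the only sanctioned external destination for the firewall itself
# (e.g. a log collector). Constructed value.
ALLOWED_OUTBOUND = [ip_network("198.51.100.0/24")]

# PLACEHOLDER fixed releases per train: substitute the values from Palo Alto
# Networks' advisory for CVE-2026-0300. These numbers are not from the advisory.
FIXED_BY_TRAIN_PLACEHOLDER = {"11.1": "11.1.3", "10.2": "10.2.9"}

# Constructed inventory: (hostname, site, PAN-OS version).
INVENTORY = [
    ("fw-hq-01", "Nairobi HQ", "11.1.2"),
    ("fw-branch-03", "Mombasa branch", "10.2.9"),
    ("fw-dr-02", "DR site", "11.2.1"),
]

# Constructed, simplified CSV records (not PAN-OS's real log format).
AUTH_LOG = """\
time,event,user,src_ip,result
2026-05-04T02:13:07,admin-login,admin,10.250.0.15,success
2026-05-05T03:41:52,admin-login,admin,203.0.113.77,success
2026-05-05T03:42:10,admin-login,svc-backup,203.0.113.77,failure
2026-03-01T09:00:00,admin-login,admin,203.0.113.5,success
"""

TRAFFIC_LOG = """\
time,src_ip,dst_ip,dst_port,bytes_out
2026-05-05T03:50:01,192.0.2.1,198.51.100.20,514,2048
2026-05-05T03:55:44,192.0.2.1,203.0.113.77,443,5242880
2026-05-05T04:00:00,192.0.2.1,10.10.0.5,53,300
"""


def version_tuple(version):
    """'11.1.2' -> (11, 1, 2) so releases compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def unpatched_devices(inventory, fixed_by_train):
    """Devices below the fixed release for their train, plus devices on a train
    with no fix listed (those need manual review against the advisory)."""
    findings = []
    for host, site, version in inventory:
        train = ".".join(version.split(".")[:2])
        fixed = fixed_by_train.get(train)
        if fixed is None:
            findings.append((host, site, version, "no fixed release listed for train"))
        elif version_tuple(version) < version_tuple(fixed):
            findings.append((host, site, version, f"below fixed release {fixed}"))
    return findings


def in_any(ip, networks):
    return any(ip in net for net in networks)


def in_window(timestamp):
    """True if the ISO-8601 timestamp falls inside the lookback window."""
    when = datetime.fromisoformat(timestamp)
    return NOW - LOOKBACK <= when <= NOW


def suspicious_admin_sessions(auth_csv):
    """Successful admin logins from outside the management network."""
    return [
        row for row in csv.DictReader(StringIO(auth_csv))
        if row["event"] == "admin-login" and row["result"] == "success"
        and in_window(row["time"])
        and not in_any(ip_address(row["src_ip"]), MGMT_NETWORKS)
    ]


def anomalous_outbound(traffic_csv):
    """Flows to destinations that are neither internal nor on the allowlist."""
    findings = []
    for row in csv.DictReader(StringIO(traffic_csv)):
        dst = ip_address(row["dst_ip"])
        if in_window(row["time"]) and not in_any(dst, INTERNAL_NETWORKS) \
                and not in_any(dst, ALLOWED_OUTBOUND):
            findings.append(row)
    return findings


if __name__ == "__main__":
    for finding in unpatched_devices(INVENTORY, FIXED_BY_TRAIN_PLACEHOLDER):
        print("PATCH:", finding)
    for row in suspicious_admin_sessions(AUTH_LOG):
        print("ADMIN SESSION:", row["time"], row["user"], "from", row["src_ip"])
    for row in anomalous_outbound(TRAFFIC_LOG):
        print("OUTBOUND:", row["time"], "->", row["dst_ip"], "bytes", row["bytes_out"])
```

Run as-is it flags the HQ firewall as below the placeholder fixed release, the DR firewall as needing manual review, one successful admin login from a non-management address on 5 May, and one large outbound transfer to that same address minutes later; any hit on a real device is a reason to escalate under the last step above rather than to wait for an alert.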

DRONGO Recommendation

DRONGO's Security Operations Center monitors KEV Catalog updates in real time and maps exposure across client environments across Kenya, Somalia, Ethiopia, and the wider Horn of Africa. If you are running Palo Alto PAN-OS infrastructure, our team can perform an emergency vulnerability assessment, validate your patch status, and review your firewall logs for signs of prior compromise within 24 hours.

Is your organization protected? Request a free security assessment.