Severity: CRITICAL | CVE-2026-0300 | CVSS 9.3

Source: CISA Known Exploited Vulnerabilities (KEV) Catalog | Published: May 6, 2026 | Affected Product: Palo Alto Networks PAN-OS

The Threat

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that this flaw is being actively weaponized in the wild. The vulnerability is an out-of-bounds write (buffer overflow) in Palo Alto Networks PAN-OS, the operating system that powers Palo Alto's widely deployed next-generation firewalls and VPN appliances.

With a CVSS score of 9.3 (Critical), the flaw resides in the User-ID Authentication component of PAN-OS. Threat actors exploiting this vulnerability can achieve remote code execution (RCE) and gain root-level access to affected devices, effectively handing an attacker full control of an organization's network perimeter. Evidence of exploitation attempts dates back to as early as April 9, 2026, meaning attackers have had weeks of operational runway.

Palo Alto Networks firewalls are among the most widely deployed enterprise perimeter security devices across East Africa, used by government ministries, commercial banks, telecoms, and energy utilities from Nairobi to Mogadishu to Addis Ababa. This is not a theoretical risk - it is an active, confirmed attack campaign.

Impact Assessment for East African Organizations

Banking and Financial Services (Kenya, Ethiopia, Somalia): Banks and microfinance institutions using PAN-OS-based firewalls as their primary perimeter defense are directly exposed. A successful exploit grants attackers root access, enabling lateral movement into core banking systems, SWIFT interfaces, and customer data repositories. Under Kenya's Data Protection Act (2019) and Central Bank of Kenya (CBK) cybersecurity guidelines, a breach resulting from an unpatched known vulnerability carries regulatory, financial, and reputational consequences.

Government and GovTech (Kenya, Ethiopia, Djibouti, Somalia): National ID systems, revenue authorities, immigration databases, and e-government platforms that sit behind Palo Alto perimeter devices are high-value espionage targets. Nation-state actors and ransomware groups routinely exploit firewall vulnerabilities as their first point of entry. A compromised government gateway could expose citizen data or disrupt critical public services.

Power and Energy (East Africa Regional Grids): Operational technology (OT) and SCADA environments in the energy sector - including power utilities in Kenya, Uganda, and Ethiopia - frequently use enterprise-grade firewalls as the IT/OT boundary. Root access to a PAN-OS device at this boundary could allow an attacker to pivot directly into industrial control systems, with potential for physical disruption.

Telecoms (Horn of Africa): Telecom operators managing national backbone infrastructure face the added risk of traffic interception and subscriber data compromise if an attacker achieves root access on perimeter devices.

Immediate Actions - Do This Now

  • Inventory all PAN-OS deployments immediately. Identify every Palo Alto Networks firewall, Panorama management console, and GlobalProtect gateway in your environment. This includes cloud-hosted and managed instances.
  • Apply Palo Alto Networks' official patches without delay. Check the Palo Alto Networks Security Advisories portal for the specific patched PAN-OS versions addressing CVE-2026-0300 and begin emergency change management to deploy them. CISA's KEV listing means there is no grace period.
  • Review firewall and VPN access logs for suspicious activity dating back to April 9, 2026. Look for anomalous authentication events, unexpected outbound connections, new admin accounts, or configuration changes that were not authorized. Assume potential compromise if logs are incomplete.
  • Restrict management interface access immediately. If patching cannot be completed within 24 hours, limit access to the PAN-OS management interface to trusted IP ranges only, and make sure the User-ID Authentication service is not reachable from untrusted networks as a temporary mitigation.
  • Escalate to your CISO and legal/compliance team now. Under the CBK Cyber Security Framework and equivalent regulations in Ethiopia and the East African Community, organizations are required to report incidents involving critical infrastructure within defined windows. Document your response timeline from this moment.
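As an added example (not part of the original advisory or of any Palo Alto Networks tooling), a Python triage script for the log-review step above: it reads a constructed, simplified CSV export of PAN-OS-style config and system logs, discards everything before the April 9, 2026 exploitation window, and flags the event classes the advisory names (admin accounts added or changed, unauthorized out-of-hours commits, management-plane authentication failures). The column names and the approved change-window hours are assumptions; map your real log export onto them before use.

```python
import csv
from datetime import datetime
from io import StringIO

# Earliest observed exploitation attempt per the advisory: events at or after
# this timestamp fall inside the window that must be reviewed.
EXPLOIT_WINDOW_START = datetime(2026, 4, 9)

# Local hours in which your change process normally commits config.
# Assumption for this example; set it to your own maintenance window.
APPROVED_HOURS = range(8, 19)

# Constructed sample export. These column names are an assumption for the
# example, not the native PAN-OS CSV layout; map your real export onto them.
SAMPLE_LOG = """\
time,type,admin,client,result,command,path
2026-04-02 10:15:03,CONFIG,admin,Web,Succeeded,commit,
2026-04-11 03:22:41,CONFIG,admin,CLI,Succeeded,set,mgt-config users svc-backup
2026-04-11 03:23:10,CONFIG,admin,CLI,Succeeded,commit,
2026-04-12 18:44:05,SYSTEM,svc-backup,SSH,Failed,auth,
2026-04-14 11:05:00,CONFIG,netops,Web,Succeeded,set,network interface ethernet1/1
"""

def triage(csv_text, window_start=EXPLOIT_WINDOW_START, approved_hours=APPROVED_HOURS):
    """Return (time, admin, reason) for every logged event that needs analyst review."""
    findings = []
    for row in csv.DictReader(StringIO(csv_text)):
        ts = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        if ts < window_start:
            continue  # predates the known exploitation window
        reasons = []
        is_config = row["type"] == "CONFIG"
        # Administrator accounts live under "mgt-config users" in the PAN-OS
        # config tree: any set/delete there since the window opened is an
        # admin account being created or altered.
        if is_config and row["command"] in ("set", "delete") \
                and row["path"].startswith("mgt-config users"):
            reasons.append("admin account added/changed")
        # A successful commit outside the approved change window is a
        # configuration change that was not authorized through normal process.
        if is_config and row["command"] == "commit" and ts.hour not in approved_hours:
            reasons.append("out-of-hours commit")
        # Failed authentication against the management plane.
        if row["type"] == "SYSTEM" and row["command"] == "auth" and row["result"] == "Failed":
            reasons.append("management auth failure")
        findings.extend((row["time"], row["admin"], r) for r in reasons)
    return findings

if __name__ == "__main__":
    for time_, admin, reason in triage(SAMPLE_LOG):
        print(f"{time_}  {admin:<12} {reason}")
```

Every flagged event still needs an analyst to confirm it against change tickets; an empty result is not proof of absence if the log retention does not reach back to April 9.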

DRONGO Recommendation

DRONGO's Security Operations Center (SOC) is actively monitoring for CVE-2026-0300 exploit indicators across client environments in East Africa. If your organization runs PAN-OS infrastructure and does not have continuous threat monitoring in place, your exposure window is open right now. We recommend an emergency vulnerability assessment and log review as an immediate first step - before your next board meeting, not after.

Is your organization protected? Request a free security assessment.