
All news with #palo alto networks tag

205 articles

PAN-OS Captive Portal Critical RCE Affecting Siemens Devices

⚠️ A buffer overflow in the User-ID™ Authentication Portal (Captive Portal) of Palo Alto Networks PAN-OS permits an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. Siemens has identified its RUGGEDCOM APE1808 devices as affected and is preparing fixes while recommending immediate mitigations. Recommended actions include disabling Response Pages on exposed interfaces, disabling the User-ID Authentication Portal if it is not required, and restricting portal access to trusted internal IP addresses; contact vendor support for patch information.

Gremlin Stealer Evolves into Modular, Stealthy Infostealer

🔍 Researchers at Palo Alto Networks' Unit 42 say the Gremlin stealer has progressed from a basic credential harvester into a modular, stealth-oriented toolkit. New builds embed payloads in the .NET resource section and apply XOR obfuscation to evade static and heuristic detection. The threat continues to exfiltrate data via private web panels and the Telegram Bot API, while adding Discord token theft, a clipboard-based crypto clipper, and WebSocket session hijacking.

Gremlin Stealer Evolution: Obfuscation and New Capabilities

🔐 This report analyzes a new Gremlin stealer variant that leverages advanced obfuscation, including a commercial packer with instruction virtualization and .NET resource XOR encoding, to conceal final-stage payloads. The malware harvests browser cookies, session tokens, clipboard contents and cryptocurrency wallet data, and has added modules for Discord token theft, WebSocket session hijacking and a clipboard crypto-clipper. The variant uses staged in-memory decryption and a numeric decoder routine to frustrate static analysis, and Palo Alto Networks recommends protective coverage via Cortex XDR, Advanced WildFire and network security controls, and contacting Unit 42 for incident response.

Threatsday Bulletin: PAN-OS RCE, AI Risks, Supply-Chain

🔥 Palo Alto released fixes for CVE-2026-0300, a critical PAN-OS buffer-overflow exploited in the wild to drop payloads like EarthWorm and ReverseSocks5. The bulletin also highlights new and recurring threats including zero-auth API data leaks at an AI training vendor, an FCC extension for router updates, supply-chain contests, and sophisticated phishing campaigns. Several incidents employ weaponized attachments, tokenizer tampering in AI models, and open-source tools to achieve stealthy remote access and long-term persistence.

West Pharmaceutical hit by cyberattack; data stolen

🔒 West Pharmaceutical Services disclosed a cyberattack detected on May 4, 2026, that resulted in data exfiltration and encryption of certain systems. The company took affected infrastructure offline globally for containment, notified law enforcement, and engaged external responders including Palo Alto Networks Unit 42. Core enterprise systems supporting shipping and manufacturing have been partially restored, but full recovery and the scope of stolen data remain under investigation.

Palo Alto Networks Expands Frontier AI Defense Alliance

🛡️ Palo Alto Networks is expanding its Frontier AI Alliance to scale delivery of autonomous, real-time defenses. Building on the Frontier AI Defense initiative and recent testing of frontier models (including Anthropic’s Mythos, Claude Opus 4.7, and OpenAI’s GPT-5.5-Cyber), the company has added a new cohort of strategic partners. By pairing Palo Alto Networks’ technology with partners’ consulting expertise, the program aims to deliver AI readiness at scale and machine-speed MTTR to customers.

Defender's Guide: Frontier AI Impact on Cybersecurity

🔒 Palo Alto Networks reports ongoing testing of frontier AI models from Anthropic and OpenAI, finding that they rapidly surface code vulnerabilities and potential exploit paths. In the May 'Patch Wednesday' advisories, the majority of findings originated from these AI scans, prompting broad rescanning and remediation. The company warns of a narrow three-to-five-month window before AI-driven exploits spread and offers Unit 42 services to help organizations respond.

Palo Alto Launches Idira to Secure AI and Identities

🔒 Palo Alto Networks has unveiled Idira, an identity security platform designed to protect human users, machine identities, and autonomous AI agents by applying dynamic privilege controls across all identity types. The platform leverages Palo Alto’s integration of CyberArk and continuously discovers and enriches identities across SaaS, cloud, and developer environments. Idira elevates privileges only when required and revokes them immediately, aiming to close blind spots left by legacy IAM and PAM systems. Analysts say it targets gaps in offerings such as Auth0 and SailPoint but does not eliminate the need for layered security.

Idira: Democratizing Privilege Controls for Identity

🔐 Idira is Palo Alto Networks' next-generation identity security platform, unveiled at IMPACT following the company's integration with CyberArk. It discovers every human, machine and AI agent, inventories entitlements across network, cloud, endpoints and browsers, and evaluates whether access is necessary. Idira replaces standing accounts with dynamic, just-in-time privileges and automates continuous governance, shrinking the fragmentation that delays incident response. The platform embeds AI to surface risky entitlements and drive rapid remediation, while integrating with Strata, Cortex and Prisma to enforce controls where users and agents work.

Weekly Recap: Linux Rootkits, Supply Chain and Cloud Breaches

⚡ This weekly recap highlights a string of active campaigns and exploited flaws affecting enterprise and cloud environments. Attackers weaponized vulnerabilities in Ivanti EPMM and Palo Alto PAN-OS, while a new modular Linux implant dubbed Quasar Linux (QLNX) pairs a kernel rootkit with a P2P mesh to resist takedowns. Several supply-chain compromises and credential-stealing campaigns are targeting cloud and developer tooling, and threat actors increasingly abuse legitimate RMM platforms for persistence.

Critical PAN-OS Captive Portal Zero-Day Exploited Widely

⚠️ Palo Alto Networks has confirmed a critical zero-day in PAN-OS's Captive Portal (CVE-2026-0300) that allows unauthenticated remote code execution as root on exposed PA and VM series firewalls. Reporting indicates suspected state-sponsored actors exploited the flaw for nearly a month. Palo Alto plans updates beginning May 13; customers should restrict or disable the portal until patches are available.

Frontier AI Defense: Shifting Cybersecurity to Machine Speed

🔒 Palo Alto Networks introduces Frontier AI Defense, a platform initiative designed to counter next-generation, agentic AI threats that can autonomously discover and chain software flaws. Their testing of frontier models (including GPT-5.5-Cyber, Mythos, and Claude Opus 4.7) revealed a step-change in coding capability and attack automation. The program combines Unit 42 expertise, early model access, platform integration, and partner alliances to enable prioritized mitigation and autonomous remediation at machine speed.

PAN-OS Critical RCE Exploit Observed in the Wild - May 2026

⚠️ Palo Alto Networks disclosed that threat actors attempted and later succeeded in exploiting a critical buffer overflow, CVE-2026-0300, in the PAN-OS User-ID Authentication Portal, enabling unauthenticated remote code execution as root. Unit 42 linked activity to a suspected state-sponsored cluster tracked as CL-STA-1132, noting shellcode was injected into an nginx worker. Customers are advised to restrict access to trusted zones or disable the portal if unused, and to apply fixes expected to begin rolling out on May 13, 2026.

Nutanix and Palo Alto Networks: Integration for Model Trust

🔒 Nutanix and Palo Alto Networks have integrated Prisma AIRS into the Nutanix Enterprise AI platform to embed automated AI model scanning and continuous red teaming directly into the MLOps pipeline. The integrated solution scans models at check-in, analyzes dependencies for known vulnerabilities and license issues, and validates provenance and file formats to block backdoors or unsafe execution paths before deployment. It also provides API-driven red teaming with a context-aware agent and a large, continuously updated attack library so teams can test resilience and prioritize business-relevant risks without complex setup.

Critical PAN-OS Buffer Overflow Targets Exposed Firewalls

🔒 Palo Alto Networks warned of a critical buffer overflow in PAN-OS affecting the User-ID Authentication Portal (CVE-2026-0300) that can allow unauthenticated attackers to execute code as root on exposed PA- and VM-Series firewalls. The vendor says only portals reachable from untrusted IPs are at risk; Prisma Access, Cloud NGFW and Panorama are not impacted. Customers are advised to restrict portal access, disable the Captive Portal if unused, disable Response Pages on untrusted interfaces, and apply mitigations until patched builds roll out in May.

PAN-OS Firewall RCE Zero-Day Exploited Since April 9

🔴 Palo Alto Networks warns that suspected state-sponsored actors have exploited a critical PAN-OS zero-day (CVE-2026-0300) in the User-ID Authentication Portal, enabling unauthenticated remote code execution as root on exposed PA- and VM-Series firewalls. Unit 42 says initial probing began April 9, with successful exploitation occurring about a week later; attackers cleaned logs and deployed tunneling tools. Palo Alto notes Cloud NGFW and Panorama are not affected and will issue patches starting May 13; administrators should restrict or disable the authentication portal until updates are applied.

PAN-OS Captive Portal Zero-Day Exploitation and Activity

🔒 Unit 42 details exploitation of a buffer overflow vulnerability (CVE-2026-0300) in the PAN-OS User-ID Authentication Portal that permits unauthenticated remote code execution as root on affected PA-Series and VM-Series firewalls. Observed adversary activity included shellcode injection into an nginx worker, rapid log and evidence cleanup, and deployment of tunneling tools such as EarthWorm and ReverseSocks5. Immediate mitigations are to restrict or disable the portal, apply vendor guidance, and enable available threat signatures and protections.

39 Seconds: Why Speed Is the New Cybersecurity Perimeter

⏱️ Unit 42 data and a conversation with Wendi Whitmore warn that attackers can exfiltrate data in as little as 39 seconds, forcing a shift from prevention to rapid detection and containment. Whitmore argues manual workflows cannot match adversary tempo and calls for AI-driven detection paired with unified visibility across endpoints, cloud and AI systems. Visibility, not complexity, enables containment before escalation.

CISA Adds One Known Exploited Vulnerability to KEV

⚠️ CISA has added CVE-2026-0300, a Palo Alto Networks PAN-OS out-of-bounds write vulnerability, to the KEV Catalog after evidence of active exploitation. BOD 22-01 requires Federal Civilian Executive Branch agencies to remediate cataloged vulnerabilities by their due dates. Although the directive applies only to FCEB agencies, CISA strongly urges all organizations to prioritize timely remediation as part of routine vulnerability management. CISA will continue to update the catalog when vulnerabilities meet its criteria.

Palo Alto Warns of Actively Exploited PAN-OS Zero-Day

🔴 Palo Alto Networks warns that a critical unpatched PAN-OS zero-day, CVE-2026-0300, is being actively exploited against the User-ID Authentication Portal (Captive Portal). The flaw is a buffer overflow that can allow unauthenticated attackers to execute arbitrary code as root on Internet-exposed PA-Series and VM-Series firewalls. Palo Alto classifies the bug at the highest severity and advises restricting or disabling the portal until a patch is available. Security telemetry from Shadowserver shows over 5,800 PAN-OS VM-series instances exposed online, increasing urgency for mitigations.