
A critical Palo Alto PAN-OS zero-day is being exploited in the wild

6 May 2026 at 15:48

Attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls, the security vendor said in an advisory Tuesday.

The critical memory corruption vulnerability — CVE-2026-0300 — affects the authentication portal of PAN-OS, and allows unauthenticated attackers to run code with root privileges on the vendor’s PA-Series and VM-Series firewalls, the company said.

Palo Alto Networks did not say when or how it became aware of active exploitation, nor when the earliest known exploitation occurred. The Cybersecurity and Infrastructure Security Agency added the defect to its known exploited vulnerabilities catalog Wednesday.

The company hasn’t released a patch for the vulnerability or described the scope and objective of confirmed attacks.

“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13,” a Palo Alto Networks spokesperson told CyberScoop.

Firewalls affected by the buffer-overflow vulnerability, which has a CVSS rating of 9.3, are broadly exposed in real-world deployments, the company said, and it described the attack complexity as low.

Shadowserver scans found more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday, yet it’s unknown how many of those instances have restricted authentication access to trusted internal IP addresses or disabled the feature altogether.

“We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base,” Palo Alto Networks’ spokesperson added.

Benjamin Harris, CEO and founder of watchTowr, noted that Palo Alto Networks proactively alerted customers to the zero-day, a step that allowed defenders to take action on potentially exposed instances. 

“In a bad situation, that is the best they can do immediately. However, that also alerts everyone to the existence of a vulnerability,” he told CyberScoop.

Despite the risk, Harris said watchTowr expects attacks linked to the zero-day exploit to be “very limited.” 

Palo Alto Networks and its impacted customers remain the only parties to have observed exploitation in the wild, but researchers warn that will likely change soon. 

“It’s likely rules will also start to fire in third-party organizations and honeypots shortly,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop. 

“Management interfaces, login pages, and authentication portals have been common adversary targets for both opportunistic and targeted campaigns in recent years,” she added. “With researcher and community eyes on the vulnerability, it’s likely that we’ll see public exploits and broader exploitation quickly, provided the issue isn’t prohibitively difficult to exploit.”

Palo Alto Networks has yet to attribute the attacks to any known threat group, publish indicators of compromise, or disclose the type of organizations that have been targeted and impacted.

Researchers are hunting for malicious activity and advise customers to apply patches upon release.

The post A critical Palo Alto PAN-OS zero-day is being exploited in the wild appeared first on CyberScoop.

Network ‘background noise’ may predict the next big edge-device vulnerability

20 April 2026 at 06:00

Attackers rarely exploit an edge-device vulnerability indiscriminately. Typically, they first test how widely the flaw can be used and how much access it can provide, then move on to steal data or disrupt operations.

Pre-attack surveillance and planning leaves a lot of noise in its wake. These signals — particularly spikes in traffic that are hitting specific vendors — can act as an early-warning system, often preceding public vulnerability disclosures, according to research GreyNoise shared exclusively with CyberScoop prior to its release. 

Roughly half of the activity surges GreyNoise detected during a 103-day study last winter were followed by a vulnerability disclosure from the same targeted vendor within three weeks, GreyNoise said in its report.

Researchers determined that the median warning of an impending vulnerability disclosure arrived nine days before the targeted vendor issued a public alert to its customers.

“Virtually every time we see large scale spikes in reconnaissance and inventory activity looking for a certain device, it’s because somebody knows about a vulnerability,” Andrew Morris, founder and chief architect at GreyNoise, told CyberScoop.

“Within a few days or weeks — usually within the responsible disclosure timeline — a new very bad vulnerability comes out,” he added.

GreyNoise insists that every day of advance notice matters, giving defenders an opportunity to defend against and thwart potential attacks before they occur. 

The real-time network edge scanning platform spotted 104 distinct activity surges across 18 vendors during its study period. These embedded systems, including routers, VPNs, firewalls and other security systems, consistently account for the most commonly exploited vulnerabilities.

“Attackers love hacking security devices like security appliances. The irony of that is just not lost on me at all,” Morris said.

“It hasn’t gotten bad enough for us to start taking the security of these devices seriously,” he added. “It’s not bad enough for us to take it seriously enough to start ripping these things out and replacing them with new devices or new vendors.”

GreyNoise linked traffic surges to a swarm of vulnerabilities disclosed by vendors across the market, including Cisco, Palo Alto Networks, Fortinet, Ivanti, HPE, MikroTik, TP-Link, VMware, Juniper, F5, Netgear and others.

“It’s becoming scientifically empirical, and it’s becoming more like meteorology than mysticism,” Morris said. “This is like clockwork now.”

GreyNoise breaks these traffic surges down to measure intensity and breadth. Session counts indicate how hard existing sources are hammering a specific vendor and unique source IP counts demonstrate how widely new infrastructure is joining the activity, researchers wrote in the report.

“When both the intensity and breadth of targeting increase simultaneously, it signals a coordinated escalation,” the report said. 

“When you see a session spike against one of your vendors and new source IPs joining at the same time, treat it as a high-confidence reason to look harder. When you see only an IP spike, do not assume a vulnerability is coming,” researchers added. 
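The two-signal rule the GreyNoise researchers describe (session counts for intensity, unique source IPs for breadth, and only the combination of both spikes treated as high confidence) can be applied to a defender's own perimeter telemetry. The following is an added example, not GreyNoise's code or the report's method: it scores each day's counts for one vendor against the median of a trailing window, and the threshold factor, window length and the per-day counts are all constructed assumptions.

```python
"""Surge heuristic over per-vendor scanning telemetry (added example, constructed data)."""
from dataclasses import dataclass
from statistics import median
from typing import List, Tuple


@dataclass(frozen=True)
class DailyStats:
    """One day of inbound scanning activity aimed at a single vendor's products."""
    day: str
    sessions: int      # intensity: how hard existing sources are hammering the vendor
    unique_ips: int    # breadth: how many distinct sources are participating


def is_spike(value: int, baseline: float, factor: float) -> bool:
    """A count is a spike when it is at least `factor` times the trailing median."""
    return baseline > 0 and value >= factor * baseline


def classify_day(history: List[DailyStats], today: DailyStats, factor: float) -> str:
    """Apply the report's rule: both spikes -> high confidence; IP-only spike -> no alarm."""
    session_baseline = median(h.sessions for h in history)
    ip_baseline = median(h.unique_ips for h in history)
    session_spike = is_spike(today.sessions, session_baseline, factor)
    ip_spike = is_spike(today.unique_ips, ip_baseline, factor)
    if session_spike and ip_spike:
        return "high_confidence"   # coordinated escalation: look harder at this vendor
    if session_spike:
        return "intensity_only"    # existing sources working harder, breadth unchanged
    if ip_spike:
        return "breadth_only"      # new IPs alone; do not assume a disclosure is coming
    return "normal"


def scan_series(series: List[DailyStats], window: int = 7, factor: float = 3.0) -> List[Tuple[str, str]]:
    """Classify every day after the warm-up window against the `window` days before it."""
    results = []
    for i in range(window, len(series)):
        results.append((series[i].day, classify_day(series[i - window:i], series[i], factor)))
    return results


# Constructed telemetry (assumption): seven quiet days, then three days that exercise each branch.
SAMPLE_SERIES = [
    DailyStats("d01", 90, 18), DailyStats("d02", 110, 22), DailyStats("d03", 100, 20),
    DailyStats("d04", 95, 19), DailyStats("d05", 105, 21), DailyStats("d06", 100, 20),
    DailyStats("d07", 98, 20),
    DailyStats("d08", 400, 22),   # sessions jump, same sources -> intensity_only
    DailyStats("d09", 110, 90),   # many new IPs, sessions flat -> breadth_only
    DailyStats("d10", 500, 95),   # both rise together -> high_confidence
]

if __name__ == "__main__":
    for day, verdict in scan_series(SAMPLE_SERIES):
        print(day, verdict)
```

The median baseline is deliberate: a mean would be dragged upward by the first spike day and mask the ones that follow. In practice the series would be built per vendor from firewall or honeypot logs, with the factor tuned to the normal variance of that vendor's background traffic.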

The study bolsters other research from Verizon, Google Threat Intelligence Group and Mandiant — landing during what GreyNoise calls “the most aggressive period of edge device exploitation on record.”

This activity doesn’t happen in a vacuum and threat groups aren’t flooding edge devices with traffic for free or for fun, according to Morris.

“People tend to treat internet background noise like it’s this unexplainable phenomenon,” he said. “They’re clearly trying to test the existence of a vulnerability in order to compromise the systems.”

The post Network ‘background noise’ may predict the next big edge-device vulnerability appeared first on CyberScoop.

Cisco’s latest vulnerability spree has a more troubling pattern underneath

18 March 2026 at 17:31

Cisco customers have confronted a flood of actively exploited vulnerabilities affecting the vendor’s network edge software since late February, and researchers say that five of the nine vulnerabilities Cisco disclosed in its firewalls and SD-WAN systems over the past three weeks have already been exploited in the wild. 

Attackers exploited a pair of these defects — zero-day vulnerabilities in Cisco SD-WANs — for at least three years before the vendor and authorities discovered and issued warnings about the threat. Cisco disclosed an additional five SD-WAN vulnerabilities that same day, and three of those defects have since been confirmed actively exploited as well.

Weaknesses lurking in Cisco security products don’t end there. Amazon Threat Intelligence on Wednesday said one of the two max-severity defects Cisco reported in its firewall management software earlier this month has been actively exploited by Interlock ransomware since Jan. 26, more than a month before those vulnerabilities were publicly disclosed.

Some organizations, officials and members of the security community at large have missed widening risks as more of the defects come under attack. The flurry of Cisco SD-WAN and firewall vulnerabilities includes defects with low CVSS ratings, zero-days and others that were determined actively exploited after disclosure.

“These are not random bugs in low-value software. These are management-plane and control-plane weaknesses in devices at the network edge, which often function as trust anchors in enterprise environments,” Douglas McKee, director of vulnerability intelligence at Rapid7, told CyberScoop.

“If you compromise SD-WAN or firewall management, you’re landing on policy, visibility, routing, segmentation, and, in many cases, administrative trust over a large swath of the environment,” he added. “Attackers know that and, when they find a pre-auth path into those systems, especially one that can be chained to root, that’s about as attractive as it gets.”

The full slate of recently disclosed Cisco vulnerabilities affecting these systems includes:

Researchers from multiple firms and Cisco have observed or been notified of active exploitation of CVE-2026-20127, CVE-2022-20775, CVE-2026-20122, CVE-2026-20128 and CVE-2026-20131.

The Cybersecurity and Infrastructure Security Agency has only added two of the defects — CVE-2022-20775 and CVE-2026-20127 — to its known exploited vulnerabilities catalog thus far. The agency, which last week added new hunting and reporting requirements to an emergency directive it issued for the defects in late February, did not answer questions about the updated order or explain why other actively exploited Cisco vulnerabilities haven’t been added to the catalog. The agency has been operating under a funding shutdown since February.

Interlock ransomware hits Cisco firewalls

The ongoing ransomware campaign Amazon Threat Intelligence spotted involving CVE-2026-20131 confirmed “Interlock had a zero-day in their hands, giving them a week’s head start to compromise organizations before defenders even knew to look,” researchers said Wednesday.

Interlock’s observed attack path and operations are extensive, including post-compromise reconnaissance scripts, custom remote access trojans, a webshell and legitimate tool abuse. Amazon did not identify specific victims, and said the group threatens organizations with data encryption, regulatory fines and compliance violations.

“Interlock has historically targeted specific sectors where operational disruption creates maximum pressure for payment,” Amazon Threat Intelligence researchers said in the blog post. These sectors include education, engineering, architecture, construction, manufacturing, industrial, health care and government entities. 

4 Cisco SD-WAN defects under attack

The swarm of vulnerabilities in Cisco SD-WANs poses additional risk for customers. Cisco Talos previously attributed long-running attacks involving CVE-2026-20127 and CVE-2022-20775 to UAT-8616, but it’s unclear if the same threat group is responsible for all of the Cisco SD-WAN exploits. 

“Other threat groups are likely to pick up public research in order to weaponize or adapt it opportunistically, so we may see follow-on attempts by additional threat actors, including low-skilled attackers,” Caitlin Condon, vice president of security research at VulnCheck, told CyberScoop.

Researchers said vulnerabilities are often disclosed in clusters after a meaningful defect is identified in a specific product, such as Cisco’s SD-WAN systems.

Cisco declined to answer questions and said customers can find the latest information on its security advisories page.

Condon and McKee both noted that Cisco has been responsive in releasing software fixes, threat-hunting intelligence and, in the case of the SD-WAN zero-days, coordinated government guidance. 

“This is what a good crisis response is supposed to look like once exploitation is identified,” McKee said. 

“The harder question is whether the industry is getting early-enough visibility into the defects in edge-management software that sophisticated actors are clearly prioritizing,” he added. “Are our organizations equipped with the right people and tools to perform this level of exposure management?”

The expanding exploits Cisco customers are combating on firewalls and SD-WANs are a reminder that organizations shouldn’t deprioritize less notorious vulnerabilities or those with lower CVSS scores, Condon said.

“Several of the exploited vulnerabilities in this tranche of Cisco SD-WAN bugs don’t have critical CVSS scores, meaning teams using CVSS as a prioritization mechanism might miss medium- or high-scored flaws that still have real-world adversary utility,” she added.
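Condon's point is that a CVSS-sorted queue buries medium- and high-scored flaws that are already being exploited, and this article also shows that CISA's catalog lags third-party evidence (five Cisco defects reported exploited, two in the KEV catalog). The following is an added example, not code from Cisco, CISA, VulnCheck or Rapid7: it parses a KEV-format JSON fragment, merges it with a set of CVEs flagged by other intelligence sources, and orders an inventory so that any exploited defect outranks every unexploited one regardless of score. The CVE identifiers are the ones this article names; the CVSS values, dates and catalog entries are constructed placeholders.

```python
"""Exploitation-aware vulnerability triage (added example, constructed data)."""
import json
from typing import Dict, Iterable, List, Tuple

# Constructed fragment in the layout of CISA's KEV JSON feed (dates are placeholders).
KEV_SAMPLE = json.dumps({
    "vulnerabilities": [
        {"cveID": "CVE-2026-20127", "vendorProject": "Cisco", "product": "SD-WAN",
         "dateAdded": "2026-02-25", "dueDate": "2026-03-04", "knownRansomwareCampaignUse": "Unknown"},
        {"cveID": "CVE-2022-20775", "vendorProject": "Cisco", "product": "SD-WAN",
         "dateAdded": "2026-02-25", "dueDate": "2026-03-04", "knownRansomwareCampaignUse": "Unknown"},
    ]
})

# CVEs the article reports as exploited on third-party evidence but not (yet) in the catalog.
INTEL_EXPLOITED = {"CVE-2026-20122", "CVE-2026-20128", "CVE-2026-20131"}

# Constructed inventory: CVE -> CVSS base score (scores are placeholders, not vendor values).
INVENTORY = {
    "CVE-2026-20079": 10.0,
    "CVE-2026-20131": 10.0,
    "CVE-2026-20127": 8.8,
    "CVE-2026-20122": 7.5,
    "CVE-2022-20775": 6.5,
    "CVE-2026-20128": 5.3,
}


def load_kev(text: str) -> Dict[str, dict]:
    """Index a KEV-format document by CVE id."""
    return {entry["cveID"]: entry for entry in json.loads(text)["vulnerabilities"]}


def evidence_for(cve: str, kev: Dict[str, dict], intel: Iterable[str]) -> str:
    """Name the strongest exploitation evidence we hold for a CVE, or 'none'."""
    if cve in kev:
        return "KEV"
    if cve in set(intel):
        return "third-party intel"
    return "none"


def prioritize(inventory: Dict[str, float], kev: Dict[str, dict],
               intel: Iterable[str]) -> List[Tuple[str, float, str]]:
    """Order by exploitation evidence first, then CVSS, then CVE id for a stable result.

    A 6.5 with a KEV entry lands above a 10.0 with no exploitation evidence, which is the
    opposite of a plain CVSS sort and the behaviour the VulnCheck comment argues for.
    """
    rows = [(cve, score, evidence_for(cve, kev, intel)) for cve, score in inventory.items()]
    return sorted(rows, key=lambda r: (r[2] == "none", -r[1], r[0]))


def cvss_only(inventory: Dict[str, float]) -> List[str]:
    """The naive ordering, kept for comparison with prioritize()."""
    return [cve for cve, _ in sorted(inventory.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for cve, score, evidence in prioritize(INVENTORY, load_kev(KEV_SAMPLE), INTEL_EXPLOITED):
        print(f"{cve}  cvss={score:<4}  evidence={evidence}")
```

The comparison with `cvss_only` is the whole lesson: in the naive order the two 10.0 entries come first and the catalogued 6.5 sits last, while the evidence-aware order pushes every exploited defect to the top before score is consulted at all.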

The attacks also collectively reflect a persistent pattern of attackers targeting network edge systems from multiple vendors, including Cisco.

“Attackers continue to treat network edge and management infrastructure as prime real estate, and when defenders see pre-authentication, management-plane flaws with evidence of pre-disclosure exploitation, they need to assume compromise, not just exposure,” McKee said. 

“Attackers are investing time and capability into finding and operationalizing previously unknown defects in Cisco edge and management infrastructure because the payoff is enormous,” he added. “These platforms give you a privileged position, broad visibility, and a path to durable access inside high-value organizations. That’s exactly why they keep getting hit.”

The post Cisco’s latest vulnerability spree has a more troubling pattern underneath appeared first on CyberScoop.

Cisco reveals 2 max-severity defects in firewall management software

5 March 2026 at 10:26

Cisco released information on a pair of max-severity vulnerabilities in its firewall management software Wednesday that unauthenticated, remote attackers could exploit to obtain the highest level of access to the underlying operating system on affected devices.

The vulnerabilities — CVE-2026-20079 and CVE-2026-20131 — affect the web-based interface of Cisco Secure Firewall Management Center (FMC) Software, regardless of device configuration, the vendor said.

Cisco disclosed the critical vulnerabilities one week after it warned that attackers have been exploiting a pair of zero-days in Cisco’s network edge software for at least three years. That campaign, which is ongoing, marked the second series of multiple actively exploited zero-days in Cisco edge technology since last spring. 

Both campaigns prompted the Cybersecurity and Infrastructure Security Agency to issue emergency directives months after the attacks were first detected, and both attack sprees were underway for at least a year before they were discovered. 

Cisco said the new vulnerabilities were disclosed and patched as part of its biannual update, which contained 48 vulnerabilities across multiple security products.

“At the time of publication, Cisco PSIRT (product security incident response team) is not aware of any malicious use of these vulnerabilities,” a company spokesperson told CyberScoop.

“We strongly urge customers to upgrade to available fixed software releases that address these vulnerabilities,” the spokesperson added. 

One of the vulnerabilities in Cisco Secure FMC Software — CVE-2026-20079 — allows attackers to bypass authentication and execute script files on an affected device to obtain root access to the operating system. 

“This vulnerability is due to an improper system process that is created at boot time,” Cisco said in a security advisory.

Cisco said the second critical defect — CVE-2026-20131 — is a deserialization flaw that allows attackers to achieve remote code execution. 

“An attacker could exploit this vulnerability by sending a crafted serialized Java object to the web-based management interface of an affected device,” the vendor said in a security advisory. “A successful exploit could allow the attacker to execute arbitrary code on the device and elevate privileges to root.”

Cisco describes the affected product as the “administrative nerve center” for firewall management, application control, intrusion prevention, URL filtering and malware protection.

There are no workarounds for either vulnerability. Cisco did not say how the vulnerabilities might be related, if they can be chained together for exploitation, nor when and under what circumstances it became aware of the defects.

The post Cisco reveals 2 max-severity defects in firewall management software appeared first on CyberScoop.

Active - Virtual Machines and dependent services - Service management issues in multiple regions

2 February 2026 at 14:46

Impact statement: As early as 19:46 UTC on 2 February 2026, we became aware of an issue causing customers to receive error notifications when performing service management operations - such as create, delete, update, scaling, start, stop - for Virtual Machines (VMs) affecting multiple regions. These issues are also impacting services with dependencies on these service management operations - including Azure Arc Enabled Servers, Azure Batch, Azure Cache for Redis, Azure Container Apps, Azure DevOps (ADO), Azure Kubernetes Service (AKS), Azure Backup, Azure Load Testing, Azure Firewall, Azure Search, Azure Virtual Machine Scale Sets (VMSS), GitHub (see https://www.githubstatus.com).

Current status: We determined that these issues were caused by a recent configuration change that affected public access to certain Microsoft‑managed storage accounts, used to host extension packages. We have applied our mitigation across all impacted regions and have performed validation checks to ensure that all affected resources have had their configurations updated. At this stage, customers should see signs of recovery across regions. We are currently monitoring downstream services for any further impact. Our next update will be provided by 08:00 UTC, approximately 2 hours from now, or sooner if we have progress to share.

Fortinet’s latest zero-day vulnerability carries frustrating familiarities for customers

28 January 2026 at 17:33

Fortinet customers are confronting another actively exploited zero-day vulnerability that allows attackers to bypass authentication in the single sign-on flow for FortiCloud and gain privileged access to multiple Fortinet firewall products and related services.

The vendor issued a security advisory for the vulnerability — CVE-2026-24858 — warning that some instances of exploitation already occurred earlier this month. Fortinet has yet to release patches to address the critical vulnerability across multiple versions of its products, including FortiAnalyzer, FortiManager, FortiOS, FortiProxy and FortiWeb.

Defects in Fortinet products are a recurring problem for the vendor’s customers and defenders, making 24 appearances on the Cybersecurity and Infrastructure Security Agency’s known exploited vulnerabilities catalog since late 2021. One-third of those vulnerabilities made the list last year and 13 are known to be used in ransomware campaigns.

The agency added the latest Fortinet defect, which has a CVSS rating of 9.8, to its known exploited vulnerabilities catalog Tuesday and shared Fortinet’s guidance in a subsequent alert Wednesday.

The vulnerability, which allows attackers with a FortiCloud account and a registered device to log into devices registered to other accounts, was exploited by two malicious FortiCloud accounts that Fortinet said it blocked Jan. 22. Attackers have reconfigured firewall settings on FortiGate devices, created unauthorized accounts and changed virtual private network configurations to gain access to new accounts.

The vendor said it disabled FortiCloud SSO Monday and re-enabled the service Tuesday with controls in place to prevent logins to devices running vulnerable software versions.

Fortinet’s advisory brings some clarity and raises new questions for defenders and researchers who have encountered problems on Fortinet devices since December. The vendor disclosed a pair of similar critical authentication bypass vulnerabilities Dec. 9, including CVE-2025-59718, which has also been actively exploited.

Arctic Wolf said it observed a new cluster of unauthorized firewall configuration changes on FortiGate devices Jan. 15 that bore similarities to previous attacks linked to CVE-2025-59718 in December. Fortinet hasn’t explained the extent to which the defects are related or if the new flaw represents a bypass of the previous patches, but it has confirmed that customers running versions released in December are vulnerable to CVE-2026-24858.

Fortinet did not respond to a request for comment. Carl Windsor, the company’s chief information security officer, shared recommended mitigation steps and indicators of compromise in a blog post.

Researchers have yet to determine how many customers are impacted by CVE-2026-24858 exploits, but the scope of potential victims is broad and global. Shadowserver scans show nearly 10,000 Fortinet instances with FortiCloud SSO enabled with roughly one-fourth of those based in the United States.

Ben Harris, founder and CEO at watchTowr, said the company’s exposure management platform is observing active probing for devices with FortiCloud SSO enabled, but the broader impact is still unknown. 

“There are those that know they’re affected, and likely a number that are unaware,” he told CyberScoop. “Regardless, those that keep a bingo card for ‘yet another year of depressingly predictable vulnerabilities’ have likely crossed off ‘full authentication bypass against a management interface’ already in 2026.”

Arctic Wolf researchers said they haven’t seen evidence of new exploitation since Jan. 21, adding that attacks appear to be limited to instances where management interfaces of vulnerable devices were publicly exposed to the internet. 

Vulnerabilities in network devices from multiple vendors have been exploited for initial access at a high rate, especially in ransomware attacks, researchers at Arctic Wolf said. “While it is vitally important to keep up to date on firmware updates, security best practices should be followed to limit the potential impact of this vulnerability and similar flaws in the future.”

While defenders have grown accustomed to a steady amount of Fortinet vulnerabilities, that experience has fueled a mounting sense of frustration. 

Joe Toomey, vice president of underwriting security at Coalition, took to LinkedIn Wednesday to criticize Fortinet’s inability to thwart or reduce the number of actively exploited vulnerabilities affecting its products.

Fortinet’s latest defect marks the 14th time Coalition has sent zero-day advisories about critical Fortinet vulnerabilities to its policyholders in less than four years. Fortinet products account for more than 7% of the collective 180 zero-day advisories Coalition sent to policyholders since 2023, Toomey said in his blog post.

“All of which makes one begin to wonder if Fortinet is really taking security seriously,” he added.

Harris commended Fortinet for its transparency, adding that the vendor has clearly outlined its response and actions taken to address the vulnerability, some of which remains unfinished. 

Yet, he added: “As we’ve seen now for years, Fortinet and the ‘Fast & Furious’ franchise are apparently competing for the amount of sagas we can fit into one year. It’s unclear who will win.”

The post Fortinet’s latest zero-day vulnerability carries frustrating familiarities for customers appeared first on CyberScoop.

Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage

17 November 2025 at 15:57

Federal authorities and researchers alerted organizations Friday to a massively exploited vulnerability in Fortinet’s web application firewall. 

While the actively exploited critical defect poses significant risk to Fortinet’s customers, researchers are particularly agitated about the vendor’s delayed communications and, ultimately, post-exploitation warnings about the vulnerability.

Fortinet addressed CVE-2025-64446 in a software update pushed Oct. 28, but did not assign the flaw a CVE or publicly disclose its existence until last week — 17 days later — when the company also confirmed the vulnerability has been exploited in the wild.

By then, for some Fortinet customers, especially those that hadn’t updated to FortiWeb 8.0.2, it was too late. The path-traversal defect in FortiWeb, which has a CVSS rating of 9.8, allows attackers to execute administrative commands resulting in a complete takeover of the compromised device.

Threat researchers from multiple firms, computer emergency response teams and the Cybersecurity and Infrastructure Security Agency issued warnings, with some including details about extensive attacks linked to the defect Friday. CISA also issued an alert and added the flaw to its known exploited vulnerability catalog Friday, requiring federal agencies to address the vulnerability within a short deadline of seven days.

A Fortinet spokesperson said the vendor’s product security incident response team began addressing the vulnerability as soon as it learned of the defect, and those efforts remain underway. “Fortinet diligently balances our commitment to the security of our customers and our culture of responsible transparency,” the spokesperson said in a statement. 

“With that goal and principle top of mind, we are communicating directly with affected customers to advise on any necessary recommended actions,” the spokesperson added.

Threat researchers at Defused first spotted the vulnerability and published a proof-of-concept exploit they detected Oct. 6. Researchers at watchTowr published technical analysis of the exploit and released a tool to help organizations hunt for potentially vulnerable hosts in their environments.

“Attacks have been widespread and indiscriminate according to shared evidence since at least early October — long before the industry was able to pull the fire alarm, and arguably exacerbated by the silence from Fortinet,” Ben Harris, founder and CEO at watchTowr, told CyberScoop.

Researchers haven’t identified or named victims yet, but attackers are exploiting the vulnerability to add new administrative accounts, likely achieving persistent privileged access on compromised devices. Threat hunters have not attributed the attacks to any cybercrime outfit, place of origin or motivation.

“Fortinet’s silent patching of the vulnerability — intentional or not — likely led many users not to apply the patch that actually fixed the vulnerability,” Harris said. “FortiWeb customers weren’t told about the critical, immediate risk of not applying these patches. Had they known, they would have likely updated right away. Now, anyone who didn’t patch is likely compromised.”

Information vacuum left researchers scrambling

The vulnerability falls under a gray area of definition — a less-important detail but one that underscores the difficulties third-party researchers confronted in mounting a proper and informed response. 

“Unless Fortinet is now fixing vulnerabilities by accident, by definition, it isn’t a zero-day, it’s a silently patched vulnerability and thus an n-day,” Harris said.

Yet, from a defender’s perspective this vulnerability functionally behaved as a zero-day, said Ryan Emmons, security researcher at Rapid7. “It was being exploited before customers had any formal awareness, guidance or patch information.”

Fortinet’s release notes for FortiWeb 8.0.2 don’t include any reference to specific vulnerabilities. 

“The challenge is that the security community builds its understanding through shared signals like public advisories, CVE assignments, behavioral descriptions, and clear remediation instructions. When those signals arrive late or in fragments, it slows the ability of researchers, vendors, and defenders to triangulate what’s actually happening,” Emmons said. 

“Attackers often have first-mover advantage, and defenders rely heavily on vendor transparency and cooperative industry coordination,” Emmons added. “When a vendor has knowledge of product flaws and a patch is published, it’s imperative that defenders are given a heads-up notice with as much actionable information as possible. Obscurity hurts defenders more than it impedes attackers.”

Researchers resoundingly criticized Fortinet for delaying its public disclosure of the vulnerability and a lack of urgency until active exploitation was already underway.

Fortinet’s belated CVE assignment compounded problems for defenders. “In the dark, information is scarce and delays are inherent, as defenders burn cycles trying to figure out what’s even going on,” Emmons said. “This gives attackers a much stronger position.”

Security teams are already inundated with vulnerability patches. It’s not only unfeasible for them to address every defect and software update immediately, there’s also an operational impact risk to measure. Patches can break critical processes and integrations. 

“Many organizations, following standard change-control processes, understandably delayed patching. Meanwhile, it’s possible that Fortinet itself was unaware of the full severity of the issue and silently patched a flaw without realizing the risk it posed,” Harris said. “This combination left defenders at a disadvantage from the start.”

The post Fortinet’s delayed alert on actively exploited defect put defenders at a disadvantage appeared first on CyberScoop.
