Palo Alto Firewalls Are Being Hacked Right Now: What UK Small Businesses Need to Know
Palo Alto Networks has confirmed that CVE-2026-0300 is being actively exploited in the wild. The vulnerability sits in the User-ID Authentication Portal of PAN-OS, the operating system running on their firewall hardware. An unauthenticated attacker who can reach that portal can trigger a buffer overflow and execute arbitrary code with root privileges.
Root privileges. On your firewall. Without logging in.
The CVSS score is 9.3. There is no patch available as of 7 May 2026.
What the Vulnerability Actually Does
A buffer overflow occurs when a program accepts more data into a fixed-size area of memory than that area can hold, so the excess overwrites whatever sits next to it. If what gets overwritten is something the program later trusts, such as a return address or a function pointer, an attacker who controls the input can redirect the program into running code of their choosing instead of the code it was written to run.
In this case, the target is PAN-OS’s authentication portal, specifically the component used to identify users on the network. The irony is precise: the mechanism designed to verify who you are is the mechanism being used to bypass all verification entirely.
Palo Alto Networks has described the exploitation as “limited” in scope, but they have not published specifics on how many organisations are affected or when the attacks began. “Limited exploitation” in vendor language means confirmed exploitation. The limitation, if any, is in the attacker’s current targeting choices, not in the technical capability of the exploit.
Why This Matters if You Are Not a Security Professional
Your firewall is the device that sits between your internal network and the internet. It decides what traffic is allowed in and what is kept out. If an attacker takes root control of that device, the firewall no longer protects you. It becomes their device, sitting at the edge of your network, with a full view of everything passing through it and the ability to rewrite the rules that are supposed to keep them out.
For a small business, this translates directly. Customer data, payment systems, email, file servers, remote access connections: all of it flows through that device. An attacker with root control can intercept it, redirect it, or simply sit quietly and watch.
The interim mitigation Palo Alto Networks has published is to restrict access to the authentication portal so that it is not reachable from the open internet. That is not a fix. It reduces the attack surface by limiting who can attempt to exploit the flaw, but the vulnerable code is still there. If an attacker already has a foothold inside your network, on a VPN, or on a partner link that can reach the portal, or if your configuration leaves any external path to it open, the risk remains. The restriction is also only as good as its verification: confirm from outside the network that the portal no longer answers, rather than relying on a configuration read-out alone.
The Supply Chain Problem for Small Businesses
Most small businesses do not manage their own Palo Alto firewalls. Their managed service provider does. That MSP may be managing dozens or hundreds of PAN-OS devices across their client base.
This is where the supply chain risk concentrates. One misconfigured portal across one MSP’s estate is one exploitable entry point. The attacker does not need to target your business specifically. They target the MSP’s infrastructure and work inward from there.
If your MSP has not contacted you about CVE-2026-0300 in the last 24 hours, that is information. It tells you either that they have assessed your specific configuration and determined you are not exposed, or that they have not yet acted on this advisory. You need to know which one it is.
The question to ask is simple: is our authentication portal currently restricted from internet-facing access? A competent MSP should be able to answer that in under ten minutes. If the answer takes longer, or involves significant uncertainty, that is a separate conversation worth having.
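The question can be checked rather than taken on trust. The script below is an added example, not Palo Alto Networks code and not taken from the advisory: run from an external vantage point, it attempts a TCP handshake on the portal's listener ports and reports what answered. The port numbers 6080 to 6082 are an assumption based on the conventional listeners of the Authentication Portal (formerly Captive Portal); the page does not state them, so confirm them against your own configuration and the advisory before relying on the result.

```python
"""Added example: probe whether a PAN-OS Authentication Portal listener answers
from an external vantage point. Not Palo Alto Networks code."""
import socket
import sys
from typing import Callable, Dict, Iterable, Tuple

# Assumption: the Authentication Portal (formerly Captive Portal) listens on
# TCP 6080-6082. The page does not state these ports; confirm them against
# your own firewall configuration and the vendor advisory.
DEFAULT_PORTAL_PORTS: Tuple[int, ...] = (6080, 6081, 6082)

# A probe takes (host, port) and returns "open", "refused" or "filtered".
Probe = Callable[[str, int], str]


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Attempt a TCP handshake and classify the outcome.

    "open"     : handshake completed, so something is listening there
    "refused"  : the host answered with a reset, so nothing listens on that port
    "filtered" : no answer at all (dropped by policy, unreachable, or DNS failed)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (TimeoutError, OSError):
        return "filtered"


def probe_portal(host: str, ports: Iterable[int] = DEFAULT_PORTAL_PORTS,
                 probe: Probe = tcp_probe) -> Dict[int, str]:
    """Probe each port once. `probe` is injectable so the classification
    logic can be exercised offline with constructed results."""
    return {port: probe(host, port) for port in ports}


def is_exposed(results: Dict[int, str]) -> bool:
    """Exposed means at least one portal port completed a handshake."""
    return any(state == "open" for state in results.values())


def report(host: str, results: Dict[int, str]) -> str:
    """Human-readable summary; the verdict is the last line."""
    lines = [f"{host}:{port}\t{state}" for port, state in sorted(results.items())]
    if is_exposed(results):
        lines.append("EXPOSED: a portal port accepts connections from this vantage point")
    else:
        lines.append("NOT REACHABLE: no portal port accepted a connection from this vantage point")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: portal_probe.py <public-ip-or-hostname>")
    target = sys.argv[1]
    print(report(target, probe_portal(target)))
```

Run it from somewhere that is genuinely outside your network (a mobile tether or a cloud VM), because from inside the LAN the portal is supposed to be reachable and a result from there proves nothing. An "open" on any of these ports is not proof of exploitability, only proof that something answered, and that is exactly the thing your MSP should be able to explain; "refused" means the host is up but nothing listens there, and "filtered" means the connection attempt was dropped or never arrived.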
A Second Issue Worth Noting: Apache Wicket Session Fixation
CVE-2026-40010 was published yesterday with a CVSS score of 9.1. It affects Apache Wicket, a Java web framework used in many business applications, particularly those built on older enterprise stacks.
The vulnerability is a session fixation flaw. In plain terms: the application keeps using the same session identifier after a user logs in as it did before. An attacker who obtains a valid pre-login identifier and gets the victim's browser to present it is then holding an identifier that becomes authenticated the moment the victim signs in. The user logs in normally. The attacker is already in.
Apache Wicket versions from 8.0.0 through 8.17.0, version 9.0.0, and versions 10.0.0 through 10.8.0 are all affected. The fix is version 10.9.0.
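To make the mechanism concrete, here is an added example of the vulnerability class in a toy session store. It is not Apache Wicket code and does not reproduce the specific trigger in CVE-2026-40010; the class names, the rotate_on_login switch and the "alice" victim are constructed for the illustration. The same store is run twice, once keeping the pre-login identifier across authentication and once discarding it and issuing a fresh one.

```python
"""Added example: why a session identifier must change at login.
Toy illustration of session fixation; not Apache Wicket code."""
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    user: Optional[str] = None  # None until the client authenticates


class SessionStore:
    """Server-side sessions keyed by the identifier a client carries in a
    cookie or URL. `rotate_on_login` selects the vulnerable or fixed behaviour."""

    def __init__(self, rotate_on_login: bool) -> None:
        self.rotate_on_login = rotate_on_login
        self._sessions: Dict[str, Session] = {}

    def resolve(self, presented_id: Optional[str]) -> str:
        """Return the id used for this request: the presented one if it names
        a known session, otherwise a freshly minted one."""
        if presented_id is not None and presented_id in self._sessions:
            return presented_id
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = Session()
        return fresh

    def login(self, session_id: str, user: str) -> str:
        """Authenticate and return the id the client must use from now on.
        Vulnerable variant: the pre-login id simply gains a user.
        Fixed variant: the pre-login id is destroyed and a new one issued."""
        if session_id not in self._sessions:
            raise KeyError("unknown session")
        if not self.rotate_on_login:
            self._sessions[session_id].user = user
            return session_id
        del self._sessions[session_id]  # anything holding the old id is locked out
        fresh = secrets.token_urlsafe(32)
        self._sessions[fresh] = Session(user=user)
        return fresh

    def whoami(self, session_id: str) -> Optional[str]:
        session = self._sessions.get(session_id)
        return session.user if session else None


def fixation_attack(store: SessionStore, victim: str = "alice") -> Tuple[Optional[str], Optional[str]]:
    """Play out the attack. Returns (who the attacker's id now resolves to,
    who the victim's own browser resolves to)."""
    # 1. Attacker visits the site and is issued an ordinary unauthenticated id.
    attacker_id = store.resolve(None)
    # 2. Attacker plants that id in the victim's browser (a crafted link that
    #    carries it, a cookie set via some other weakness). Constructed step.
    # 3. The victim's browser presents the planted id; the server accepts it
    #    because it is a real, known session.
    victim_id = store.resolve(attacker_id)
    assert victim_id == attacker_id
    # 4. The victim authenticates normally and receives whatever id the server
    #    hands back.
    victim_id = store.login(victim_id, victim)
    # 5. The attacker presents the id from step 1.
    return store.whoami(attacker_id), store.whoami(victim_id)
```

With rotation off, the attacker's identifier resolves to the victim after login; with rotation on, it resolves to nothing while the victim's own browser, which received the new identifier from the login response, carries on working. That is the whole fix: invalidate the pre-authentication identifier at the moment of authentication, and never accept a client-supplied identifier the server did not itself issue.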
This one is more likely to affect you indirectly, through a supplier or software vendor whose application runs on Apache Wicket rather than through something you manage directly. If you use bespoke business software built by a third party, it is worth asking your supplier whether their stack includes Apache Wicket and whether they have applied the available patch.
How This Gives You an Edge
Being across active exploits before your competitors are is a genuine differentiator, particularly in sectors where clients are asking harder questions about supply chain security.
If you work with clients who handle sensitive data, being able to say that you actively monitor your MSP’s response to critical advisories, and that you verify mitigations rather than simply accepting assurances, positions you as the more careful choice. Most of your competitors are not having this conversation with their IT providers. You can be.
For businesses holding Cyber Essentials certification, the configuration control required to restrict authentication portal exposure to the internet is directly relevant to the boundary firewall control. Getting your MSP to document the restriction is not just good security practice; it is evidence of active compliance management rather than an annual checkbox exercise.
Making the Case Internally
Three points for anyone who needs to take this upward:
Active exploitation with no patch is the highest-risk category. CVE-2026-0300 is not a theoretical risk or a researcher's proof of concept. Palo Alto Networks has confirmed real-world exploitation. When a vendor confirms this, it means they hold evidence of the flaw being used against real deployments, not a lab demonstration.
The firewall is the wrong place to have a gap. A business can tolerate a vulnerability in a peripheral application while a patch is being tested. A vulnerability in the device that controls all network traffic is categorically different. The potential blast radius is everything behind it.
MSP accountability is measurable right now. Whether your MSP has contacted you about this advisory in the past 24 hours is a concrete, auditable data point about the quality of their managed service. Use it accordingly when your contract renewal comes around.
What to Do Before Friday
- Contact your MSP today. Ask specifically whether any Palo Alto PAN-OS devices in your environment have the User-ID Authentication Portal accessible from the internet. Request written confirmation of the current configuration status and the mitigation applied.
- Monitor the Palo Alto advisory directly. The security advisory for CVE-2026-0300 is published on Palo Alto Networks' security portal. When a patch becomes available, your MSP should apply it within the timeframes specified in your service agreement. If your agreement does not specify patch response timeframes for critical vulnerabilities, that gap is worth addressing.
- Ask your software suppliers about Apache Wicket. If you use any bespoke or older business applications, send a brief message asking whether Apache Wicket is part of the technology stack and whether CVE-2026-40010 has been assessed. The question itself signals that you are paying attention.
- Document the responses you receive. If you need to demonstrate due diligence to a client, an insurer, or an auditor, a record of having asked these questions and received substantive answers is worth keeping.
- Review your MSP's incident notification process. If you had not heard about CVE-2026-0300 before reading this, your MSP's proactive communication process is not working as it should. The time to clarify what you should expect to be told, and when, is before the next critical advisory drops.
| Source | Article |
|---|---|
| Palo Alto Networks | CVE-2026-0300 Security Advisory |
| The Cyber Express | PAN-OS Flaw CVE-2026-0300 Exposes Firewalls to Remote Code Execution |
| TheCyberThrone | CVE-2026-0300: Critical PAN-OS Buffer Overflow Bug |
| NIST NVD | CVE-2026-40010: Apache Wicket Session Fixation Vulnerability |
| Apache Software Foundation | Apache Wicket Security Update: Upgrade to 10.9.0 |
| Security.NL | Palo Alto Networks firewalls hacked via new critical security flaw (original title: Firewalls Palo Alto Networks gehackt via nieuw kritiek beveiligingslek) |