Palo Alto Networks Warns of Actively Exploited High-Severity PAN-OS Vulnerability
Palo Alto Networks has issued an urgent warning that a high-severity vulnerability in its PAN-OS firewall operating system is being actively exploited in the wild, with hotfixes now available.

Palo Alto Networks has confirmed that a high-severity vulnerability in its PAN-OS software is under active exploitation, prompting the vendor to release emergency hotfixes and urge customers to apply them immediately. The flaw, which has not yet been assigned a CVE identifier in the public advisory, impacts multiple versions of the firewall operating system that underpins the company's next-generation firewalls. Palo Alto did not disclose the attack vector or attribute the exploitation to any specific threat actor, but the confirmation of in-the-wild activity raises the urgency for organizations running affected PAN-OS deployments.
The vulnerability affects several PAN-OS versions, though Palo Alto has not yet published a full list of impacted releases. The company has released hotfixes for the affected branches and is recommending that customers upgrade to patched versions as soon as possible. Given the active exploitation status, the vendor has also provided workarounds for those unable to immediately apply the hotfix, including configuration changes that can mitigate the risk until a full patch is deployed.
While technical details remain scarce, the advisory notes that the flaw can be exploited remotely, though it does not specify whether authentication is required. Security researchers are closely monitoring the situation, as the lack of a CVE ID and limited public information may slow defensive efforts. Palo Alto Networks has a history of high-severity PAN-OS vulnerabilities, including the critical CVE-2024-0012 and CVE-2024-0013 authentication bypass bugs that were exploited in early 2025, and the infamous CVE-2024-3400 command injection flaw that saw widespread exploitation in 2024.
The active exploitation of this latest PAN-OS bug comes at a time when firewall vulnerabilities are increasingly targeted by both ransomware groups and state-sponsored actors. Firewalls serve as critical network chokepoints, and a compromise can give attackers persistent access to internal networks, often bypassing other security controls. Palo Alto Networks' global customer base includes large enterprises, government agencies, and service providers, making any PAN-OS vulnerability a high-priority concern for the cybersecurity community.
CISA has not yet added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, but given the confirmation of active exploitation, inclusion is likely imminent. Organizations running Palo Alto firewalls should immediately check their PAN-OS version against the advisory and apply the hotfix or implement the recommended mitigations. The vendor has also advised customers to review their firewall logs for signs of compromise and to report any suspicious activity to Palo Alto's security response team.
This incident underscores the ongoing challenge of securing perimeter devices against zero-day and n-day exploitation. As threat actors weaponize vulnerabilities within hours or days of disclosure, the window for patching critical infrastructure continues to shrink. For now, Palo Alto customers have a clear directive: patch now, or risk being the next victim of an active exploitation campaign.