Severity: CRITICAL | Source: CISA KEV Catalog | CVE-2026-0300

The Threat

On May 6, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog, confirming that this flaw is being actively exploited in the wild. The vulnerability is an out-of-bounds write flaw in Palo Alto Networks PAN-OS, the operating system powering Palo Alto's widely deployed next-generation firewalls and network security appliances.

An out-of-bounds write vulnerability allows an attacker to write data beyond the intended memory boundary of a program. In a firewall operating system, this translates directly to remote code execution, system crash, or full device takeover - without requiring legitimate credentials. Inclusion in CISA's KEV Catalog is not a theoretical warning. It means threat actors are using this exploit right now, against real targets.

Palo Alto Networks PAN-OS is deployed across enterprise networks, government data centers, financial institutions, and critical infrastructure providers globally - including across East Africa and the Horn of Africa region.

Impact Assessment for East African Organizations

Palo Alto firewalls are a common perimeter security choice for Kenyan banks, government ministries, telcos, and energy utilities - precisely because they are considered enterprise-grade. That same widespread adoption now creates concentrated risk. An exploited PAN-OS device does not just expose the firewall itself. It exposes everything behind it.

For financial institutions operating under Central Bank of Kenya (CBK) cybersecurity guidelines or Bank of Somalia directives, a perimeter firewall compromise is a reportable breach event. It can expose customer data, core banking API traffic, and inter-bank transaction flows. The reputational and regulatory consequences are severe.

For government agencies in Kenya, Ethiopia, Somalia, and Djibouti managing citizen data, immigration systems, or revenue authority platforms, a compromised perimeter device gives attackers persistent access deep into internal networks. Lateral movement from a PAN-OS device to a domain controller or database server is a well-documented post-exploitation path.

For power utilities and critical infrastructure operators in the region, the stakes are even higher. Operational technology (OT) networks often rely on perimeter firewalls as their primary isolation layer. A breach here can have physical consequences beyond data loss.

Immediate Actions - Do These Now

  • Audit your PAN-OS version immediately. Log in to your Palo Alto management console and confirm the exact PAN-OS version running on every firewall and Panorama instance. Compare against Palo Alto's official security advisory for CVE-2026-0300 to determine if you are running an affected version.
  • Apply the vendor patch without delay. Palo Alto Networks has released fixes for this vulnerability. Patching should be treated as an emergency change, not a scheduled maintenance item. Follow your change management process but compress timelines. Every hour unpatched is an open window.
  • Review firewall management access controls. Restrict access to your PAN-OS management interface to trusted IP addresses only. If management is exposed to the public internet - even behind a VPN - reassess that exposure immediately.
  • Check your threat logs for indicators of compromise. Look for unusual outbound connections, unexpected process activity, or configuration changes you did not authorize. If you do not have a Security Operations Center (SOC) monitoring these logs, escalate this task to your most senior security resource now.
  • Notify your incident response chain. If you are a regulated institution under CBK, the Capital Markets Authority (CMA), or equivalent regulators in Ethiopia or Somalia, brief your compliance team now. Proactive disclosure posture protects you. Reactive disclosure after a breach does not.
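The first three steps above (confirm the running version on every device, compare it with the vendor's fixed release, and check that management access is restricted) can be scripted across a fleet. The following is an added example written for this post; it is not DRONGO's or Palo Alto Networks' code. It parses the XML that PAN-OS returns for the operator command `show system info` (the `sw-version` element), compares the version with a per-release-train table of fixed versions, and checks that the management interface carries a `permitted-ip` allow list in the device configuration. The fixed versions in `FIXED_VERSIONS` are placeholders, because this page does not state them: fill them in from Palo Alto's advisory for CVE-2026-0300. The hostnames, sample XML and allow-list entries are constructed for the demonstration, and the `deviceconfig/system/permitted-ip/entry` path is assumed to match the exported configuration of your release.

```python
"""Fleet audit helper (added example, not DRONGO's or Palo Alto's code).

Inputs per firewall: the XML response to `show system info` and the exported
device configuration. Output: a list of findings for the remediation queue.
"""
import re
import xml.etree.ElementTree as ET

# PLACEHOLDER values: replace with the fixed releases listed in Palo Alto's
# advisory for CVE-2026-0300 (one entry per release train you operate).
FIXED_VERSIONS = {
    "10.2": "10.2.99",
    "11.1": "11.1.99",
    "11.2": "11.2.99",
}

# PAN-OS versions look like 11.1.4 or 11.1.4-h7 (maintenance release + hotfix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '11.1.4-h7' into (11, 1, 4, 7); a missing hotfix counts as 0."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str, fixed: dict = FIXED_VERSIONS) -> bool:
    """True if the running version is older than the fixed release for its train.

    A train that is not in the table is treated as affected: an unknown state
    should land on the remediation list, not silently pass.
    """
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in fixed:
        return True
    return parsed < parse_version(fixed[train])


def running_version(show_system_info_xml: str) -> str:
    """Extract <sw-version> from the `show system info` XML response."""
    root = ET.fromstring(show_system_info_xml)
    node = root.find("./result/system/sw-version")
    if node is None or not node.text:
        raise ValueError("no sw-version element in response")
    return node.text.strip()


def mgmt_permitted_ips(config_xml: str) -> list:
    """Return the management permitted-IP entries (assumed config path)."""
    root = ET.fromstring(config_xml)
    entries = root.findall(".//deviceconfig/system/permitted-ip/entry")
    return [e.get("name") for e in entries if e.get("name")]


def audit(host: str, sysinfo_xml: str, config_xml: str,
          fixed: dict = FIXED_VERSIONS) -> list:
    """Produce findings for one device: unpatched version, open management plane."""
    findings = []
    version = running_version(sysinfo_xml)
    if is_affected(version, fixed):
        findings.append(f"{host}: PAN-OS {version} is below the fixed release; patch now")
    if not mgmt_permitted_ips(config_xml):
        findings.append(f"{host}: management interface has no permitted-IP allow list")
    return findings


# Constructed sample data (hostnames, versions and subnets are invented).
SAMPLE_SYSINFO_EXPOSED = """<response status="success"><result><system>
  <hostname>fw-edge-01</hostname><sw-version>10.2.7</sw-version>
</system></result></response>"""
SAMPLE_CONFIG_OPEN = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system></system></deviceconfig></entry></devices></config>"""
SAMPLE_CONFIG_RESTRICTED = """<config><devices><entry name="localhost.localdomain">
  <deviceconfig><system><permitted-ip><entry name="10.20.0.0/24"/></permitted-ip>
  </system></deviceconfig></entry></devices></config>"""

if __name__ == "__main__":
    for line in audit("fw-edge-01", SAMPLE_SYSINFO_EXPOSED, SAMPLE_CONFIG_OPEN):
        print(line)
```

In production the two XML documents come from the device itself (the XML API's `type=op` call for `show system info`, and a configuration export), so the audit runs the same way against every firewall and Panorama instance without anyone logging in to each one by hand.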

DRONGO Recommendation

DRONGO's security team has direct experience assessing Palo Alto PAN-OS deployments across East African enterprise and government environments. If you are unsure whether your firewall fleet is exposed, we can perform an emergency vulnerability assessment and configuration review within 24 hours, giving you a clear, actionable remediation roadmap before attackers move first.

Is your organization protected? Request a free security assessment.