Critical Zero-Day in Palo Alto PAN-OS Firewalls Under Active Mass Exploitation

Tuesday, March 31, 2026 at 06:00 PM UTC·Source: Palo Alto Networks PSIRT

Updated: Wednesday, April 1, 2026 at 08:00 AM UTC

Executive Summary

A critical unauthenticated RCE in PAN-OS GlobalProtect is being mass exploited. Over 25,000 devices vulnerable. CISA issues emergency directive.

Analysis

Palo Alto Networks has confirmed active exploitation of CVE-2026-0015, a critical command injection vulnerability in the GlobalProtect gateway. Unauthenticated attackers can execute arbitrary commands as root via crafted HTTPS requests. Volexity first observed exploitation on March 26 with rapid escalation. CISA issued Emergency Directive 26-02 requiring federal agencies to patch within 48 hours.

Timeline

Discovered

Mar 26, 2026

Exploitation Detected

Mar 26, 2026

Published

Mar 31, 2026

Patch Available

Mar 30, 2026

Indicators of Compromise (1)

CVE (1)

CVE-2026-0015

NVD MITRE CVE

Source Attribution

Originally published by Palo Alto Networks PSIRT on Mar 31, 2026. Verified by: CISA, Palo Alto Networks, Volexity.

Related Threats

LOWZero Day

EvilTokens abuses Microsoft device code flow for account takeovers

A new phishing-as-a-service (PhaaS) campaign is abusing Microsoft’s device code authentication flow to gain unauthorized access to user accounts. Sekoia researchers first spotted the toolkit “EvilTokens” that lets attackers capture authentication tokens by tricking users into completing a legitimate login process in Microsoft’s own environment. The activity, observed since at least mid-February, r

16h agoCSO Online

CRITICALZero Day

Cybersecurity in the age of instant software

AI is rapidly changing how software is written, deployed, and used. Trends point to a future where AIs can write custom software quickly and easily: “instant software.” Taken to an extreme, it might become easier for a user to have an AI write an application on demand — a spreadsheet, for example — and delete it when you’re done using it than to buy one commercially. Future systems could include a

20h agoCSO Online

CRITICALZero Day

Hackers exploit TrueConf zero-day to push malicious software updates

Hackers have targeted TrueConf conference servers in attacks that exploit a zero-day vulnerability, allowing them to execute arbitrary files on all connected endpoints. [...]

1d agoBleepingComputer