Critical Cisco Secure Email Gateway and PAN-OS Flaws Expose Perimeter Devices
Cisco disclosed a critical vulnerability in Secure Email Gateway appliances running affected AsyncOS versions when inbound mail rules use File Analysis (Cisco AMP) or Content Filter features and the bundled Content Scanner Tools are older than 23.3.0.4823. Successful exploitation can let an attacker overwrite files at the operating-system level, enabling root-level account creation, configuration changes, arbitrary code execution, and denial of service. Cisco released software updates and said no alternative mitigations are available.
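As an added triage example (not Cisco's or Mallory's code), the affected condition stated above, Content Scanner Tools older than 23.3.0.4823 together with File Analysis or Content Filters on inbound mail, expressed as an inventory check; the inventory format and appliance names are assumptions constructed for the example.

```python
"""Triage helper for the Cisco Secure Email Gateway advisory summarized above.

An appliance is flagged when its bundled Content Scanner Tools build is older
than 23.3.0.4823 AND an inbound mail policy uses File Analysis (AMP) or
Content Filters. The inventory layout is an assumption for this example; the
threshold version is the one the advisory names.
"""
from dataclasses import dataclass

FIXED_CONTENT_SCANNER_TOOLS = "23.3.0.4823"  # first non-vulnerable build per the advisory


def parse_version(v: str) -> tuple:
    """Turn '23.3.0.4823' into (23, 3, 0, 4823) for tuple comparison.
    Shorter builds are padded with zeros ('23.3' == '23.3.0.0'); a
    non-numeric component sorts below any number."""
    parts = [int(p) if p.isdigit() else -1 for p in v.strip().split(".")]
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


@dataclass
class Appliance:
    name: str
    content_scanner_tools: str
    inbound_file_analysis: bool = False
    inbound_content_filter: bool = False


def is_exposed(a: Appliance) -> bool:
    """Both conditions from the advisory must hold for the appliance to be exposed."""
    old_scanner = parse_version(a.content_scanner_tools) < parse_version(FIXED_CONTENT_SCANNER_TOOLS)
    risky_feature = a.inbound_file_analysis or a.inbound_content_filter
    return old_scanner and risky_feature


def triage(inventory) -> list:
    """Return the names of exposed appliances, sorted for stable reporting."""
    return sorted(a.name for a in inventory if is_exposed(a))


# Constructed sample inventory (hypothetical hosts, not real systems).
SAMPLE_INVENTORY = [
    Appliance("seg-dc1", "23.3.0.4822", inbound_file_analysis=True),   # old build + AMP
    Appliance("seg-dc2", "23.3.0.4823", inbound_file_analysis=True),   # fixed build
    Appliance("seg-lab", "22.9.1.100"),                                # old build, no risky feature
    Appliance("seg-eu1", "23.2.9.9000", inbound_content_filter=True),  # old build + content filter
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: apply the Cisco update (vendor lists no alternative mitigation)")
```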
Palo Alto Networks also issued fixes for a serious PAN-OS management interface flaw that allows an unauthenticated attacker to execute certain PHP scripts and affect the integrity and confidentiality of the firewall, though the vendor said it does not permit arbitrary remote code execution. Exploitation attempts have already been observed and proof-of-concept code is public, increasing urgency for exposed management interfaces. Palo Alto said Cloud NGFW and Prisma Access are not affected, while PAN-OS 11.0 is out of support and will not receive a patch.
Timeline
Feb 14, 2025
Exploitation and PoC reported for PAN-OS vulnerability
By the time of disclosure, exploitation attempts against the PAN-OS vulnerability had already been observed and proof-of-concept code had been published. Organizations were urged to update immediately and apply Palo Alto's mitigation guidance.
Feb 14, 2025
Palo Alto releases PAN-OS updates for management interface flaw
Palo Alto Networks released security updates for a serious PAN-OS vulnerability affecting firewall management interfaces. The flaw allows an unauthenticated attacker to execute certain PHP scripts and could impact the integrity and confidentiality of PAN-OS; PAN-OS 11.0 is out of support and will not receive a fix.
Jul 18, 2024
Cisco fixes critical Secure Email Gateway file overwrite flaw
Cisco released a software update for a critical vulnerability in Cisco Secure Email Gateway affecting vulnerable Cisco AsyncOS deployments with specific email-processing features enabled and outdated Content Scanner Tools. Successful exploitation could allow arbitrary file overwrite, root-level user creation, configuration changes, code execution, or denial of service.
Related Stories

Active Exploitation of PAN-OS Captive Portal Flaw Gives Attackers Root on Firewalls
Palo Alto Networks disclosed **CVE-2026-0300**, a critical buffer overflow in the PAN-OS **User-ID Authentication Portal** (also called the Captive Portal) that is being exploited in the wild to achieve unauthenticated remote code execution with **root privileges**. The flaw is an out-of-bounds write triggered by specially crafted packets and affects exposed **PA-Series** and **VM-Series** firewalls running multiple PAN-OS 10.2, 11.1, 11.2, and 12.1 versions. Palo Alto assigned the issue a **CVSS 9.3** when the portal is reachable from the public internet or other untrusted networks, and **8.7** when access is limited to trusted internal IP addresses. The company said observed attacks have focused on Authentication Portal instances exposed to untrusted IP addresses, while **Prisma Access**, **Cloud NGFW**, and **Panorama** are not affected. At disclosure, fixes were not yet broadly available, with patch releases scheduled to begin in mid-May and continue through late May 2026. Palo Alto urged customers to immediately restrict portal access to trusted zones or internal IPs, or disable the Authentication Portal if it is not required, and said a **Threat Prevention Signature** for PAN-OS 11.1 and later was released as an added mitigation layer.
Today
Palo Alto PAN-OS Vulnerabilities Including ADNS DoS (CVE-2026-0229)
Palo Alto Networks published fixes for multiple **PAN-OS** vulnerabilities affecting supported releases (including PAN-OS 12.1, 11.2, 11.1, and 10.2) and related services such as *Prisma Access* and *Prisma Browser*. The Canadian Centre for Cyber Security amplified the vendor guidance, pointing organizations to apply updates and mitigations for PAN-OS and Prisma products, including **CVE-2026-0228** and **CVE-2026-0229**, and a separate Chromium monthly update advisory referenced by Palo Alto. **CVE-2026-0229** is a network-reachable denial-of-service condition in PAN-OS’s **Advanced DNS Security (ADNS)** feature that can allow an unauthenticated attacker to trigger system reboots with a maliciously crafted packet; repeated triggering can push a firewall into maintenance mode, creating a high availability impact. Exposure requires ADNS to be enabled and a spyware profile action set to `block`, `sinkhole`, or `alert` (i.e., not `allow`); Palo Alto stated *Cloud NGFW* and *Prisma Access* are not impacted by this specific issue and reported no known exploitation. **CVE-2026-0228** involves improper certificate validation that can allow Windows Terminal Server Agents to connect using expired certificates under certain configurations, with no workaround noted by the vendor; affected organizations are advised to upgrade to fixed PAN-OS versions per Palo Alto’s guidance.
1 month ago
Palo Alto Networks PAN-OS GlobalProtect DoS Vulnerability (CVE-2026-0227)
Palo Alto Networks released fixes for **CVE-2026-0227**, a high-severity denial-of-service vulnerability in **PAN-OS** that can be triggered by an **unauthenticated** attacker when the **GlobalProtect gateway or portal** is enabled on affected next-generation firewall and *Prisma Access* configurations. Repeated exploitation attempts can force impacted firewalls into **maintenance mode**, effectively disabling protections and causing service disruption; Palo Alto Networks stated there are **no workarounds** and advised upgrading to patched releases. Reporting indicates a **proof-of-concept (PoC)** exploit exists, although Palo Alto Networks said it had **no evidence of in-the-wild exploitation** at the time of advisory publication. Exposure risk remains material given the large number of internet-facing Palo Alto Networks firewalls observed online (with Shadowserver tracking roughly **6,000** exposed devices) and ongoing scanning activity historically targeting exposed GlobalProtect endpoints; administrators should prioritize patching across affected PAN-OS and Prisma Access versions and validate whether GlobalProtect is enabled on externally reachable interfaces.
1 month ago