Live Threats
  • [STRUTS] Apache Struts zero-day (CVE-2026-3101) under mass exploitation — ransomware groups deploying web shells on Java web apps. Patch immediately.
  • [LAZARUS] North Korean Lazarus Group targets SMB defense contractors via fake LinkedIn recruiter profiles delivering trojanized job documents.
  • [DEEPFAKE] Deepfake CEO video call fraud stole $3.2M in a single transaction. AI voice and face synthesis now indistinguishable — targeting US SMBs.
  • [CHROME] CVE-2026-2356 Chrome zero-day actively exploited to deliver spyware. Update to 136.0.7103.92 immediately on all devices.
  • [HIPAA] HHS finalized major HIPAA Security Rule updates — mandatory encryption at rest, MFA, and annual pen testing effective December 31, 2026.
  • [CISA KEV] CISA added 15 new KEV entries this week — six are priority patches for internet-facing systems including Struts, Chrome, Cisco, Fortinet, Ivanti, and VMware.
Palo Alto PAN-OS CVE-2026-0984: Remote Code Execution Under Active Exploitation
BREACH | CRITICAL | CVE-2026-0984

Published April 10, 2026
5 min read
Source: Palo Alto Networks Unit 42
Affected Systems
  • PAN-OS 10.2.x
  • PAN-OS 11.0.x
  • PAN-OS 11.1.x
  • PAN-OS 11.2.x
Executive Summary

Palo Alto Networks confirmed active exploitation of CVE-2026-0984, a critical remote code execution vulnerability in PAN-OS management interfaces. Threat actors are using this to deploy backdoors and pivot into internal networks. CVSS score: 9.3.

What Happened

Palo Alto Networks Unit 42 confirmed on April 8, 2026 that CVE-2026-0984, a critical remote code execution vulnerability in PAN-OS, is being actively exploited in the wild. The vulnerability exists in the web-based management interface of Palo Alto Networks Next-Generation Firewalls and Panorama management servers. An unauthenticated attacker with network access to the management interface can exploit this vulnerability to execute arbitrary code with root privileges on the affected device.

Exploitation Activity

Unit 42 has observed multiple threat actor groups exploiting this vulnerability, including a suspected nation-state group and at least two ransomware affiliate operations. Attackers are using the vulnerability to deploy persistent backdoors that survive reboots and firmware updates, create hidden administrator accounts, and use the compromised firewall as a launching point for attacks against internal network resources. In several confirmed incidents, attackers used the compromised firewall to intercept VPN credentials and gain access to internal systems.

Remediation Steps

Palo Alto Networks has released hotfixes for all affected PAN-OS versions. Apply the hotfix immediately. If you cannot patch immediately, restrict access to the management interface to trusted IP addresses using Palo Alto's management interface access restrictions. Do not expose the management interface to the internet under any circumstances. After patching, review your administrator account list, check for unauthorized configuration changes, and review your logs for signs of prior exploitation. Palo Alto has published an Indicators of Compromise (IoC) list that you can use to check your logs.

Key Takeaways & Action Items
  • Apply Palo Alto's hotfix immediately — do not wait for your next maintenance window
  • Restrict management interface access to trusted IP addresses only
  • Check for unauthorized configuration changes and new administrator accounts
  • Review firewall logs for lateral movement indicators
  • Contact Segler.Net if you need emergency patching assistance
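One way to turn the post-patch checks above (is the management interface restricted to trusted IPs, and are there administrator accounts you did not create) into a repeatable audit, as an added example that is not code from Palo Alto Networks, Unit 42 or this advisory: it parses a PAN-OS running-config XML export and reports both conditions. The element paths are assumptions based on the usual PAN-OS configuration layout, and the embedded sample config is constructed for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export (not a real device config). The MGT permitted-ip
# list is empty, and a superuser "svc-backup" exists that is not in the baseline.
SAMPLE_CONFIG = """<config version="11.1.0">
  <mgt-config><users>
    <entry name="admin"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="svc-backup"><permissions><role-based><superuser>yes</superuser></role-based></permissions></entry>
    <entry name="auditor"><permissions><role-based><superreader>yes</superreader></role-based></permissions></entry>
  </users></mgt-config>
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <permitted-ip/>
  </system></deviceconfig></entry></devices>
</config>"""

# Element locations assumed from the usual PAN-OS running-config layout;
# verify them against an export from your own device before relying on this.
MGMT_ACL_PATH = "./devices/entry/deviceconfig/system/permitted-ip/entry"
ADMIN_USERS_PATH = "./mgt-config/users/entry"


def audit_config(config_xml: str, expected_admins: set[str]) -> dict:
    """Return findings for the two checks in the advisory's remediation steps."""
    root = ET.fromstring(config_xml)
    permitted = [e.get("name") for e in root.findall(MGMT_ACL_PATH)]
    superusers, unexpected = [], []
    for user in root.findall(ADMIN_USERS_PATH):
        name = user.get("name")
        if user.findtext("./permissions/role-based/superuser") == "yes":
            superusers.append(name)
        if name not in expected_admins:
            unexpected.append(name)
    return {
        # An empty permitted-ip list means any host that can reach the MGT
        # port can talk to the management interface.
        "mgmt_unrestricted": not permitted,
        "permitted_ips": permitted,
        "superusers": superusers,
        "unexpected_admins": unexpected,
    }


if __name__ == "__main__":
    findings = audit_config(SAMPLE_CONFIG, expected_admins={"admin", "auditor"})
    for key, value in findings.items():
        print(f"{key}: {value}")
```

Replace SAMPLE_CONFIG with a saved configuration export from the firewall or Panorama, and set expected_admins to the account list from your change records rather than from the device itself.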