Tags: BREACH | CRITICAL | CVE-2026-0984

Palo Alto PAN-OS CVE-2026-0984: Remote Code Execution Under Active Exploitation

Published April 10, 2026
5 min read
Source: Palo Alto Networks Unit 42
Affected Systems
PAN-OS 10.2.x, PAN-OS 11.0.x, PAN-OS 11.1.x, PAN-OS 11.2.x
Executive Summary

Palo Alto Networks confirmed active exploitation of CVE-2026-0984, a critical remote code execution vulnerability in PAN-OS management interfaces. Threat actors are using it to deploy backdoors and pivot into internal networks. CVSS score: 9.3.

Vulnerability Overview

Palo Alto Networks Unit 42 confirmed on April 8, 2026 that CVE-2026-0984, a critical remote code execution vulnerability in PAN-OS, is being actively exploited in the wild. The vulnerability exists in the web-based management interface of Palo Alto Networks Next-Generation Firewalls and Panorama management servers. An unauthenticated attacker with network access to the management interface can exploit this vulnerability to execute arbitrary code with root privileges on the affected device.

Exploitation Activity

Unit 42 has observed multiple threat actor groups exploiting this vulnerability, including a suspected nation-state group and at least two ransomware affiliate operations. Attackers are using the vulnerability to deploy persistent backdoors that survive reboots and firmware updates, create hidden administrator accounts, and use the compromised firewall as a launching point for attacks against internal network resources. In several confirmed incidents, attackers used the compromised firewall to intercept VPN credentials and gain access to internal systems.

Remediation Steps

Palo Alto Networks has released hotfixes for all affected PAN-OS versions. Apply the hotfix immediately. If you cannot patch immediately, restrict access to the management interface to trusted IP addresses using Palo Alto's management interface access restrictions. Do not expose the management interface to the internet under any circumstances. After patching, review your administrator account list, check for unauthorized configuration changes, and review your logs for signs of prior exploitation. Palo Alto has published an Indicators of Compromise (IoC) list that you can use to check your logs.
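
Two of the post-patch checks above (is the management interface restricted to trusted addresses, and are there administrator accounts you did not create?) can be automated against an exported PAN-OS configuration. The script below is an added example, not code from Palo Alto Networks or this advisory; it assumes the XML layout of a PAN-OS config export (`deviceconfig/system/permitted-ip` and `mgt-config/users`), which you should confirm against your own export, and the sample config and approved-admin baseline are constructed for the example.

```python
# Added example (not from Palo Alto Networks or the advisory): audit an exported
# PAN-OS configuration for two remediation checks: (1) the management interface
# has a permitted-ip allow-list, (2) every administrator account is in a known
# baseline. ASSUMPTION: the XML paths used here follow the PAN-OS config export
# layout; verify them against your own export before relying on this.
import xml.etree.ElementTree as ET

# Constructed sample config: no permitted-ip entries and one unexpected admin.
SAMPLE_CONFIG = """<config>
  <mgt-config>
    <users>
      <entry name="admin"/>
      <entry name="soc-oncall"/>
      <entry name="svc_backup1"/>
    </users>
  </mgt-config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <permitted-ip/>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""

# Baseline of administrator accounts you expect to exist (assumption: kept in
# your asset inventory / change records, not on the firewall itself).
APPROVED_ADMINS = {"admin", "soc-oncall"}


def audit_config(xml_text, approved_admins=APPROVED_ADMINS):
    """Return permitted-ip list, admin list and a list of human-readable findings."""
    root = ET.fromstring(xml_text)
    findings = []
    permitted = [e.get("name")
                 for e in root.findall(".//deviceconfig/system/permitted-ip/entry")]
    if not permitted:
        findings.append("management interface has no permitted-ip restriction "
                        "(reachable from any source address)")
    admins = {e.get("name") for e in root.findall(".//mgt-config/users/entry")}
    for name in sorted(admins - approved_admins):
        findings.append(f"administrator '{name}' is not in the approved baseline")
    return {"permitted_ip": permitted, "admins": sorted(admins), "findings": findings}


if __name__ == "__main__":
    for line in audit_config(SAMPLE_CONFIG)["findings"]:
        print("FINDING:", line)
```

Run it against a real export and treat any unexpected account as a possible indicator of the hidden administrator accounts described above, to be cross-checked with the vendor IoC list.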

Key Takeaways & Action Items
  • Apply Palo Alto's hotfix immediately — do not wait
  • Restrict management interface access to trusted IP addresses only
  • Check for unauthorized configuration changes and new administrator accounts
  • Review firewall logs for lateral movement indicators
  • Contact Segler.Net if you need emergency patching assistance