Palo Alto Networks Patches Critical PAN-OS Zero-Day Used in Targeted Attacks
Palo Alto Networks has released emergency patches for a critical zero-day vulnerability (CVE-2026-0012) in PAN-OS, the operating system powering its next-generation firewalls and VPN appliances, that has been actively exploited by a suspected nation-state actor to breach government and defense networks.
The vulnerability exists in the GlobalProtect VPN portal and allows an unauthenticated remote attacker to execute arbitrary code with root privileges. Exploitation requires only a single specially crafted HTTPS request to the GlobalProtect interface.
Volexity, which discovered the attacks, observed the threat actor deploying a custom backdoor called "ShadowPAN" on compromised firewalls. The backdoor intercepts and copies all VPN authentication credentials while maintaining normal firewall operation, effectively providing the attacker with persistent access to the organization's VPN infrastructure.
Palo Alto Networks has released PAN-OS versions 10.2.11, 11.0.6, and 11.1.4 to address the vulnerability. As a temporary mitigation, organizations can disable the GlobalProtect portal if not required, or restrict access to trusted IP addresses.
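An added example, not from Palo Alto Networks or the original article: a Python triage of a firewall inventory against the fixed releases listed above. The hostnames and sample versions are constructed. It assumes later maintenance releases in a fixed train carry the fix, counts hotfix builds of an older maintenance release as unpatched, and reports release trains the article does not list as unknown.

```python
import re

# Fixed releases named in the article, keyed by (major, minor) release train.
FIXED = {(10, 2): (10, 2, 11), (11, 0): (11, 0, 6), (11, 1): (11, 1, 4)}

# PAN-OS version strings look like "10.2.9" or "10.2.9-h1" (hotfix suffix).
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix) or None if unparseable."""
    match = _VERSION.match(text.strip())
    if not match:
        return None
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def patch_status(version_text):
    """Classify one version string as 'patched', 'vulnerable' or 'unknown'."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "unknown"  # malformed input: needs a human to look
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return "unknown"  # train not covered by the article's fix list
    # Assumption: a hotfix of an older maintenance release is still unpatched.
    return "patched" if parsed[:3] >= fixed else "vulnerable"


def triage(inventory):
    """Map {hostname: version} to {status: sorted hostnames}."""
    report = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in inventory.items():
        report[patch_status(version)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "fw-edge-02": "10.2.9-h1",
    "fw-dc-01": "11.1.4-h2",
    "fw-dc-02": "11.0.5",
    "fw-lab-01": "10.1.14",
    "fw-lab-02": "11.1.x",
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Hosts reported as unknown need a manual check against the vendor advisory, since the article names fixes for only three release trains.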
CISA has added CVE-2026-0012 to its Known Exploited Vulnerabilities catalog and issued an emergency directive requiring all federal agencies to patch or mitigate within 48 hours. This is the second critical PAN-OS zero-day in six months, following CVE-2025-0015, which was discovered in July 2025.