Palo Alto Networks warns of a critical zero-day flaw in its PAN-OS firewalls as attackers rapidly exploit new vulnerabilities, supply-chain malware spreads and API abuse increases, forcing a shift towards faster patch releases and proactive monitoring.
Palo Alto Networks has warned customers about a critical zero-day in its PAN-OS firewall software, saying attackers are already attempting to exploit it and that the flaw can give an unauthenticated intruder root-level code execution through the User-ID authentication portal. TechRadar reported that the issue, tracked as CVE-2026-0300, affects PA-Series and VM-Series appliances whose portal is reachable from the public internet or other untrusted networks, with about 5,800 exposed devices visible online, many in Asia and North America. Palo Alto said a fix is due to begin rolling out on 13 May; until then it is telling administrators to restrict portal access to trusted internal networks or to switch the service off altogether. Restricting the portal only helps if the restriction actually holds, so administrators should confirm from an untrusted vantage point that the portal no longer answers, and, because the vendor says exploitation attempts are already under way, review logs for activity against the portal from before it was locked down.
The timing matters because the gap between disclosure and exploitation is shrinking. The CyberHub Podcast framed the firewall issue as part of a broader shift in which defenders can no longer rely on patch windows measured in days or weeks, while other vendors are moving towards faster release cycles in response. Oracle, the podcast said, has shifted critical security updates from quarterly to monthly delivery, a sign that traditional maintenance schedules are increasingly out of step with how quickly attackers move.
That pressure is not confined to perimeter devices. Kaspersky said DAEMON Tools installers were trojanised in a supply-chain attack that used valid AVB Disc Soft digital signatures to help the malware blend in with legitimate software. The security firm said the compromised files have been circulating since 8 April and have reached several thousand devices across scores of countries. While most victims were home users, Kaspersky said some organisational systems were also affected, including a small number in government, scientific, manufacturing and retail environments. The signatures are the uncomfortable detail: a valid signature shows only that the publisher's key signed the file, not that the file is benign, so when the signing key or build pipeline is compromised every signature check passes and the trojanised installer looks like any other release. Signature validation remains necessary, but it is not sufficient on its own, and detection has to fall back on what the installer does once it runs.
The same theme is visible in the campaign around Instructure's Canvas platform. According to the CyberHub Podcast, attackers claimed to have taken 280 million records not by breaking a core security control but by abusing legitimate API functionality to pull data at scale. Because every individual request is authenticated, authorised and successful, that approach is harder to spot than a classic vulnerability exploit, and it underlines why monitoring for unusual access patterns has become as important as patching software.
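To make the detection point concrete, here is an added example (not code from the report, from Instructure or from any source cited on this page) of a small Python detector that flags API principals whose otherwise successful requests look like bulk collection: a burst of calls in a short window, an unusually large number of distinct objects, or sequentially increasing object ids. The log format, the `/api/v1/<collection>/<id>` path shape, the token names and the thresholds are all assumptions made for the example, and the log lines are constructed, not captured from any real system.

```python
"""Flag API callers whose successful, authorised requests look like bulk collection.

Added example with an assumed log format; the log lines below are constructed.
Each line: <ISO timestamp>Z <principal> <method> <path> <status>
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<principal>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# Assumed REST shape: /api/v1/<collection>/<numeric object id>
OBJECT_RE = re.compile(r"^/api/v1/(?P<collection>[a-z_]+)/(?P<oid>\d+)$")

# Constructed sample log (assumption: not real Canvas traffic).
# tok_A walks user ids 1001..1008 in 35 seconds; tok_D fetches seven unrelated
# courses two minutes apart, slow enough to slip under any per-minute rate limit.
SAMPLE_LOG = """\
2026-05-11T09:00:00Z tok_A GET /api/v1/users/1001 200
2026-05-11T09:00:05Z tok_A GET /api/v1/users/1002 200
2026-05-11T09:00:10Z tok_A GET /api/v1/users/1003 200
2026-05-11T09:00:15Z tok_A GET /api/v1/users/1004 200
2026-05-11T09:00:20Z tok_A GET /api/v1/users/1005 200
2026-05-11T09:00:25Z tok_A GET /api/v1/users/1006 200
2026-05-11T09:00:30Z tok_A GET /api/v1/users/1007 200
2026-05-11T09:00:35Z tok_A GET /api/v1/users/1008 200
2026-05-11T09:05:00Z tok_B GET /api/v1/courses/42 200
2026-05-11T09:12:30Z tok_B GET /api/v1/users/7 200
2026-05-11T09:20:00Z tok_B GET /api/v1/courses/42 200
2026-05-11T09:30:00Z tok_C GET /api/v1/users/5 200
2026-05-11T09:30:04Z tok_C GET /api/v1/users/5 200
2026-05-11T09:30:09Z tok_C GET /api/v1/users/5 200
this line is malformed and is skipped by the parser
2026-05-11T09:40:00Z tok_D GET /api/v1/courses/10 200
2026-05-11T09:42:00Z tok_D GET /api/v1/courses/25 200
2026-05-11T09:44:00Z tok_D GET /api/v1/courses/3 200
2026-05-11T09:46:00Z tok_D GET /api/v1/courses/88 200
2026-05-11T09:48:00Z tok_D GET /api/v1/courses/41 200
2026-05-11T09:50:00Z tok_D GET /api/v1/courses/57 200
2026-05-11T09:52:00Z tok_D GET /api/v1/courses/19 200
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["status"] = int(rec["status"])
    om = OBJECT_RE.match(rec["path"])
    rec["collection"] = om.group("collection") if om else None
    rec["oid"] = int(om.group("oid")) if om else None
    return rec


def max_requests_in_window(timestamps, window):
    """Largest number of requests that fall inside any window of the given length."""
    timestamps = sorted(timestamps)
    best, lo = 0, 0
    for hi, t in enumerate(timestamps):
        while t - timestamps[lo] > window:   # slide the window's left edge forward
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def looks_sequential(oids, min_run):
    """True if at least min_run object ids, in request order, each equal the previous id + 1."""
    run = 1
    for a, b in zip(oids, oids[1:]):
        run = run + 1 if b == a + 1 else 1
        if run >= min_run:
            return True
    return False


def find_bulk_access(lines, window=timedelta(seconds=60), max_requests=5,
                     max_distinct=5, min_run=5):
    """Return {principal: [reasons]} for callers whose successful reads look like scraping.

    Thresholds are illustrative assumptions; tune them against each deployment's baseline.
    """
    by_principal = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        # Only successful reads count here: the point is that nothing was denied.
        if rec and rec["status"] == 200:
            by_principal[rec["principal"]].append(rec)

    findings = {}
    for principal, recs in by_principal.items():
        recs.sort(key=lambda r: r["ts"])
        reasons = []
        burst = max_requests_in_window([r["ts"] for r in recs], window)
        if burst > max_requests:
            reasons.append(f"burst: {burst} successful requests in {int(window.total_seconds())}s")
        per_collection = defaultdict(list)
        for r in recs:
            if r["oid"] is not None:
                per_collection[r["collection"]].append(r["oid"])
        for coll, oids in per_collection.items():
            distinct = len(set(oids))
            if distinct > max_distinct:
                reasons.append(f"volume: {distinct} distinct {coll} objects")
            if looks_sequential(oids, min_run):
                reasons.append(f"enumeration: sequential {coll} ids")
        if reasons:
            findings[principal] = reasons
    return findings


if __name__ == "__main__":
    for principal, reasons in find_bulk_access(SAMPLE_LOG).items():
        print(principal, "->", "; ".join(reasons))
```

On the constructed sample, tok_A trips all three checks while tok_D trips only the distinct-object count: it never exceeds the per-minute rate, which is exactly why a rate limit alone is a weak control against patient collection. In practice the thresholds must come from each principal's own history rather than fixed numbers, and legitimate integrations that enumerate by design (roster or grade synchronisation, for instance) need an allow-list or a separate baseline, or the detector drowns in expected noise.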
Researchers also highlighted a separate operation involving Iran-linked MuddyWater, which the podcast described as a false-flag effort that used ransomware as cover for credential theft and data exfiltration. The broader lesson, echoed across the day’s reporting, is that attackers are increasingly blending technical compromise with deception, trust abuse and operational disruption. Against that backdrop, the FTC’s ban on data broker Kochava for selling precise location data without explicit consent points to a parallel tightening of privacy enforcement, while the industry’s move towards more dynamic cyber insurance underwriting suggests security posture is becoming a direct business cost.
Source Reference Map
Inspired by headline at: [1]
Source: Fuse Wire Services