Nation-state actors have been exploiting a critical zero-day vulnerability, CVE-2026-0300, in Palo Alto's PAN-OS for nearly a month, gaining root access to exposed firewalls and concealing their activities by deleting logs and other evidence [1]. The attackers have used tunneling tools, such as EarthWorm and ReverseSocks5, to further compromise targeted networks, and have also used stolen credentials to probe Active Directory. Palo Alto Networks has acknowledged limited exploitation of this vulnerability, which has been attributed to suspected state-sponsored hackers. Exploitation of CVE-2026-0300 gives attackers unrestricted access to vulnerable firewalls, making it a high-priority issue for organizations using PAN-OS. For security practitioners, the exploitation status of CVE-2026-0300 determines whether this is a patch-now or monitor situation, and the case highlights the need for prompt patching and monitoring to prevent similar attacks.