The mechanics behind the headlines
CVE-2026-0300 gives an unauthenticated attacker root-level code execution on PAN-OS firewalls — no credentials, no interaction required. Here's how the Captive Portal became the entry point, what the attackers did next, and why owning the perimeter is a different category of problem.
Every connection your device makes starts with a DNS query. The answer to that query determines where you actually end up. Here is exactly how that system gets compromised — and why the fix has existed for twenty years without being deployed.
On January 22, 2026, nine lines were removed from a configuration file in Miami. Twenty-five minutes later, Cloudflare's engineers were manually reverting the change. Here is exactly what happened — and what it reveals about the protocol routing all global internet traffic.