VYPR
kev · Published May 6, 2026 · Updated May 17, 2026 · 4 sources

Palo Alto Networks Confirms Active Exploitation of Critical PAN-OS Zero-Day (CVE-2026-0300)

Palo Alto Networks is addressing a critical, actively exploited zero-day vulnerability in its PAN-OS software that allows unauthenticated attackers to gain root-level remote code execution on firewall appliances.

Palo Alto Networks has confirmed that a critical zero-day vulnerability, tracked as CVE-2026-0300, is currently being exploited in the wild to target its firewall appliances. The flaw resides in the User-ID Authentication Portal—commonly referred to as the Captive Portal—of the company's PAN-OS software. By sending specially crafted packets to an exposed portal, an unauthenticated attacker can trigger a buffer overflow, ultimately achieving remote code execution (RCE) with root-level privileges on the affected device [Help Net Security, BleepingComputer].

The vulnerability affects PA-Series and VM-Series firewalls, with the severity of the risk depending on network configuration. The flaw carries a CVSS score of 9.3 when the portal is exposed to the public internet or untrusted networks, dropping to 8.7 if access is restricted to trusted internal IP addresses [The Hacker News]. While Palo Alto Networks has characterized the observed exploitation as "limited," the potential for widespread impact is significant; the internet-monitoring service Shadowserver has identified over 5,800 VM-Series firewalls currently exposed to the public internet, with the highest concentrations in Asia and North America [BleepingComputer].

Palo Alto Networks has confirmed that Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability [Help Net Security]. The vendor is currently working on patches, with the first wave of security updates scheduled for release on May 13, 2026, and a second set expected on May 28, 2026 [The Hacker News, SecurityWeek].

In the interim, the vendor strongly advises administrators to mitigate the risk by either disabling the User-ID Authentication Portal entirely—if it is not required for operations—or by restricting access to the portal to trusted internal zones only [BleepingComputer]. Following these standard security practices significantly reduces the attack surface for this vulnerability [Help Net Security].

Reflecting the urgency of the situation, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog. This mandate requires Federal Civilian Executive Branch (FCEB) agencies to implement the recommended mitigations or apply patches by May 9, 2026 [The Hacker News]. While the company has not officially attributed the attacks to a specific threat actor, reports suggest the activity is likely the work of sophisticated, potentially state-sponsored groups [Help Net Security, SecurityWeek].
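As an added example (not code from the advisory, from Palo Alto Networks, or from any of the cited outlets), the following Python triage helper applies the guidance above to a firewall inventory: products the vendor lists as not impacted are skipped, affected devices with the portal disabled need only the patch, devices whose portal listens on a zone outside a site-defined trusted set are flagged at the 9.3 tier, and restricted portals at 8.7, with the CISA KEV due date tracked alongside. The inventory format, device names and zone names are constructed assumptions.

```python
"""Triage helper for CVE-2026-0300 exposure across a firewall inventory.

Added example, not code from the advisory or from Palo Alto Networks.
The inventory format, device names and zone names are constructed
assumptions; the classification rules follow the vendor guidance
summarized above (affected product lines, non-impacted products,
the two CVSS tiers, and the CISA KEV due date).
"""
from dataclasses import dataclass
from datetime import date

# Product lines the advisory lists as affected and as not impacted.
AFFECTED_PRODUCTS = {"PA-Series", "VM-Series"}
NOT_IMPACTED_PRODUCTS = {"Prisma Access", "Cloud NGFW", "Panorama"}

# CISA KEV remediation due date for FCEB agencies.
KEV_DUE_DATE = date(2026, 5, 9)

# Zones this site treats as trusted (constructed; replace with your own).
TRUSTED_ZONES = frozenset({"trust", "internal", "mgmt"})

# Lower number = handle first.
_PRIORITY = {"exposed": 0, "restricted": 1, "portal_disabled": 2,
             "unknown_product": 3, "not_affected": 4}


@dataclass(frozen=True)
class Firewall:
    name: str
    product: str
    portal_enabled: bool   # User-ID Authentication (Captive) Portal switched on?
    portal_zones: tuple    # zones on which the portal listens (assumed field)


def classify(fw: Firewall, trusted=TRUSTED_ZONES) -> dict:
    """Map one device to a status, the applicable CVSS tier and an action."""
    verdict = {"name": fw.name, "status": None, "cvss": None, "action": None}
    if fw.product in NOT_IMPACTED_PRODUCTS:
        verdict.update(status="not_affected", action="none")
    elif fw.product not in AFFECTED_PRODUCTS:
        verdict.update(status="unknown_product",
                       action="confirm product line against the advisory")
    elif not fw.portal_enabled:
        verdict.update(status="portal_disabled",
                       action="apply vendor patch when released")
    else:
        # Any listening zone outside the trusted set puts the device in the 9.3 tier.
        exposed = sorted(z for z in fw.portal_zones if z not in trusted)
        if exposed:
            verdict.update(status="exposed", cvss=9.3,
                           action="restrict portal to trusted zones or disable it now; "
                                  "exposed zones: " + ", ".join(exposed))
        else:
            verdict.update(status="restricted", cvss=8.7,
                           action="keep portal restricted; apply vendor patch when released")
    return verdict


def triage(inventory, trusted=TRUSTED_ZONES) -> list:
    """Classify every device and return the verdicts, most urgent first."""
    verdicts = [classify(fw, trusted) for fw in inventory]
    return sorted(verdicts, key=lambda v: (_PRIORITY[v["status"]], v["name"]))


def kev_overdue(today: date) -> bool:
    """True once the CISA KEV due date for FCEB remediation has passed."""
    return today > KEV_DUE_DATE


# Constructed sample inventory.
SAMPLE_INVENTORY = (
    Firewall("edge-fw-1", "PA-Series", True, ("untrust", "trust")),
    Firewall("vm-fw-2", "VM-Series", True, ("trust",)),
    Firewall("vm-fw-3", "VM-Series", False, ()),
    Firewall("panorama-1", "Panorama", True, ("mgmt",)),
)

if __name__ == "__main__":
    for v in triage(SAMPLE_INVENTORY):
        tier = f"CVSS {v['cvss']}" if v["cvss"] else "n/a"
        print(f"{v['name']:<12} {v['status']:<16} {tier:<9} {v['action']}")
    if kev_overdue(date.today()):
        print("KEV due date has passed; report any devices still exposed.")
```

Run against a real inventory, the sorted output puts devices with the portal reachable from an untrusted zone at the top, which is the set to fix first by restricting or disabling the portal; the remaining affected devices simply queue for the May 13 and May 28 patch waves.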

This incident continues a trend of high-profile security challenges for Palo Alto Networks, which serves a vast customer base including 90% of Fortune 10 companies. The frequent targeting of PAN-OS appliances—often through chained zero-day exploits—highlights the critical role these devices play in enterprise security and the persistent interest they draw from advanced persistent threat actors seeking to establish initial access or maintain persistence within sensitive networks [BleepingComputer, SecurityWeek].

Synthesized by Vypr AI