VYPR
Advisory · Published May 8, 2026 · Updated May 17, 2026 · 7 sources

Critical Unpatched Zero-Day Found in Palo Alto Networks PAN-OS

Palo Alto Networks has warned of a critical, unpatched zero-day vulnerability in its PAN-OS software that is currently being exploited in the wild to achieve remote code execution.

Palo Alto Networks has issued an urgent warning regarding a critical, unpatched zero-day vulnerability in its PAN-OS software, which is currently being actively exploited in the wild (SentinelOne Labs). The vulnerability, tracked as CVE-2026-0300, affects the PAN-OS User-ID Authentication Portal, also known as the Captive Portal (SentinelOne Labs).

The flaw is a buffer overflow vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges on affected systems (SentinelOne Labs). By targeting the authentication portal, attackers can bypass standard security controls to gain full control over the underlying appliance (SentinelOne Labs).

While specific details regarding the scale of the exploitation remain limited, the active nature of the attacks highlights a significant risk to organizations relying on Palo Alto Networks' infrastructure. Security teams are urged to monitor their environments for signs of unauthorized access or anomalous activity originating from their perimeter gateways.

As of the current reporting, no patch has been released to address this zero-day vulnerability (SentinelOne Labs). Organizations are advised to implement immediate mitigations, such as restricting access to the Captive Portal or disabling the affected service if it is not strictly required for business operations, until an official security update is provided by the vendor.

This incident occurs against a backdrop of increasing pressure on security operations centers (SOCs) to manage a rapidly expanding volume of vulnerabilities. With NIST recently scaling back its enrichment of the National Vulnerability Database (NVD), defenders are increasingly forced to rely on vendor-specific intelligence to prioritize and respond to critical threats like CVE-2026-0300 (Tenable Blog). The emergence of this zero-day underscores the ongoing challenge of securing perimeter infrastructure against sophisticated, unauthenticated remote code execution attacks.

Synthesized by Vypr AI