Palo Alto Networks firewalls have been actively exploited for nearly a month due to a critical zero-day vulnerability, identified as CVE-2026-0300, in its PAN-OS firewall software. This flaw, a buffer overflow in the User-ID Authentication Portal (also known as Captive Portal) service, allows unauthenticated attackers to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls, posing a significant threat to network security.
The Critical Zero-Day Vulnerability: CVE-2026-0300
The vulnerability, tracked by Palo Alto Networks’ Unit 42 as CL-STA-1132, is a memory corruption flaw with a high CVSS rating of 9.3. It specifically targets the User-ID Authentication Portal, a feature designed to authenticate users whose identities aren’t automatically mapped by the firewall. Attackers can leverage specially crafted packets to achieve unauthenticated remote code execution (RCE) with root privileges. Post-exploitation activities observed include injecting shellcode into an nginx worker process, deploying tunneling tools like EarthWorm and ReverseSocks5, enumerating Active Directory, and systematically deleting logs to cover their tracks.
“The ability for unauthenticated attackers to gain root control over widely deployed firewalls represents a severe breach of trust and a direct gateway to an organization’s internal network.”
Exploitation attempts against PAN-OS devices commenced as early as April 9, 2026, with successful RCE achieved approximately a week later. Palo Alto Networks released a security advisory for CVE-2026-0300 on May 6, 2026. The initial round of patches is anticipated on May 13, 2026, with a subsequent round estimated for May 28, 2026.
Who and Where Affected by the Exploitation
Suspected state-sponsored hackers are believed to be behind the exploitation of this zero-day. The vulnerability impacts PA-Series hardware firewalls and VM-Series virtual firewalls where the User-ID Authentication Portal is enabled and exposed to untrusted IP addresses or the public internet. Fortunately, Prisma Access, Cloud NGFW, and Panorama appliances remain unaffected. Internet threat watchdog Shadowserver reported over 5,800 publicly exposed PAN-OS VM-series firewalls as of May 6, 2026, with a significant concentration in Asia (2,466) and North America (1,998).
Mitigating Risks to Palo Alto Networks Firewalls
Given the severe implications, immediate mitigation is crucial. Until full patches become available, Palo Alto Networks strongly advises restricting access to the User-ID Authentication Portal to trusted internal IP addresses only. If the portal is not essential for business operations, disabling it entirely is the safest course of action. A Threat Prevention signature (Threat IDs 95187, 95189, and 95191) was released on May 5, 2026, for PAN-OS 11.1 and newer versions, designed to help detect or block exploitation attempts. Organizations must act swiftly to protect their related Tech news and infrastructure from this ongoing threat.
The active exploitation of this zero-day allows attackers to gain complete, unauthenticated control of affected firewalls, effectively undermining network trust, enabling silent traffic monitoring, and exposing internal systems to broader compromise. The widespread adoption of Palo Alto firewalls by major enterprises and government organizations makes them prime targets for sophisticated threat actors, underscoring the urgency of applying the recommended mitigations and forthcoming patches to secure Palo Alto Networks firewalls against this critical vulnerability.




