A critical vulnerability in PAN-OS is already being actively exploited. Palo Alto Networks is working on patches, with the first round expected on May 13.
Palo Alto Networks is currently preparing patches for a critical zero-day vulnerability in PAN-OS that is already being actively used in attacks against the vendor’s firewalls. Tracked as CVE-2026-0300, the flaw is a buffer overflow in the User-ID Authentication Portal service (Captive Portal).
Root privileges without authentication
The vulnerability affects firewalls of the PA and VM series. Using specially crafted packets, unauthenticated remote attackers can execute arbitrary code with root privileges. For perimeter devices that are by definition exposed to the internet, this represents a worst-case scenario.
In a security advisory, the company confirms that attacks have already taken place. According to the vendor, “limited exploitation” has been observed targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet.
Palo Alto Networks has not disclosed any further details about the attacks. However, in the industry, phrases such as “limited exploitation” typically point to highly targeted attacks carried out by sophisticated actors, often state-sponsored groups.
Two rounds of patches planned
The first security updates are scheduled for release on May 13, with a second wave planned for May 28. Until then, administrators will have to rely on workarounds.
Palo Alto Networks notes that only devices with an actively configured User-ID Authentication Portal are vulnerable. Restricting access to the portal to trusted internal IP addresses significantly reduces the risk of exploitation. Cloud products such as Prisma Access and Cloud NGFW, along with the management solution Panorama, are not affected according to the vendor.
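The exposure criteria above can be applied to a device inventory until the patches arrive. The following is an added example, not code from Palo Alto Networks or the advisory; the inventory fields, device names and the list of trusted ranges are assumptions made for illustration.

```python
import ipaddress

# Assumption: address space your organisation treats as trusted and internal.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")]

# Per the article: PA and VM series are affected; Prisma Access,
# Cloud NGFW and Panorama are not.
AFFECTED_SERIES = {"PA", "VM"}

def untrusted_sources(allowed_cidrs):
    """Return permitted source ranges that are not fully inside TRUSTED."""
    # No recorded restriction is treated as "any source may connect".
    cidrs = allowed_cidrs or ["0.0.0.0/0", "::/0"]
    bad = []
    for cidr in cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED):
            bad.append(str(net))
    return bad

def triage(device):
    """Classify one inventory record using the criteria stated in the article."""
    if device["series"] not in AFFECTED_SERIES:
        return "not affected"
    if not device["auth_portal_enabled"]:
        return "portal not configured"
    bad = untrusted_sources(device.get("portal_allowed_sources"))
    return "exposed: " + ", ".join(bad) if bad else "restricted to trusted ranges"

# Constructed sample inventory (hypothetical names and fields).
INVENTORY = [
    {"name": "fw-edge-01", "series": "PA", "auth_portal_enabled": True,
     "portal_allowed_sources": ["0.0.0.0/0"]},
    {"name": "fw-branch-02", "series": "PA", "auth_portal_enabled": True,
     "portal_allowed_sources": ["10.20.0.0/16", "192.168.5.0/24"]},
    {"name": "fw-cloud-03", "series": "VM", "auth_portal_enabled": True,
     "portal_allowed_sources": ["10.0.0.0/8", "198.51.100.0/24"]},
    {"name": "fw-lab-04", "series": "VM", "auth_portal_enabled": False,
     "portal_allowed_sources": []},
    {"name": "panorama-01", "series": "Panorama", "auth_portal_enabled": False},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(f"{dev['name']:14} {triage(dev)}")
```

Checking containment against an explicit trusted list, rather than relying on a generic "private address" test, also flags a rule such as 10.0.0.0/7 that is wider than the internal range it was meant to cover.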
Firewalls as a prime target
Due to their widespread adoption in enterprises and government agencies, Palo Alto appliances have been a focus for attackers for years. In 2025, only two vulnerabilities in the company’s appliances were exploited in the wild, making it a comparatively quiet year. 2024 looked much grimmer: seven flaws were exploited in the wild, in some cases by state-sponsored hacking groups that used the firewalls as a backdoor.
The Known Exploited Vulnerabilities catalog maintained by the US cybersecurity agency CISA currently lists 13 vulnerabilities in Palo Alto products. CVE-2026-0300 has not yet been added. Given the confirmed active exploitation, however, its inclusion is likely only a matter of time.