Palo Alto Networks is working on patches for a critical PAN-OS zero-day that has been exploited to hack some of the company’s firewall models.
Tracked as CVE-2026-0300, the vulnerability has been described as a buffer overflow affecting the User-ID Authentication Portal (Captive Portal) service of PAN-OS software.
The zero-day affects PA and VM series firewalls, allowing an unauthenticated attacker to execute malicious code with root privileges via specially crafted packets.
“Limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet,” Palo Alto Networks said in an advisory.
No other information has been shared about the attacks exploiting CVE-2026-0300, but limited exploitation typically indicates that a flaw has been leveraged in highly targeted attacks by sophisticated threat actors, often state-sponsored groups.
The vendor is aiming to release the first round of patches on May 13, with a second round of fixes estimated for May 28.
The cybersecurity giant noted that the flaw affects only PA and VM series firewalls configured to use the User-ID Authentication Portal. Limiting access to the portal to trusted internal IPs significantly reduces the risk of exploitation.
According to Palo Alto Networks, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by CVE-2026-0300.
Given their widespread adoption across major enterprises and government organizations, Palo Alto firewalls are prime targets for sophisticated threat actors.
While only two vulnerabilities in the company’s appliances were exploited in the wild in 2025, 2024 saw a significantly higher number, with seven exploited flaws, including by state-sponsored hackers.
CISA’s Known Exploited Vulnerabilities (KEV) catalog currently includes 13 Palo Alto product vulnerabilities, but CVE-2026-0300 has not yet been included.
UPDATE: Palo Alto Networks has provided the following statement to SecurityWeek:
Palo Alto Networks has released CVE-2026-0300 which identifies a security vulnerability affecting a specific service in certain versions of PAN-OS software. This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13, 2026.We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base.
UPDATE 2, May 8: Palo Alto Networks has shared some information on the exploitation of the zero-day. The company has not directly attributed the attack to a specific threat actor or country, but the evidence seems to point to China.
Related: Exploitation of ‘Copy Fail’ Linux Vulnerability Begins
Related: Over 40,000 Servers Compromised in Ongoing cPanel Exploitation
Related: MetInfo, Weaver E-cology Vulnerabilities in Attackers’ Crosshairs
