Palo Alto Networks prepares patches for critical PAN-OS firewall zero-day


US cybersecurity giant Palo Alto Networks is preparing patches for a critical zero-day vulnerability affecting its PAN-OS firewalls. The attack is suspected to be linked to China.

On May 6th, Palo Alto Networks disclosed a buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal), described as a critical flaw, with a severity rating of 9.3 out of 10. The company’s Prisma Access, Cloud NGFW, and Panorama appliances are not affected.

The vulnerability, tracked as CVE-2026-0300, allows attackers to execute arbitrary code with root privileges. The flaw affects only PA-Series and VM-Series firewalls.


After exploitation, the attackers used publicly available tunneling tools (EarthWorm, ReverseSocks5) to relay traffic through the compromised networks, and used login credentials likely harvested from the firewall to collect information from Active Directory, Microsoft's identity and access management service for Windows networks. They then deleted logs and other evidence of the compromise.

Palo Alto Networks said it is aware of “only limited exploitation of CVE-2026-0300 at this time”. Its security team believes the attacks are likely state-sponsored.


Customers are affected only if both of the following are true: the User-ID Authentication Portal is enabled, and the firewall is configured to serve response pages on an L3 interface that untrusted traffic can reach.

The company adds that, pending a patch, the risk can be greatly reduced by restricting access to the User-ID™ Authentication Portal to trusted internal IP addresses only.
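The two conditions above reduce to one practical question: can an untrusted network reach the portal listener at all? The script below is an added example, not code from Palo Alto Networks or from this article. It probes a firewall address from whatever vantage point it is run on and turns the result into a triage verdict. It assumes the Authentication Portal's documented PAN-OS listeners (TCP 6080 for NTLM authentication, 6081 for transparent mode, 6082 for redirect mode); verify those against the PAN-OS release in use, since any port reachable from outside the trusted range is the exposure the vendor's interim mitigation is meant to close.

```python
"""Exposure triage for a PAN-OS User-ID Authentication Portal (Captive Portal).

Added example, not vendor code. Assumption: the portal listens on the
PAN-OS documented ports below. Run it from an UNTRUSTED vantage point
(e.g. the internet side) to check whether the interim mitigation of
restricting the portal to trusted internal IPs is actually in effect.
"""
import socket
import sys
from typing import Iterable

# Assumed PAN-OS Authentication Portal listeners (check your release notes).
PORTAL_PORTS = {
    6080: "NTLM authentication",
    6081: "transparent mode",
    6082: "redirect mode",
}


def probe(host: str, ports: Iterable[int] = tuple(PORTAL_PORTS),
          timeout: float = 2.0) -> set[int]:
    """Return the subset of `ports` that accept a TCP connection from here.

    A completed handshake is enough: the advisory's exposure condition is
    reachability of the portal, not a successful login.
    """
    reachable: set[int] = set()
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                reachable.add(port)
        except OSError:
            # refused, filtered or timed out: not reachable from this vantage
            pass
    return reachable


def classify(open_ports: set[int], vantage_trusted: bool) -> str:
    """Map probe results plus the vantage point to a triage verdict.

    vantage_trusted=True means the probe ran from an IP range the firewall
    is *supposed* to allow, so reachability there is expected and benign.
    """
    hits = sorted(p for p in open_ports if p in PORTAL_PORTS)
    if not hits:
        return "not-reachable"
    if vantage_trusted:
        return "reachable-from-trusted"
    detail = ", ".join(f"{p} ({PORTAL_PORTS[p]})" for p in hits)
    return f"EXPOSED: portal reachable from untrusted vantage on {detail}"


def main(argv: list[str]) -> int:
    if len(argv) < 2:
        print(f"usage: {argv[0]} <firewall-ip> [--trusted]", file=sys.stderr)
        return 2
    host = argv[1]
    trusted = "--trusted" in argv[2:]
    verdict = classify(probe(host), trusted)
    print(f"{host}: {verdict}")
    return 1 if verdict.startswith("EXPOSED") else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero on an EXPOSED verdict so the check can sit in a scheduled job and alert until the portal is locked down or patched. Run it once from inside the trusted range with `--trusted` to confirm the portal still works for legitimate clients after the access restriction is applied.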

Although the attackers behind the activity have not been publicly identified, Palo Alto Networks attributes it to a "likely state-sponsored" threat cluster it tracks as CL-STA-1132.

The first round of patches is expected to be released on May 13th, with a second round of fixes estimated for May 28th, according to Security Week.
