Critical PAN-OS zero-day vulnerability exploited in the wild, with no patches available


Palo Alto Networks warns that its widely deployed firewalls are under attack with hackers exploiting a critical zero-day vulnerability. Unauthenticated attackers can achieve remote code execution with root privileges, and no patches are yet available.

Network defenders are warned to immediately secure Palo Alto Networks (PAN) firewalls running PAN-OS.

The critical vulnerability affects the captive portal, known as User-ID™ Authentication Portal. This is a user-facing login page that prompts for authentication before accessing the network. If attackers can reach this portal, they can send a malicious request and run arbitrary code with root privileges on the firewall without any credentials.


Limited exploitation has already been observed by PAN itself, which is working to release emergency fixes, starting from May 13th, 2026.

The severity rating for the flaw, tracked as CVE-2026-0300, is 9.3 out of 10, indicating that it is critical and should be mitigated with the highest priority.

While the patches are underway, PAN suggests using workarounds and mitigations detailed in the security advisory.


These include restricting the captive portal as much as possible – to only trusted zones – or disabling it completely if not required. Wherever network interfaces are exposed to the public internet or untrusted networks, this functionality should be disabled.

Rapid7, a cybersecurity company, warns that approximately 225,000 PAN-OS instances are exposed to the open internet, creating a significant attack surface.

The vulnerability affects PA-Series and VM-Series firewalls. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by it.

“An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges on the affected firewall. No authentication or user interaction is required,” the Rapid7 advisory reads.


Wiz security researchers explain that this bug is a buffer overflow vulnerability, meaning that malicious network packets can include more data than the firewall can handle, causing an out-of-bounds write condition – outside the allocated memory space.


Wiz data indicates that 7% of environments have publicly exposed PAN-OS instances. However, only a few dozen servers appear to expose ports used by the captive portal.

The US Cybersecurity and Infrastructure Security Agency (CISA) already added the bug to its Known Exploited Vulnerabilities catalog, giving federal agencies three more days, until May 9th, to secure the exposed systems.

“Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required,” CISA urges.

Implementing the proposed mitigations decreases the severity of the zero-day vulnerability to 8.7 out of 10, which is still a significant risk.

PAN researchers hint at nation-state threat actors

Unit 42, PAN's cyber threat intelligence team, suspects a “likely state-sponsored” threat cluster, tracked as CL-STA-1132, is behind the “limited exploitation” of the zero-day.

“The attackers successfully achieved RCE against the device and injected shellcode. Following the compromise, the attackers immediately conducted log cleanup to mitigate detection by clearing crash kernel messages, deleting nginx crash entries and nginx crash records, as well as removing crash core dump files,” the Unit 42 researchers said in a separate threat brief.
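The log cleanup Unit 42 describes (clearing kernel crash messages, nginx crash records and core dumps) is a tampering pattern a defender can catch by witnessing logs off-box. The following added example is not from Unit 42 or Palo Alto Networks; it keeps a small witness (line count plus a SHA-256 over the lines seen so far) for a forwarded log stream and classifies a later copy as intact, truncated or rewritten. The log lines are constructed for illustration and do not reproduce real PAN-OS output.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class LogWitness:
    """What an off-box collector remembers about a log at check time."""
    line_count: int
    prefix_sha256: str


def take_witness(lines):
    """Hash every line seen so far; stored away from the device itself."""
    h = hashlib.sha256()
    for line in lines:
        h.update(line.encode("utf-8"))
        h.update(b"\n")
    return LogWitness(line_count=len(lines), prefix_sha256=h.hexdigest())


def check_log(witness, lines):
    """Compare a fresh copy of the log against the earlier witness.

    Appends are normal and return "intact". A shorter file means lines were
    removed ("truncated"); a changed prefix means history was edited in
    place ("rewritten"). Both are worth an alert on a firewall.
    """
    if len(lines) < witness.line_count:
        return "truncated"
    head = take_witness(lines[: witness.line_count])
    if head.prefix_sha256 != witness.prefix_sha256:
        return "rewritten"
    return "intact"


# Constructed sample crash log (not real PAN-OS output).
BASELINE_LOG = [
    "2026-05-01T10:00:01 kernel: nginx[2143]: segfault at 0 ip 00007f3a rip 00007f3a",
    "2026-05-01T10:00:02 crash-handler: wrote core file /tmp/core.nginx.2143 (placeholder path)",
    "2026-05-01T10:00:05 nginx: worker process 2143 exited on signal 11",
]

# Normal operation: the device appended a line, nothing earlier changed.
APPENDED_LOG = BASELINE_LOG + [
    "2026-05-01T10:05:00 nginx: worker process 2200 started",
]

# Cleanup: the crash entries were deleted.
CLEANED_LOG = BASELINE_LOG[:1]

# Tampering: the segfault line was replaced with something innocuous.
EDITED_LOG = [
    "2026-05-01T10:00:01 kernel: nginx[2143]: worker started",
] + BASELINE_LOG[1:]


def classify_samples():
    """Run the witness against each constructed variant."""
    witness = take_witness(BASELINE_LOG)
    return {
        "appended": check_log(witness, APPENDED_LOG),
        "cleaned": check_log(witness, CLEANED_LOG),
        "edited": check_log(witness, EDITED_LOG),
    }


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name}: {verdict}")
```

The witness has to live somewhere the attacker cannot reach with root on the firewall, which is the reason to forward crash and system logs to a collector rather than trusting the device's own copy.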

On the compromised systems, the attackers deployed publicly available tunneling tools such as EarthWorm and ReverseSocks5. Attackers use these SOCKS5 tools to bypass firewalls and open outbound connections to attacker-controlled servers, giving them covert communication and control channels.



The attackers also mapped out the organization's network by enumerating Active Directory (listing users, devices, groups, and permissions). They also systematically destroyed logs and other evidence of compromise.

The report highlights that attackers work slowly over weeks, staying under “the behavioral thresholds of most automated alerting systems.”

To blend in, they abused legitimate user credentials and demonstrated “operational restraint” to stay undetected and maintain “long-term residency.”
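The point about staying under "behavioral thresholds" is really about window size: a rule that counts Active Directory lookups per hour never sees an actor who queries a handful of new objects each day for weeks. The example below is added here and is not taken from the Unit 42 report; it contrasts a short-window burst rule with a long-window rule that counts distinct objects touched per account over 30 days, over a constructed event set (timestamp, account, object queried) rather than any real directory log.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def hourly_burst_alerts(events, threshold=10):
    """Classic rule: more than `threshold` lookups by one account in one hour."""
    counts = defaultdict(int)
    for ts, user, _target in events:
        hour = ts.replace(minute=0, second=0, microsecond=0)
        counts[(user, hour)] += 1
    return sorted({user for (user, _hour), n in counts.items() if n > threshold})


def slow_enumeration_alerts(events, window_days=30, distinct_threshold=25):
    """Long-baseline rule: distinct directory objects queried per account
    across the trailing window, regardless of how spread out they are."""
    latest = max(ts for ts, _user, _target in events)
    cutoff = latest - timedelta(days=window_days)
    seen = defaultdict(set)
    for ts, user, target in events:
        if ts >= cutoff:
            seen[user].add(target)
    return sorted(user for user, targets in seen.items()
                  if len(targets) > distinct_threshold)


def build_sample_events():
    """Constructed events: a patient actor, a normal user, and a noisy admin."""
    start = datetime(2026, 4, 1, 9, 0)
    events = []
    # Patient actor on a service account: three new groups a day, hours apart,
    # for 20 days. Never more than one lookup in any hour.
    for day in range(20):
        for i in range(3):
            ts = start + timedelta(days=day, hours=3 * i)
            events.append((ts, "svc-backup", f"CN=Group{day * 3 + i}"))
    # Ordinary user: the same four objects, twice each, every morning.
    for day in range(20):
        for obj in ("CN=Alice", "CN=Finance", "CN=Printers", "CN=VPN-Users"):
            for rep in range(2):
                events.append((start + timedelta(days=day, minutes=rep), "alice", obj))
    # Helpdesk admin doing a one-off audit: 15 objects in a single hour.
    for i in range(15):
        events.append((start + timedelta(minutes=i), "helpdesk", f"CN=Host{i}"))
    return events


if __name__ == "__main__":
    evts = build_sample_events()
    print("hourly burst rule flags:", hourly_burst_alerts(evts))
    print("30-day distinct-object rule flags:", slow_enumeration_alerts(evts))
```

The burst rule fires on the helpdesk audit and stays silent on the service account that touched 60 distinct groups; the long-window rule does the reverse. In practice both run side by side, and the thresholds come from each environment's own baseline rather than the constants used here.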
