Palo Alto PAN-OS Zero-Day Vulnerability Under Active Exploitation
- May 6
- 2 min read
Key Findings
Critical buffer overflow vulnerability CVE-2026-0300 in Palo Alto Networks PAN-OS is actively being exploited in the wild with limited confirmed attacks
Flaw affects authentication portals on PA-Series and VM-Series firewalls, allowing unauthenticated attackers to execute code with root privileges
CVSS score of 9.3 with low attack complexity means the vulnerability is easily exploitable and automatable for mass campaigns
More than 5,800 publicly exposed VM-Series firewalls identified by Shadowserver as of the advisory date
Palo Alto Networks has not yet released patches but promised initial fixes by May 13
Cloud NGFW and Panorama appliances are not impacted by this vulnerability
Background
Palo Alto Networks disclosed the critical vulnerability on Tuesday through an official advisory after confirming active exploitation. The Cybersecurity and Infrastructure Security Agency quickly added CVE-2026-0300 to its known exploited vulnerabilities catalog the following day. The memory corruption flaw specifically impacts the User-ID Authentication Portal, commonly known as the Captive Portal, which is used for user authentication on firewall systems. The company confirmed that attackers are targeting firewall instances exposed to the public internet or untrusted networks rather than those restricted to internal IP addresses.
The Vulnerability Details
CVE-2026-0300 is a buffer overflow vulnerability that allows unauthenticated attackers to send specially crafted packets to vulnerable authentication portals. The flaw enables out-of-bounds memory writes that ultimately grant full root-level access to affected firewalls. The attack requires no credentials, no user interaction, and has minimal complexity, making it straightforward to automate and deploy at scale. The vulnerability carries a CVSS 4.0 score of 9.3 when firewalls are exposed to the public internet, with high impact across confidentiality, integrity, and availability.
Affected Systems and Scale
The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewall deployments. Shadowserver identified over 5,800 publicly exposed VM-Series firewalls running vulnerable PAN-OS versions as of the advisory date. However, the actual at-risk population remains unclear since many exposed instances may have restricted authentication access to trusted internal IP addresses or disabled the feature entirely. Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this flaw, limiting the scope somewhat compared to what initial reports might suggest.
Current Exploitation and Threat Assessment
Palo Alto Networks confirmed that limited exploitation has already occurred, though the company has not disclosed the scope of attacks, targets, or objectives of confirmed threat actors. Security researchers expect exploitation to accelerate once patches become available and the broader security community develops public exploits. Caitlin Condon from VulnCheck noted that authentication portals have been frequent targets in both opportunistic and targeted campaigns, suggesting a likely uptick in attacks. Benjamin Harris, CEO of watchTowr, praised Palo Alto Networks for proactively alerting customers but acknowledged that the public advisory itself alerts potential attackers to the vulnerability's existence.
Mitigation and Timeline
Palo Alto Networks has provided mitigation guidance to customers and stated it will release the first software updates on May 13. The company did not attribute the attacks to any known threat group and has not published indicators of compromise. Researchers are actively hunting for malicious activity linked to the vulnerability while advising customers to apply patches immediately upon release. The lack of detailed attribution or compromise indicators makes it difficult for defenders to correlate potential attacks within their own environments before patches become available.
Sources
https://cyberscoop.com/palo-alto-networks-pan-os-firewall-zero-day-vulnerability-exploited/
https://www.cryptika.com/critical-palo-alto-firewalls-vulnerability-exploited-in-the-wild-to-gain-root-access/
https://www.securityweek.com/palo-alto-networks-to-patch-zero-day-exploited-to-hack-firewalls/

Comments