top of page

Palo Alto PAN-OS Zero-Day Vulnerability Under Active Exploitation

  • May 6
  • 2 min read

Key Findings


  • Critical buffer overflow vulnerability CVE-2026-0300 in Palo Alto Networks PAN-OS is actively being exploited in the wild with limited confirmed attacks

  • Flaw affects authentication portals on PA-Series and VM-Series firewalls, allowing unauthenticated attackers to execute code with root privileges

  • CVSS score of 9.3 with low attack complexity means the vulnerability is easily exploitable and automatable for mass campaigns

  • More than 5,800 publicly exposed VM-Series firewalls identified by Shadowserver as of the advisory date

  • Palo Alto Networks has not yet released patches but promised initial fixes by May 13

  • Cloud NGFW and Panorama appliances are not impacted by this vulnerability


Background


Palo Alto Networks disclosed the critical vulnerability on Tuesday through an official advisory after confirming active exploitation. The Cybersecurity and Infrastructure Security Agency quickly added CVE-2026-0300 to its known exploited vulnerabilities catalog the following day. The memory corruption flaw specifically impacts the User-ID Authentication Portal, commonly known as the Captive Portal, which is used for user authentication on firewall systems. The company confirmed that attackers are targeting firewall instances exposed to the public internet or untrusted networks rather than those restricted to internal IP addresses.


The Vulnerability Details


CVE-2026-0300 is a buffer overflow vulnerability that allows unauthenticated attackers to send specially crafted packets to vulnerable authentication portals. The flaw enables out-of-bounds memory writes that ultimately grant full root-level access to affected firewalls. The attack requires no credentials, no user interaction, and has minimal complexity, making it straightforward to automate and deploy at scale. The vulnerability carries a CVSS 4.0 score of 9.3 when firewalls are exposed to the public internet, with high impact across confidentiality, integrity, and availability.


Affected Systems and Scale


The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewall deployments. Shadowserver identified over 5,800 publicly exposed VM-Series firewalls running vulnerable PAN-OS versions as of the advisory date. However, the actual at-risk population remains unclear since many exposed instances may have restricted authentication access to trusted internal IP addresses or disabled the feature entirely. Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this flaw, limiting the scope somewhat compared to what initial reports might suggest.


Current Exploitation and Threat Assessment


Palo Alto Networks confirmed that limited exploitation has already occurred, though the company has not disclosed the scope of attacks, targets, or objectives of confirmed threat actors. Security researchers expect exploitation to accelerate once patches become available and the broader security community develops public exploits. Caitlin Condon from VulnCheck noted that authentication portals have been frequent targets in both opportunistic and targeted campaigns, suggesting a likely uptick in attacks. Benjamin Harris, CEO of watchTowr, praised Palo Alto Networks for proactively alerting customers but acknowledged that the public advisory itself alerts potential attackers to the vulnerability's existence.


Mitigation and Timeline


Palo Alto Networks has provided mitigation guidance to customers and stated it will release the first software updates on May 13. The company did not attribute the attacks to any known threat group and has not published indicators of compromise. Researchers are actively hunting for malicious activity linked to the vulnerability while advising customers to apply patches immediately upon release. The lack of detailed attribution or compromise indicators makes it difficult for defenders to correlate potential attacks within their own environments before patches become available.


Sources


  • https://cyberscoop.com/palo-alto-networks-pan-os-firewall-zero-day-vulnerability-exploited/

  • https://www.cryptika.com/critical-palo-alto-firewalls-vulnerability-exploited-in-the-wild-to-gain-root-access/

  • https://www.securityweek.com/palo-alto-networks-to-patch-zero-day-exploited-to-hack-firewalls/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page