Actively Exploited Zero-Day (CVE-2026-0300) in PAN-OS Allows RCE on Palo Alto Networks Firewalls
Palo Alto Networks Firewall Zero-Day Exploited in the Wild, CISA Orders Urgent Patch
Related Entities(initial)
Organizations
Products & Tech
CVE Identifiers
Full Report(when first published)
Executive Summary
Palo Alto Networks has confirmed a critical-severity zero-day vulnerability, CVE-2026-0300, in its PAN-OS software is being actively exploited in the wild. The flaw, a buffer overflow in the firewall's Captive Portal (User-ID Authentication Portal), allows an unauthenticated remote attacker to execute arbitrary code with root privileges. The vulnerability affects internet-facing PA-Series and VM-Series firewalls where the Captive Portal is enabled. Due to evidence of limited but active exploitation, likely by state-sponsored actors, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added it to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies apply mitigations by May 9, 2026. Patches are in development, and customers are urged to apply workarounds immediately.
Vulnerability Details
CVE-2026-0300 is a buffer overflow vulnerability. It can be triggered by sending specially crafted packets to the User-ID Authentication Portal, commonly known as the Captive Portal, which is used to identify users on the network. A successful exploit does not require any authentication and results in remote code execution (RCE) with the highest possible privileges (root) on the firewall appliance itself. Gaining control of a perimeter firewall is a catastrophic security failure, as it allows an attacker to monitor, modify, and redirect all network traffic, disable security policies, and pivot into the internal network.
Affected Systems
The vulnerability affects the following Palo Alto Networks products running PAN-OS with the Captive Portal feature enabled and exposed to the internet or untrusted networks:
- PA-Series (Hardware Firewalls)
- VM-Series (Virtual Firewalls)
Palo Alto Networks has confirmed that its Cloud NGFW, Panorama appliances, and Prisma Access products are not affected.
Exploitation Status
The vulnerability is under active, albeit limited, exploitation. This pattern of use typically suggests that a sophisticated threat actor, such as a nation-state group, is using the exploit for high-value targeted attacks rather than widespread, indiscriminate campaigns. CISA's inclusion of CVE-2026-0300 in the KEV catalog confirms the active threat and elevates the urgency for all organizations to take action.
Impact Assessment
The impact of exploiting CVE-2026-0300 is critical. An attacker with root access on a perimeter firewall effectively owns the network boundary. They can:
- Intercept and decrypt traffic.
- Bypass all firewall security policies.
- Gain a persistent foothold on a critical piece of network infrastructure.
- Launch attacks against the internal network from a trusted position.
- Install malware or backdoors on the firewall itself. This level of access could facilitate espionage, data exfiltration, or the deployment of ransomware across the entire organization.
Cyber Observables — Hunting Hints
The following patterns may help identify vulnerable or compromised systems:
url_pattern/sslvpn/portal.esplog_sourceauthd process), or the creation of unusual files in /tmp.network_traffic_patternprocess_nameauthd or other web-related services.authd service.Detection Methods
- Vulnerability Scanners: Use vulnerability management tools to scan for exposed Palo Alto Networks firewalls and check for the specific PAN-OS versions affected.
- Log Analysis: Ingest firewall traffic and system logs into a SIEM. Create rules to alert on anomalous traffic to the Captive Portal URL or any outbound connections originating from the firewall's management plane. D3FEND's
D3-NTA - Network Traffic Analysisis crucial for spotting exploit attempts and post-compromise C2 traffic. - Threat Hunting: Proactively hunt for the observables listed above. Check for any unexplained configuration changes, new local user accounts on the firewall, or unusual files on the filesystem.
Remediation Steps
- Apply Mitigations Immediately: Do not wait for the patch. Palo Alto Networks strongly advises customers to restrict access to the User-ID Authentication Portal. This can be done by applying an access control policy to the portal interface that only allows access from trusted, internal IP addresses. This breaks the remote attack chain.
- Disable Captive Portal if Unused: If the Captive Portal feature is not essential for business operations, disable it entirely to remove the attack surface.
- Apply Patches: Monitor Palo Alto Networks' security advisories and apply the forthcoming patches for CVE-2026-0300 on an emergency basis as soon as they are released (expected May 13 and May 28). This is the only permanent fix (
M1051 - Update Software). - Threat Hunt: After applying mitigations, hunt for any signs of prior compromise using the detection methods described above.
Timeline of Events
Article Updates
May 9, 2026
CISA's May 9 deadline for federal agencies to mitigate CVE-2026-0300 precedes the patch release by four days, creating a critical window of heightened exploitation risk.
Update Sources:
MITRE ATT&CK Mitigations
Update Software
Applying the vendor-supplied patch is the only permanent solution to remediate the vulnerability.
Restricting access to the vulnerable Captive Portal interface to only trusted internal networks is the most effective immediate mitigation.
If the Captive Portal feature is not in use, disabling it entirely removes the attack surface.
Filter Network Traffic
Proper network filtering and segmentation can limit an attacker's ability to reach the vulnerable interface from the internet.
D3FEND Defensive Countermeasures
The most critical and immediate defense against CVE-2026-0300 is to apply strict Inbound Traffic Filtering to the firewall's own management and service interfaces. The Captive Portal should never be exposed to the public internet. Administrators must configure an access control policy on the firewall itself that explicitly denies all traffic to the Captive Portal interface from untrusted zones (like the internet) and only allows traffic from a tightly controlled set of internal, trusted IP addresses (e.g., a specific management subnet). This directly implements the vendor's primary mitigation advice. It breaks the attack chain by preventing the unauthenticated remote attacker from ever reaching the vulnerable code path, effectively neutralizing the threat until a patch can be applied.
While mitigations are crucial for immediate protection, the only definitive long-term solution for CVE-2026-0300 is to apply the security patches provided by Palo Alto Networks. Organizations must establish an emergency patching process for critical, actively exploited vulnerabilities like this one. This involves subscribing to vendor security advisories, identifying all affected assets (PA-Series and VM-Series firewalls), and scheduling an urgent maintenance window to deploy the patched PAN-OS version. Given the CISA KEV directive, this should be treated with the highest priority. After patching, it is essential to verify that the update was successful and that the firewall is no longer vulnerable.
For detecting potential compromise before or after patching, Network Traffic Analysis is vital. Security teams should use a SIEM or network monitoring tool to analyze traffic logs to and from the firewall's service interfaces. Specifically, create alerts for any external IP addresses attempting to connect to the Captive Portal URL (/sslvpn/portal.esp). Furthermore, monitor for any outbound connections originating from the firewall's management IP address to unknown external destinations. A firewall's management plane should have almost no reason to initiate outbound connections; such activity is a strong indicator of a post-compromise C2 beacon. This provides a crucial detective control to identify if the firewall has already been compromised.
Timeline of Events
Palo Alto Networks discloses the zero-day vulnerability CVE-2026-0300 and its active exploitation.
CISA adds CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog.
Deadline for U.S. federal agencies to apply mitigations for CVE-2026-0300.
Expected release date for the first set of patches from Palo Alto Networks.
Sources & References(when first published)
Article Author
Jason Gomes
• Cybersecurity PractitionerCybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.
Tags
📢 Share This Article
Help others stay informed about cybersecurity threats
🎯 MITRE ATT&CK Mapped
Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.
🧠 Enriched & Analyzed
Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.
🛡️ Actionable Guidance
Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.
🔗 STIX Visualizer
Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.
⚡ Sigma Generator
Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.