Palo Alto Networks Warns of Unpatched PAN-OS Zero-Day Vulnerability Under Active Attack

Critical Palo Alto Networks Zero-Day (CVE-2026-0300) Actively Exploited for RCE

Severity: CRITICAL
Published: May 6, 2026
Last updated: May 11, 2026
Topics: Vulnerability, Cyberattack, Threat Intelligence

Related Entities (initial)

Organizations

  • Cyber Security Agency of Singapore (CSA)
  • Palo Alto Networks

Products & Tech

  • PA-Series
  • PAN-OS
  • User-ID Authentication Portal
  • VM-Series

CVE Identifiers

  • CVE-2026-0300 (CRITICAL, CVSS 9.3 at initial publication)

Full Report (when first published)

Executive Summary

On May 6, 2026, Palo Alto Networks disclosed a critical zero-day vulnerability, CVE-2026-0300, in its PAN-OS software. The vulnerability is an unauthenticated buffer overflow in the User-ID™ Authentication Portal, also known as the Captive Portal. It has been assigned a CVSS score of 9.3 and allows for remote code execution (RCE) with root privileges. The company has confirmed active, albeit limited, exploitation of this flaw in the wild, primarily targeting internet-facing portals. Patches are currently unavailable, with fixes scheduled for release in waves starting mid-May 2026. Immediate mitigation by restricting network access to the User-ID Authentication Portal is strongly recommended for all affected customers.


Vulnerability Details

The vulnerability, CVE-2026-0300, is a buffer overflow in the User-ID Authentication Portal component of PAN-OS. This portal authenticates users whose identity the firewall cannot determine automatically (for example from User-ID agents or directory mappings). An unauthenticated attacker who can reach the portal over the network can exploit the flaw by sending a specially crafted packet to a vulnerable device; no credentials and no user interaction are required. Successful exploitation allows arbitrary code execution with the highest possible privileges (root) on the firewall appliance.

The exploitability of this vulnerability is considered high, as it requires no authentication and can be triggered by a remote attacker. Palo Alto Networks notes that the exploit is automatable, increasing the risk of widespread attacks.

The attack vector is the User-ID Authentication Portal service. The risk is highest when this portal is exposed to the internet or other untrusted networks. The CVSS 9.3 rating reflects this worst-case scenario.

Affected Systems

The vulnerability impacts multiple versions of PAN-OS software running on PA-Series (hardware) and VM-Series (virtual) firewalls. According to the advisory, the following versions are affected:

  • PAN-OS 12.1: versions earlier than 12.1.4-h5
  • PAN-OS 11.2: versions earlier than 11.2.7-h13 or 11.2.10-h6
  • PAN-OS 11.1: versions earlier than 11.1.4-h33, 11.1.6-h32, 11.1.10-h25 or 11.1.13-h5
  • PAN-OS 10.2: versions earlier than 10.2.10-h36 or 10.2.18-h6

The hotfix suffix (-hN) matters when comparing: a device on the same maintenance release but a lower hotfix number (for example 11.1.6-h31) is still affected, and a device on a maintenance release older than the listed fixed releases in its train (for example 11.2.8) has no fix until it moves to one of them.

Products that are NOT affected include:

  • Prisma Access
  • Cloud NGFW
  • Panorama appliances
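Matching an inventory against hotfix-suffixed version lists by hand is error-prone, so the following added example (not code from the article or from Palo Alto Networks) parses PAN-OS version strings and classifies them against the fixed releases listed above. It assumes the reading of "versions before X, Y" stated in the comments: a maintenance release that has a listed fix is compared by hotfix number, any other maintenance release is affected if it is older than the newest fixed release in its train, and trains not listed at all are reported as "not-listed" rather than safe. The inventory is constructed sample data.

```python
import re
from typing import Optional

# Fixed releases per PAN-OS release train, taken from the advisory text
# quoted above.  Interpretation (an assumption of this example): a maintenance
# release with a listed fix is compared by hotfix number; any other maintenance
# release in the train is affected if older than the newest fixed release.
FIXED = {
    (12, 1): ["12.1.4-h5"],
    (11, 2): ["11.2.7-h13", "11.2.10-h6"],
    (11, 1): ["11.1.4-h33", "11.1.6-h32", "11.1.10-h25", "11.1.13-h5"],
    (10, 2): ["10.2.10-h36", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maint, hotfix) for strings like '11.1.6-h32'.
    A missing '-hN' suffix counts as hotfix 0.  Raises ValueError otherwise."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(text) -> Optional[bool]:
    """True if the version is inside the advisory's affected range, False if it
    carries a fix, None if its release train is not listed at all (treat None
    as 'check the vendor advisory', never as safe)."""
    major, minor, maint, hotfix = parse_version(text)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return None
    fixed_tuples = [parse_version(f) for f in fixed]
    # Same maintenance release as a listed fix: only the hotfix number decides.
    for _, _, f_maint, f_hotfix in fixed_tuples:
        if f_maint == maint:
            return hotfix < f_hotfix
    # Otherwise: affected when older than the newest fixed release in the train.
    newest = max(fixed_tuples)
    return (maint, hotfix) < (newest[2], newest[3])


def triage(inventory):
    """Map hostname -> 'affected' | 'fixed' | 'not-listed' | 'unknown' for an
    inventory of {hostname: version_string}; 'unknown' means unparsable."""
    labels = {True: "affected", False: "fixed", None: "not-listed"}
    out = {}
    for host, version in inventory.items():
        try:
            out[host] = labels[is_affected(version)]
        except ValueError:
            out[host] = "unknown"
    return out


if __name__ == "__main__":
    # Constructed sample inventory (not real devices).
    sample = {
        "fw-dc1": "11.1.6-h31",      # same maintenance release, hotfix too low
        "fw-dc2": "11.1.6-h32",      # exactly the fixed hotfix
        "fw-branch": "11.2.8",       # no listed fix for 11.2.8: older than 11.2.10-h6
        "fw-lab": "10.2.19",         # newer than every listed 10.2 fix
        "fw-legacy": "10.1.14",      # train not mentioned in the advisory
    }
    for host, state in triage(sample).items():
        print(f"{host:10s} {sample[host]:12s} {state}")
```

Feed it the version column from your inventory export; anything reported as "affected", "not-listed" or "unknown" needs a human look before the device is excluded from the mitigation list.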

Exploitation Status

Palo Alto Networks has confirmed that CVE-2026-0300 is being actively exploited in the wild. The exploitation is described as "limited," suggesting targeted attacks rather than a widespread, indiscriminate campaign at this time. The primary targets observed are firewalls with the User-ID Authentication Portal exposed to the public internet. The Cyber Security Agency of Singapore (CSA) has also issued an alert corroborating the active exploitation and urging organizations to take immediate action.

Impact Assessment

A successful exploit of CVE-2026-0300 grants an attacker full control over a compromised firewall. This has severe security implications:

  • Complete System Compromise: Attackers gain root access, allowing them to disable security functions, install persistent backdoors, and modify system configurations.
  • Network Pivot Point: A compromised firewall, which sits at the perimeter of a network, becomes an ideal pivot point for attackers to launch further attacks against the internal network.
  • Data Interception and Exfiltration: Attackers can monitor, modify, or redirect all traffic passing through the firewall, enabling them to steal sensitive data.
  • Denial of Service: An attacker could disable the firewall, causing a complete network outage for the organization.

Given that firewalls are critical security infrastructure, the business impact of a compromise is extremely high, potentially leading to major data breaches, operational downtime, and significant financial and reputational damage.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

Type: url_pattern
Value: /auth/portal/
Description: The default path for the User-ID Authentication Portal. Check web server logs for unusual or repeated requests to this path from untrusted IPs.

Type: url_pattern
Value: /php/login.php
Description: The Captive Portal login page path, added as a hunting hint in the May 11 update. Treat requests to it from untrusted sources the same way as requests to /auth/portal/.

Type: process_name
Value: authd
Description: The authentication daemon process on PAN-OS. Monitor for unexpected crashes or restarts of this process. A crash can indicate a failed exploit attempt: an overflow that does not land cleanly usually kills the target process rather than gaining control of it.

Type: log_source
Value: system logs
Description: On the PAN-OS device, check system logs for entries related to the authd process crashing or restarting, core files being written, or any unexpected behavior of the User-ID service.

Type: network_traffic_pattern
Value: Inbound traffic to the Authentication Portal port
Description: Monitor for anomalous inbound connections to the TCP port on which the Authentication Portal is published on each interface, from external or otherwise untrusted addresses.

Detection Methods

Security teams should focus on identifying both vulnerable configurations and signs of active exploitation.

  1. Identify Vulnerable Systems:

    • Use your asset inventory to identify all Palo Alto Networks firewalls running affected PAN-OS versions.
    • On each firewall, navigate to Device > User Identification > Authentication Portal Settings to determine if the portal is enabled and how it is configured. Check the access lists to see if it is exposed to untrusted networks.
  2. Detect Exploitation Attempts:

    • Network Traffic Analysis (D3-NTA): Monitor web access logs, firewall logs, and NetFlow data for connections to the User-ID Authentication Portal from unexpected or untrusted IP addresses. A sudden spike in traffic or connections from multiple geographically diverse IPs could indicate scanning or exploitation activity.
    • Log Analysis: Scrutinize PAN-OS system logs for any crashes or restarts of the authd process. These events might be logged with details that point to a buffer overflow or memory corruption error.
    • Internal telemetry: EDR cannot run on the appliance itself, but a successful compromise is usually followed by lateral movement. Watch EDR, NDR and authentication logs for connections, Active Directory queries or tunnelled traffic originating from the firewall's own management or data-plane addresses; a firewall has no business initiating such traffic.
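The network-traffic and log-analysis steps above can be scripted against exported logs. The following added example (not code from the article or from Palo Alto Networks) correlates portal access-log lines with system-log lines: it counts requests to the portal paths named in the hunting hints from sources outside a trusted set of networks, flags sources that burst above a threshold, records 5xx responses on portal requests (a backend that has just died answers this way), and pulls out authd crash or restart lines. The log format is a generic combined-style access log and a syslog-style system log, both constructed for this example; the appliance's real export format may differ, and the two regular expressions are the part to adapt.

```python
import ipaddress
import re
from collections import Counter

# Portal paths named in this article's hunting hints.
PORTAL_PATHS = ("/auth/portal/", "/php/login.php")

# Networks that legitimately reach the portal.  Constructed for this example;
# replace with the zones or subnets that are allowed to hit your portal.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Generic combined-style web access log line (assumed format, adapt as needed).
ACCESS_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
# System-log lines recording the authentication daemon dying or restarting.
AUTHD_RE = re.compile(r"authd.*(crash|core|segfault|restart|exited)", re.IGNORECASE)

# Constructed sample data (not real logs): one trusted client, one external
# source hammering the portal and drawing 502s while authd falls over, and one
# external source that only viewed the login page.
ACCESS_SAMPLE = """\
10.1.2.3 - - [06/May/2026:10:00:01 +0000] "GET /php/login.php HTTP/1.1" 200 1523
198.51.100.7 - - [06/May/2026:10:00:05 +0000] "GET /php/login.php HTTP/1.1" 200 1523
198.51.100.7 - - [06/May/2026:10:00:06 +0000] "POST /php/login.php HTTP/1.1" 502 0
198.51.100.7 - - [06/May/2026:10:00:06 +0000] "POST /auth/portal/ HTTP/1.1" 502 0
198.51.100.7 - - [06/May/2026:10:00:07 +0000] "POST /php/login.php HTTP/1.1" 502 0
198.51.100.7 - - [06/May/2026:10:00:08 +0000] "POST /php/login.php HTTP/1.1" 200 12
203.0.113.9 - - [06/May/2026:10:01:00 +0000] "GET /php/login.php HTTP/1.1" 200 1523
203.0.113.9 - - [06/May/2026:10:01:01 +0000] "GET /global-protect/login.esp HTTP/1.1" 404 0
"""
SYSTEM_SAMPLE = """\
May  6 10:00:06 fw-dc1 kernel: authd[2211]: segfault at 0 ip 000000000040a1c2 sp 00007ffd1a3c error 4
May  6 10:00:07 fw-dc1 pan_task: authd restarted after unexpected exit
May  6 10:00:30 fw-dc1 useridd: group mapping refresh complete
"""


def is_untrusted(src):
    """True for any source outside TRUSTED_NETS; an unparsable source is
    reported as untrusted rather than silently dropped."""
    try:
        ip = ipaddress.ip_address(src)
    except ValueError:
        return True
    return not any(ip in net for net in TRUSTED_NETS)


def hunt(access_lines, system_lines, burst_threshold=5):
    """Correlate portal access logs with system logs and return the findings."""
    hits = Counter()
    errors = []
    for line in access_lines:
        m = ACCESS_RE.match(line)
        if not m or not m.group("path").startswith(PORTAL_PATHS):
            continue
        src = m.group("src")
        if not is_untrusted(src):
            continue
        hits[src] += 1
        if m.group("status").startswith("5"):
            errors.append((m.group("ts"), src, m.group("method"), m.group("path"), int(m.group("status"))))
    return {
        "untrusted_hits": dict(hits),
        "burst_sources": sorted(ip for ip, n in hits.items() if n >= burst_threshold),
        "portal_errors": errors,
        "authd_events": [l for l in system_lines if AUTHD_RE.search(l)],
    }


if __name__ == "__main__":
    findings = hunt(ACCESS_SAMPLE.splitlines(), SYSTEM_SAMPLE.splitlines())
    for key, value in findings.items():
        print(f"{key}:")
        for item in (value.items() if isinstance(value, dict) else value):
            print(f"  {item}")
```

The useful signal is the combination: an untrusted source bursting at the portal, 5xx responses on those requests, and an authd crash in the same minute is a much stronger lead than any one of the three alone.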

Remediation Steps

As patches were not yet available at the time of first publication, mitigation was the only available course of action.

  1. Primary Mitigation (Recommended):

    • Restrict Access: The most effective mitigation is to ensure the User-ID Authentication Portal is not reachable from untrusted networks. Restrict the interfaces on which the portal is published and the security policy that permits traffic to it, so that only trusted internal zones and specific, known source addresses can reach it. Exposing an authentication service of this kind to the internet is rarely necessary and should be treated with the same caution as exposing a management interface.
    • Verification: After applying access restrictions, test from an external network (or from an untrusted zone) to confirm that the portal's port no longer answers. A refused or timed-out connection is the expected result; any HTTP response means the restriction is incomplete.
  2. Secondary Mitigation:

    • Disable the Portal: If the User-ID Authentication Portal is not being used, disable it entirely. This can be done under Device > User Identification > Authentication Portal Settings.
  3. Patching (When Available):

    • Palo Alto Networks plans to release patches in two waves:
      • Wave 1: Around May 13, 2026
      • Wave 2: Around May 28, 2026
    • Organizations should create a plan to apply these patches as soon as they are released, prioritizing internet-facing and critical firewalls.
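The verification step above is worth automating so it can be rerun after every policy change and after each patch wave. The following added example (not code from the article or from Palo Alto Networks) probes a host and port from an untrusted vantage point and distinguishes the outcomes that matter: connection refused (nothing listening), no answer (dropped by policy or unreachable), TCP open but no HTTP answer, and an HTTP response for the Captive Portal login path. Certificate verification is deliberately disabled because it is a reachability check, not a trust check. The target list and the helper that finds an unused loopback port are constructed for the example; the portal path is the one named in the hunting hints.

```python
import socket
import ssl
from http.client import HTTPSConnection, HTTPException

# Captive Portal login path named in this article's hunting hints.
PORTAL_PATH = "/php/login.php"


def portal_exposure(host, port=443, path=PORTAL_PATH, timeout=5.0):
    """Probe one host:port from an untrusted vantage point.

    Returns (state, http_status) where state is one of:
      'closed'    TCP connection refused or reset: nothing listening
      'filtered'  no answer within the timeout: dropped by policy or unreachable
      'open'      TCP connects but no HTTP response was obtained on the path
      'exposed'   an HTTP response came back for the portal path
    """
    try:
        socket.create_connection((host, port), timeout=timeout).close()
    except ConnectionRefusedError:
        return ("closed", None)
    except OSError:            # timeouts and host-unreachable errors land here
        return ("filtered", None)

    # Appliances often present self-signed or internal-CA certificates, so
    # verification is disabled: this is a reachability check, not a trust check.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", path, headers={"Host": host, "User-Agent": "portal-exposure-check"})
        return ("exposed", conn.getresponse().status)
    except (ssl.SSLError, HTTPException, OSError):
        return ("open", None)
    finally:
        conn.close()


def needs_action(state):
    """Anything that answers at all on the portal port from outside still
    needs the access restriction (or the patch) applied."""
    return state in ("open", "exposed")


def check_targets(targets, timeout=5.0):
    """Probe a list of (host, port) pairs; returns {'host:port': (state, status)}."""
    return {f"{h}:{p}": portal_exposure(h, p, timeout=timeout) for h, p in targets}


def free_local_port():
    """A loopback port with nothing listening, used only to demonstrate 'closed'."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # Constructed target list: add the firewalls' public addresses and the port
    # on which each portal is published, and run from outside the trusted zones.
    targets = [("127.0.0.1", free_local_port())]
    for key, (state, status) in check_targets(targets, timeout=3.0).items():
        verdict = "RESTRICT" if needs_action(state) else "ok"
        print(f"{key:24s} {state:9s} {status if status else '-':>5} {verdict}")
```

Run it from a host that is genuinely outside the trusted zones (a cloud VM or a home connection), not from inside the network, since a probe from a trusted source will succeed even when the restriction is correct.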

Timeline of Events

  1. May 6, 2026: Palo Alto Networks publicly discloses CVE-2026-0300 and confirms active exploitation.
  2. May 6, 2026: This article was published.
  3. May 13, 2026: Projected date for the first wave of security patches from Palo Alto Networks.
  4. May 28, 2026: Projected date for the second wave of security patches from Palo Alto Networks.

Article Updates

May 7, 2026

Severity increased

State-sponsored actor CL-STA-1132 identified exploiting CVE-2026-0300 with advanced TTPs; emergency patches and threat signatures released.

New intelligence from Unit 42 attributes active exploitation of CVE-2026-0300 to state-sponsored threat actor CL-STA-1132, who began exploiting the flaw on April 9, 2026. Post-compromise activities include deploying open-source tunneling tools like EarthWorm and ReverseSocks5, performing Active Directory enumeration, and meticulously destroying forensic evidence. Palo Alto Networks has now released emergency patches and Threat ID 510019 signatures for Advanced Threat Prevention subscribers, urging immediate application to mitigate the risk from this sophisticated campaign.

May 7, 2026

Severity increased

CVE-2026-0300 exploitation linked to state-sponsored actor deploying backdoors and tunneling tools. Palo Alto Networks releases threat prevention signatures.

New details on the active exploitation of CVE-2026-0300 attribute the attacks to a sophisticated state-sponsored threat actor. This actor has been observed deploying backdoors, enumerating Active Directory, and utilizing network tunneling tools like EarthWorm and ReverseSocks5 for persistent access. Palo Alto Networks has responded by releasing specific threat prevention signatures (ID 95187) to aid customers in detecting and blocking exploitation attempts, providing an immediate mitigation beyond just restricting portal access. The exploitation timeline indicates probing began around April 9, 2026.

May 8, 2026

Severity increased

CISA added CVE-2026-0300 to its KEV catalog, mandating federal agencies patch by May 9, 2026, underscoring the critical and actively exploited nature of the zero-day.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has officially added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog. This action mandates that all federal agencies apply mitigations or patches for the critical Palo Alto Networks zero-day by May 9, 2026. CISA's inclusion in the KEV catalog signifies the high confidence in active exploitation and elevates the urgency for all organizations to address the vulnerability immediately. The article also suggests the limited exploitation pattern points to sophisticated threat actors, possibly state-sponsored.

May 11, 2026

Severity increased

CVSS score increased to 9.8, attributed to state-sponsored actors. Palo Alto Networks released Threat Prevention signatures for detection.

The CVSS score for CVE-2026-0300 has been updated from 9.3 to 9.8, reflecting an increased critical impact. Exploitation is now attributed to sophisticated state-sponsored threat actors, indicating a higher level of threat. Palo Alto Networks has released Threat Prevention signatures to aid in detecting and blocking exploitation attempts. A new hunting hint for the Captive Portal login URL (the path /php/login.php on the firewall) has also been provided. Customers are strongly advised to implement immediate mitigations by restricting access to the Captive Portal, as signatures alone are not a complete solution.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags: Active Exploitation, Buffer Overflow, CVE-2026-0300, Firewall, PAN-OS, Palo Alto Networks, RCE, Zero-Day
