Critical Palo Alto PAN-OS Zero-Day CVE-2026-0300 Actively Exploited — Root Access Granted on 5,800+ Exposed Firewalls

dark6 7 May 2026

A critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software is actively being exploited in the wild, granting unauthenticated attackers complete root-level access to affected firewalls. The flaw, tracked as CVE-2026-0300, carries a CVSS 4.0 score of 9.3 and represents one of the most severe firewall vulnerabilities disclosed in 2026.

What Is CVE-2026-0300?

CVE-2026-0300 is a buffer overflow vulnerability residing in the User-ID Authentication Portal (also referred to as the Captive Portal) service of PAN-OS. This component is responsible for authenticating users before granting them access to network resources. The vulnerability can be triggered remotely by an unauthenticated attacker — requiring no credentials, no user interaction, and no special preconditions.

Successful exploitation allows an attacker to execute arbitrary code with full root privileges on the underlying system, effectively taking over the firewall entirely. Affected platforms include PA-Series physical firewalls and VM-Series virtual firewalls running vulnerable versions of PAN-OS.

Active Exploitation in the Wild

Palo Alto Networks has confirmed that limited exploitation has already been observed targeting User-ID Authentication Portals exposed to untrusted IP addresses or directly to the public internet. Threat intelligence firm Shadowserver is currently tracking more than 5,800 exposed PAN-OS VM-Series firewalls reachable from the internet, with the largest concentrations found in Asia and North America.

The nature of the current exploitation suggests a targeted campaign at this stage, though the wide attack surface — thousands of internet-facing firewalls — means that broad opportunistic exploitation could follow rapidly. Security researchers at Wiz, Field Effect, and Lyrie Research have all published technical analyses confirming the severity and real-world feasibility of exploitation.

Affected Products and Patch Timeline

The vulnerability affects multiple PAN-OS branches. Palo Alto Networks has committed to rolling out patches between May 13 and May 28, 2026, depending on the specific PAN-OS version. Until patches are available, organizations must apply workarounds immediately. Affected deployments include:

  • PA-Series physical firewalls running affected PAN-OS versions
  • VM-Series virtual firewalls running affected PAN-OS versions
  • Any deployment where the User-ID Authentication Portal is exposed to untrusted networks or the public internet

Immediate Mitigation Steps

Palo Alto Networks has issued urgent guidance for administrators managing affected systems. Until official patches arrive, organizations should take one of the following actions without delay:

  • Restrict portal access: Limit the Authentication Portal to trusted internal IP addresses only, following Palo Alto’s best-practice guidelines for Captive Portal deployment.
  • Disable if unused: If the User-ID Authentication Portal is not operationally required, disable it entirely to eliminate the attack surface.
  • Enhance monitoring: Implement logging and alerting for anomalous authentication requests or unusual traffic directed at the portal service.
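As an added illustration of the first and third mitigations (not code from the article or from Palo Alto Networks), the Python helper below checks Authentication Portal requests against a trusted-source allow-list and flags sources outside it, plus any untrusted source that sends a burst of requests. The log format, field names and the `captive-portal` service label are assumptions constructed for this demo; real PAN-OS log exports differ, so map the fields to your own data before use.

```python
"""Flag Captive Portal requests from untrusted sources.

Added example, not from the article. The four-field log format below is
constructed for this demo and is NOT the real PAN-OS log format.
"""
import ipaddress
from collections import Counter

# Networks allowed to reach the User-ID Authentication Portal (assumed; adjust
# to match the trusted internal ranges in your own portal policy).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample lines: "<timestamp> <src_ip> <dst_ip> <service>"
SAMPLE_LOG = """\
2026-05-07T09:00:01Z 10.1.4.22 10.1.0.1 captive-portal
2026-05-07T09:00:05Z 203.0.113.7 198.51.100.10 captive-portal
2026-05-07T09:00:06Z 203.0.113.7 198.51.100.10 captive-portal
2026-05-07T09:00:07Z 203.0.113.7 198.51.100.10 captive-portal
2026-05-07T09:00:09Z 192.168.5.9 10.1.0.1 captive-portal
2026-05-07T09:00:11Z 203.0.113.9 198.51.100.10 web-browsing
"""


def is_trusted(ip: str) -> bool:
    """True if the source address falls inside one of the trusted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def find_untrusted_portal_hits(log_text: str, burst_threshold: int = 3):
    """Return (untrusted portal hits as (timestamp, src), set of bursting sources).

    Only lines whose service is the assumed 'captive-portal' label are examined;
    other services are ignored so ordinary web traffic does not raise alerts.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of aborting the whole scan
        ts, src, _dst, service = parts
        if service != "captive-portal" or is_trusted(src):
            continue
        hits.append((ts, src))
    counts = Counter(src for _, src in hits)
    bursting = {src for src, n in counts.items() if n >= burst_threshold}
    return hits, bursting


if __name__ == "__main__":
    hits, bursting = find_untrusted_portal_hits(SAMPLE_LOG)
    for ts, src in hits:
        print(f"{ts} untrusted portal request from {src}")
    print("bursting sources:", sorted(bursting))
```

Any untrusted hit is itself evidence that the portal is reachable from outside the intended networks and should be restricted or disabled per the guidance above.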

Why This Matters for Enterprise Security

Enterprise firewalls are not merely network appliances — they are the gatekeepers of an organization’s entire perimeter. A successful root-level compromise of a firewall gives an attacker unparalleled access: the ability to intercept, redirect, or manipulate all traffic flowing through the device; pivot directly into internal networks; disable security policies; and establish persistent backdoors that survive reboots and firmware updates.

The unauthenticated nature of this vulnerability makes it especially dangerous. Automated exploit toolkits can scan and compromise vulnerable firewalls at scale, as seen with previous Palo Alto zero-days like CVE-2024-3400, which was mass-exploited within hours of public disclosure.

Historical Pattern: PAN-OS as a Target

CVE-2026-0300 is the latest in a series of critical PAN-OS vulnerabilities that threat actors have moved to exploit rapidly after disclosure. In recent years, nation-state actors and ransomware groups alike have targeted Palo Alto firewalls as high-value initial access vectors. The combination of widespread enterprise deployment and privileged network positioning makes these devices perennial prime targets for sophisticated adversaries.

Recommended Actions

  • Immediately audit all internet-facing Palo Alto firewalls for Authentication Portal exposure
  • Apply Palo Alto’s recommended mitigations without waiting for patches
  • Subscribe to Palo Alto Security Advisories for patch release notifications
  • Conduct threat hunting for indicators of compromise on any exposed systems
  • Escalate to incident response teams if anomalous activity is detected on firewall management interfaces

With patches not arriving until mid-to-late May, organizations face days to weeks of exposure. Acting now on the available mitigations is not optional — it is the only responsible course of action.
