Skip to content
Tech News
← Back to articles

Palo Alto Networks warns of firewall RCE zero-day exploited in attacks

2026-05-06 | original
read original get Palo Alto Networks Firewall Security Kit → more articles
Why This Matters

The discovery of a critical zero-day vulnerability in Palo Alto Networks' PAN-OS firewalls highlights ongoing cybersecurity risks for organizations relying on these devices. Exploitation of this flaw could allow attackers to execute malicious code remotely, emphasizing the importance of timely patching and strict access controls to safeguard sensitive networks. This incident underscores the need for continuous vigilance and proactive security measures in the evolving threat landscape.

Key Takeaways

Palo Alto Networks warned customers today that a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks.

Also known as the Captive Portal, the User-ID Authentication Portal is a PAN-OS security feature that authenticates users whose identities cannot be automatically mapped by the firewall.

Tracked as CVE-2026-0300, this zero-day bug stems from a buffer overflow weakness that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.

"Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet," Palo Alto Networks said in a Wednesday advisory.

"Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk."

At the moment, Internet threat watchdog Shadowserver is tracking over 5,800 PAN-OS VM-series firewalls exposed online, most of them in Asia (2,466) and North America (1,998).

VM-series firewalls exposed online (Shadowserver)

​The company has also flagged the vulnerability as the highest possible severity and says that admins can quickly check whether their firewalls are configured to use the vulnerable service from the User-ID Authentication Portal Settings page, found under Device > User Identification > Authentication Portal Settings -> Enable Authentication Portal.

Palo Alto Networks is still working to address the zero-day, and until a patch is available, it "strongly" recommends that customers secure the User-ID Authentication Portal by restricting access to trusted zones only or disabling the portal if that's not possible.

PAN-OS firewalls have frequently been targeted in attacks, often exploiting zero-day security vulnerabilities. For instance, in November 2024, Shadowserver revealed that thousands of firewalls had been compromised (even though the company said the attacks impacted only "a very small number") in attacks that chained two PAN-OS firewall zero-days.

... continue reading

Explore topics: palo alto networks pan-os user-id authentication portal cve-2026-0300 vm-series
Related:
Microsoft Edge Stores Passwords in Process Memory, Posing Enterprise Risk
New Wall Street research touts our long-held view on AI and cybersecurity stocks
CVSS scored these two Palo Alto CVEs as manageable. Chained, they gave attackers root access to 13,000 devices.
New BlackFile extortion group linked to surge of vishing attacks
'Zealot' Shows What AI's Capable of in Staged Cloud Attack

© 2026 GoKawiil

About | Editorial Policy | Contact