Palo Alto warns of actively exploited PAN-OS firewall flaw

Palo Alto Networks has disclosed a critical vulnerability in multiple PAN-OS versions, tracked as CVE-2026-0300 (CVSS 9.3), that allows unauthenticated remote attackers to execute arbitrary code with root privileges on affected firewalls. The flaw is a buffer overflow vulnerability impacting the User-ID Authentication Portal service on PA-Series and VM-Series firewalls.

Palo Alto confirmed the vulnerability is being actively exploited in limited attacks, specifically targeting systems where the Authentication Portal is exposed to untrusted IP addresses or the public internet. 

Palo Alto said fixes will begin rolling out starting May 13, with additional patches planned later in the month. Until patches are available, the company is advising organizations to restrict Authentication Portal access to trusted internal networks or disable the feature entirely if not required. Prisma Access, Cloud NGFW, and Panorama are not affected.

Underscoring how critical this is, CISA added the vulnerability to its KEV catalog on May 6.

Jacob Warner, Director of IT, Xcape, Inc.:

   “The disclosure of CVE-2026-0300 is a sobering reminder that the network edge remains the highest-value target for state-sponsored espionage. By the time Palo Alto Networks released this advisory, the suspected threat actor CL-STA-1132 had already spent nearly a month refining their exploit, moving from failed attempts on April 9 to successful root RCE by mid-April. This is not a theoretical vulnerability; it is an active, surgical operation where attackers are using the firewall’s own nginx processes to drop tunneling tools like EarthWorm and ReverseSocks5.

   “For leadership, the takeaway is that a “critical” CVSS score on a firewall often means the attacker is already behind your lines before the alert even fires. With patches not arriving until May 13, the only viable defense is immediate exposure reduction. If your User-ID Authentication Portal is reachable from the public Internet, you are essentially providing an unauthenticated root shell to anyone with the right packet sequence. You must audit your Interface Management Profiles now: restrict portal access to trusted internal zones and ensure that “Response Pages” are disabled on all Internet-facing interfaces. In 2026, if you aren’t actively shrinking your edge attack surface, you’re just waiting for the next zero-day to do it for you.

   “This bug was a zero-day for 26 days before we even gave it a name. In the time it took us to get an advisory, the bad guys were already halfway through the Active Directory.”
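As an added defender-side example (not from the article, Palo Alto Networks, or the people quoted), here is a small Python audit over an exported PAN-OS-style configuration that implements the check Warner describes above: flag every interface whose Interface Management Profile has Response Pages enabled on an untrusted zone, or enabled anywhere without a permitted-IP allow list. The XML element names and the sample configuration are assumptions constructed for illustration; verify them against a real running-config export before relying on the script.

```python
import xml.etree.ElementTree as ET

# Constructed, simplified PAN-OS-style XML excerpt (element names assumed; check a real export).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network>
 <profiles><interface-management-profile>
  <entry name="mgmt-outside"><https>yes</https><response-pages>yes</response-pages></entry>
  <entry name="mgmt-inside"><response-pages>yes</response-pages>
   <permitted-ip><entry name="10.0.0.0/8"/></permitted-ip></entry>
  <entry name="ping-only"><ping>yes</ping></entry>
 </interface-management-profile></profiles>
 <interface><ethernet>
  <entry name="ethernet1/1"><layer3><interface-management-profile>mgmt-outside</interface-management-profile></layer3></entry>
  <entry name="ethernet1/2"><layer3><interface-management-profile>mgmt-inside</interface-management-profile></layer3></entry>
  <entry name="ethernet1/3"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
 </ethernet></interface>
</network>
<vsys><entry name="vsys1"><zone>
 <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
 <entry name="trust"><network><layer3><member>ethernet1/2</member><member>ethernet1/3</member></layer3></network></entry>
</zone></entry></vsys>
</entry></devices></config>"""
UNTRUSTED_ZONES = {"untrust"}  # internet-facing zones; adjust per environment

def find_exposed_portals(config_xml, untrusted_zones=UNTRUSTED_ZONES):
    # Flag interfaces whose profile enables Response Pages on an untrusted zone,
    # or anywhere without a permitted-ip allow list (a portal reachable from any source).
    root = ET.fromstring(config_xml)
    profiles = {p.get("name"): (p.findtext("response-pages") == "yes",
                                [e.get("name") for e in p.iterfind("permitted-ip/entry")])
                for p in root.iterfind(".//interface-management-profile/entry")}
    iface_zone = {m.text: z.get("name") for z in root.iterfind(".//zone/entry")
                  for m in z.iterfind("network/layer3/member")}
    findings = []
    for i in root.iterfind(".//interface/ethernet/entry"):
        name, prof_name = i.get("name"), i.findtext("layer3/interface-management-profile")
        resp_pages, permitted = profiles.get(prof_name, (False, []))
        if not resp_pages:
            continue
        zone = iface_zone.get(name, "?")
        if zone in untrusted_zones:
            findings.append((name, zone, prof_name, "Response Pages enabled on untrusted zone"))
        elif not permitted:
            findings.append((name, zone, prof_name, "Response Pages enabled with no permitted-ip list"))
    return findings
```

On the constructed sample only ethernet1/1 is reported; ethernet1/2 passes because its profile carries a permitted-ip list, and ethernet1/3 passes because its profile never enables Response Pages.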

Denis Calderone, CTO, Suzu Labs:

   “This one is a little different from the management interface exposures we’ve been warning about with other edge devices like Fortinet, SonicWall, and Cisco. This vulnerability is in the User-ID Authentication Portal, which is the page users hit to authenticate through the firewall. In a lot of deployments, that portal is internet-exposed on purpose because that’s how it’s designed to work. That makes the mitigation more complicated than just “take it off the internet,” because for some organizations, it’s there for a reason.

   “That said, there are a lot of environments where the exposure isn’t necessary. If your Authentication Portal is used for local captive portal authentication, guest WiFi, or BYOD segments, it only needs to be reachable from those specific interfaces. Restrict it to those zones and block everything else. If the portal serves branch offices or remote sites over SD-WAN or site-to-site tunnels, you can restrict access to known source IP ranges for those branches. You don’t need to open it to the entire internet just because some of your traffic originates externally.

   “The harder scenario is organizations using the portal for VPN-less remote authentication, where users could be connecting from anywhere. You can’t restrict by source IP in that case. Those organizations need to look at migrating remote users to GlobalProtect or Prisma Access, both of which are not affected by this CVE. If that’s not possible before May 13, enable Threat ID 510019 if you have a Threat Prevention subscription on PAN-OS, and understand that you’re carrying real risk until the patch drops.

   “Nation-state actors have had nearly a month with this one. They’ve been deploying tunneling tools and cleaning logs immediately after compromise. If your Authentication Portal has been internet-exposed, don’t just apply the workaround and move on. Assume compromise and hunt for it.”

Rajeev Raghunarayan, Head of GTM, Averlon:

   “CVE-2026-0300 is an unusual situation: active exploitation confirmed, added to KEV, and for many systems there is no patch available yet. The only immediate option is to restrict the Authentication Portal to trusted internal zones or disable it entirely. The silver lining is that the vulnerable service is not enabled by default, and organizations following best practice by keeping the Authentication Portal restricted to trusted internal networks are at much lower risk.

   “A perimeter firewall is a gateway into the environment. When the gateway is owned, access is owned. With root-level access on a perimeter control point, the concern is no longer just the vulnerable service itself, but the visibility, access, and control that position can provide into the systems behind it.

   “Even for organizations that have already applied the workaround, the important question is what was potentially exposed during that window and what activity should now be treated as suspicious.”

Given how long this has been out there, and the fact that it is being actively exploited, this is a drop-everything-and-patch-now sort of thing. Which is of course the worst kind of situation to be in.
