State-Backed Hackers Hammer Palo Alto Firewall Zero-Day Before Patch Lands
Palo Alto Networks says the flaw allows unauthenticated attackers to run code as root on internet-exposed firewalls, and Shadowserver is tracking over 5,800 exposed devices.
- Palo Alto Networks warned on Wednesday that a critical-severity unpatched vulnerability, CVE-2026-0300, is being exploited in attacks targeting the PAN-OS User-ID Authentication Portal.
- The zero-day bug stems from a buffer overflow weakness allowing unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.
- Internet threat watchdog Shadowserver is tracking over 5,800 PAN-OS VM-Series firewalls exposed online, with 2,466 located in Asia and 1,998 in North America.
- Palo Alto Networks is working on a patch and, until it is available, "strongly" recommends that customers secure the User-ID Authentication Portal by restricting access to trusted zones only or by disabling it.
- "Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk," the company stated regarding exposure mitigation.
17 Articles
State-backed hackers hammer Palo Alto firewall zero-day before patch lands
State-backed hackers have been quietly exploiting a fresh zero-day in Palo Alto Networks firewalls to gain root access with no login required. The flaw, tracked as CVE-2026-0300 and carrying a CVSS severity rating of 9.3, affects the Captive Portal feature in PAN-OS on PA-Series and VM-Series firewalls. Palo Alto said the issue stems from a memory corruption bug in the User-ID Authentication Portal, a feature used to handle logins for users the …
A critical Palo Alto PAN-OS zero-day is being exploited in the wild
Attackers are actively exploiting a zero-day vulnerability affecting some Palo Alto Networks’ customers’ firewalls, the security vendor said in an advisory Tuesday. The critical memory corruption vulnerability — CVE-2026-0300 — affects the authentication portal of PAN-OS, and allows unauthenticated attackers to run code with root privileges on the vendor’s PA-Series and VM-Series firewalls, the company said. Palo Alto Networks did not say when …
Palo Alto Networks warns of firewall RCE zero-day exploited in attacks
Palo Alto Networks warned customers today that a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks.
Palo Alto Networks Firewall Zero-Day RCE Vulnerability Exploited in the Wild Since April
A critical zero-day vulnerability in Palo Alto Networks PAN-OS software has been actively exploited by a likely state-sponsored threat actor since at least April 2026, the company revealed in a security advisory published on May 6, 2026. Tracked as CVE-2026-0300, the flaw is a buffer overflow vulnerability residing in the User-ID Authentication Portal, also known as the Captive Portal service of PAN-OS, and it allows an unauthenticated remote at…
Palo Alto Networks confirms that the critical vulnerability CVE-2026-0300 (CVSS 9.3) in PAN-OS is under active attack, allowing remote execution of code without authentication. The company has issued an urgent warning after detecting actual exploitation, mainly against PA-Series and VM-Series firewalls with the User-ID authentication portal exposed to the Internet. Patches will not arrive until May 13 — as soon as possible — and, meanwhile, any …
Coverage Details
Bias Distribution
- 100% of the sources are Center







