Palo Alto Networks [CVE-2026-0300] Zero-Day Actively Exploited in Targeted Attacks

A critical zero-day vulnerability, tracked as CVE-2026-0300, is under active but limited exploitation in Palo Alto Networks' PAN-OS software. It affects PA-Series and VM-Series firewalls whose User-ID Authentication Portal is reachable from untrusted networks. The flaw is a buffer overflow that lets an unauthenticated attacker execute code as root by sending specially crafted packets to the portal service, as confirmed by Palo Alto Networks. The limited, targeted pattern of the observed attacks is consistent with sophisticated, possibly state-sponsored actors going after critical network infrastructure.

What Happened

Palo Alto Networks disclosed a zero-day vulnerability, CVE-2026-0300, in the User-ID Authentication Portal (Captive Portal) service of its PA-Series and VM-Series firewalls. The flaw is a buffer overflow that permits unauthenticated remote code execution with root privileges, according to Palo Alto Networks. Exploitation has been observed in the wild and is described as "limited," targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. Palo Alto Networks expects the first round of patches around May 13, 2026, with a second round projected for May 28, 2026. At the time of writing, CISA had not yet added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog, although confirmed in-the-wild exploitation makes that addition likely.

Why It Matters

This Palo Alto zero-day matters because of the role the affected devices play and because exploitation is confirmed. Firewalls are the bedrock of network perimeter defense; a zero-day that yields root-level code execution on the appliance gives attackers deep access and control over everything that passes through it. The targeted pattern of the attacks suggests state-sponsored groups or advanced persistent threats (APTs) pursuing high-value targets. Organizations running PA-Series or VM-Series firewalls with a User-ID Authentication Portal reachable from untrusted networks are at immediate risk. Other Palo Alto Networks products such as Prisma Access and Cloud NGFW are not affected, which limits the scope but not the severity for those who are. Until patches are available, the primary mitigation is to restrict access to the User-ID Authentication Portal to trusted internal IP addresses (or to disable the portal where it is not needed). Fronting any interface that must remain externally reachable with a zero-trust access broker such as Cloudflare Zero Trust adds a layer of defense, but it does not replace the access restriction itself.
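The mitigation above comes down to one question: can any address outside your trusted space reach the portal service? The script below is an added example, not Palo Alto Networks code or configuration. It models the relevant security policy as a list of (rule name, source CIDR, action) tuples and flags every allow rule whose source is not fully contained in a trusted prefix. The trusted prefixes, rule names and sample policy are constructed for illustration; export your own rules into the same shape before running it.

```python
"""Audit which source networks may reach the User-ID Authentication Portal.

Added example, not Palo Alto Networks code. Policy representation, trusted
prefixes and rule names below are constructed for illustration.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Assumed: only RFC 1918 space should reach the portal. Extend this with the
# specific prefixes your environment trusts (e.g. a management jump network).
DEFAULT_TRUSTED = [
    "10.0.0.0/8",
    "172.16.0.0/12",
    "192.168.0.0/16",
]


def is_fully_trusted(source: str, trusted: Iterable[str]) -> bool:
    """True only if every address in `source` lies inside one trusted prefix.

    Containment is the correct test, not overlap: 0.0.0.0/0 overlaps
    10.0.0.0/8 but also admits the whole internet, so it must be rejected.
    """
    src = ipaddress.ip_network(source, strict=False)
    for t in trusted:
        tn = ipaddress.ip_network(t, strict=False)
        if src.version == tn.version and src.subnet_of(tn):
            return True
    return False


def audit_portal_rules(rules, trusted=DEFAULT_TRUSTED) -> List[Tuple[str, str]]:
    """Return (rule name, source) for allow rules that expose the portal.

    `rules` is an iterable of (name, source_cidr, action) tuples. Deny rules
    do not widen exposure and are skipped.
    """
    findings = []
    for name, source, action in rules:
        if action != "allow":
            continue
        if not is_fully_trusted(source, trusted):
            findings.append((name, source))
    return findings


# Constructed sample policy for the portal service (not a real export).
SAMPLE_RULES = [
    ("portal-from-corp-lan", "10.20.0.0/16", "allow"),
    ("portal-from-guest-wifi", "192.168.50.0/24", "allow"),
    ("portal-from-partner", "203.0.113.0/24", "allow"),   # public space: exposed
    ("portal-legacy-any", "0.0.0.0/0", "allow"),           # the dangerous one
    ("portal-block-bogons", "100.64.0.0/10", "deny"),      # deny rule: ignored
]

if __name__ == "__main__":
    for name, source in audit_portal_rules(SAMPLE_RULES):
        print(f"EXPOSED: rule {name!r} allows portal access from {source}")
```

The containment check is the part worth keeping even if you discard the rest: a rule such as 10.0.0.0/7 or 0.0.0.0/0 overlaps trusted space, so a naive overlap test would pass it, yet it admits addresses that should never reach the portal.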

NVD advisory — CVE-2026-0300

Technical Breakdown

CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal service. Specially crafted packets sent to a vulnerable firewall cause the service to write more data into a fixed-size buffer than it can hold. The excess overwrites adjacent memory, which may include pointers or return addresses that determine where execution goes next, so the attacker can redirect the service into code of their choosing. Because the portal service runs with root privileges, that code runs as root. The analogy of pouring a gallon of water into a pint glass holds as far as it goes: the glass overflows and the excess spills out. The crucial difference is that here the spill lands on memory the program depends on. No credentials are required; the attack succeeds against any reachable instance of the service before any authentication takes place.

The attack maps to MITRE ATT&CK technique T1190 (Exploit Public-Facing Application). Because the exploit is unauthenticated and lands directly on a perimeter device, initial access is gained by exploiting the firewall itself rather than through phishing or supply chain compromise. No separate privilege escalation is needed: the vulnerable service already runs as root, so successful exploitation hands the attacker complete control of the firewall. Security teams should apply NIST SP 800-53 control SC-7 (Boundary Protection): enforce strict ingress and egress filtering and restrict which sources can reach services such as the User-ID Authentication Portal. The control's purpose is to keep unauthorized traffic from crossing network boundaries, which in this case means keeping untrusted clients from ever reaching the vulnerable service.

Historical Context

This incident echoes the Pulse Connect Secure VPN zero-day (CVE-2021-22893) disclosed in April 2021. That flaw, like CVE-2026-0300, was a critical vulnerability in a widely deployed network appliance that ultimately allowed remote code execution, and it too saw active, targeted exploitation by suspected state-sponsored actors, including Chinese APT groups, for initial access to corporate and government networks.

The key similarity is the targeting of an internet-facing network device, granting attackers a direct foothold. However, the Pulse Secure vulnerability often involved chained exploits and credential theft (mapping to T1003 OS Credential Dumping), whereas CVE-2026-0300 is a direct unauthenticated root code execution, potentially simpler to exploit without prior authentication bypasses. Both demonstrate the high value APTs place on exploiting perimeter network infrastructure for long-term persistence and lateral movement.

Data at a Glance

Metric                     Value                Source
Vulnerability ID           CVE-2026-0300        NVD
Affected Products          PA and VM series     Palo Alto Networks
First Patch Availability   May 13, 2026         The Hacker News
Second Patch Availability  May 28, 2026         The Hacker News
Exploitation Nature        Limited/Targeted     SecurityWeek

Our Take

We're looking at a serious situation. Any zero-day in a network firewall is a P1 for immediate remediation, but the limited and targeted nature here means this isn't a widespread opportunistic campaign; it's specific adversaries going after specific targets. That implies pre-existing reconnaissance and high-value objectives. The most important immediate step is strict access control on the User-ID Authentication Portal: allow only trusted internal IPs, and disable the portal where it isn't needed. Waiting for a patch while exploitation is confirmed is not an option for exposed systems. While patches roll out, our teams should be watching for anomalous activity around these interfaces: unexpected outbound connections originating from the firewall itself, unfamiliar processes or configuration changes in its system logs, and portal traffic from sources that should never reach it. An endpoint agent such as SentinelOne cannot be installed on the appliance, so that visibility has to come from the firewall's own logs forwarded to the SIEM and from network telemetry collected upstream of it.
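The outbound-connection check described above, as an added example that is not Palo Alto Networks or SentinelOne code: it takes flow records collected upstream of the firewall (NetFlow/IPFIX, a span port, or the appliance's own traffic logs exported as CSV), keeps only flows whose source is one of the firewall's own addresses, and flags any that do not match an allowlist of destinations the appliance legitimately talks to. The record format, the firewall's addresses, the allowlist and the sample flows are all constructed for illustration; the vendor update range in particular is a placeholder, not the real service address.

```python
"""Flag outbound connections that originate from the firewall itself.

Added example, not Palo Alto Networks or SentinelOne code. Addresses,
allowlist entries and flow records below are constructed for illustration.
"""
import csv
import io
import ipaddress
from typing import List, Tuple

# Assumed addresses owned by the firewall (management and data interfaces).
FIREWALL_SELF_IPS = {"10.0.0.1", "198.51.100.10"}

# Assumed legitimate destinations for firewall-initiated traffic as
# (destination network, destination port, protocol). Anything else is suspect.
ALLOWED_EGRESS = [
    ("10.0.0.53/32", 53, "udp"),       # internal DNS resolver
    ("10.0.0.123/32", 123, "udp"),     # internal NTP
    ("10.0.0.250/32", 514, "udp"),     # syslog to the SIEM collector
    ("10.0.0.250/32", 6514, "tcp"),    # syslog over TLS
    ("192.0.2.0/24", 443, "tcp"),      # placeholder for the vendor update service
]


def is_allowed_egress(dst: str, dport: int, proto: str) -> bool:
    """True if (dst, dport, proto) matches an allowlist entry exactly."""
    addr = ipaddress.ip_address(dst)
    for net, port, p in ALLOWED_EGRESS:
        if proto == p and dport == port and addr in ipaddress.ip_network(net):
            return True
    return False


def find_suspect_egress(flow_csv: str) -> List[Tuple[str, str, str, int, str]]:
    """Return (ts, src, dst, dport, proto) for firewall-originated flows that
    fall outside the egress allowlist. Flows from other hosts are ignored."""
    suspect = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["src"] not in FIREWALL_SELF_IPS:
            continue  # traffic through the firewall, not from it
        dport = int(row["dport"])
        if not is_allowed_egress(row["dst"], dport, row["proto"]):
            suspect.append((row["ts"], row["src"], row["dst"], dport, row["proto"]))
    return suspect


# Constructed flow records. The first three are routine firewall egress, the
# fourth is a client reaching the firewall (ignored), and the last two are a
# firewall-originated HTTPS session to an unknown host followed by a
# connection to an arbitrary high port: both should be flagged.
SAMPLE_FLOWS = """ts,src,dst,dport,proto,bytes
2026-05-02T10:00:01Z,10.0.0.1,10.0.0.53,53,udp,120
2026-05-02T10:00:05Z,10.0.0.1,10.0.0.250,6514,tcp,40960
2026-05-02T10:00:09Z,198.51.100.10,192.0.2.20,443,tcp,5120
2026-05-02T10:01:00Z,10.20.3.4,198.51.100.10,6082,tcp,2048
2026-05-02T10:02:13Z,198.51.100.10,203.0.113.77,443,tcp,88210
2026-05-02T10:02:40Z,198.51.100.10,203.0.113.77,4444,tcp,1200
"""

if __name__ == "__main__":
    for hit in find_suspect_egress(SAMPLE_FLOWS):
        print("SUSPECT firewall-originated flow:", hit)
```

The allowlist is deliberately exact on port and protocol: a compromised appliance beaconing over 443 to a host that is not the update service is precisely the case a destination-only check would miss.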

The CVEDaily Take

The confirmed active exploitation of CVE-2026-0300 in Palo Alto Networks' critical firewall infrastructure should trigger immediate incident response protocols for any exposed User-ID Authentication Portals. The likely involvement of state-sponsored actors underscores the strategic value of these targets. Have you confirmed that your PA and VM series firewalls with User-ID Authentication Portals are strictly limited to trusted internal IP addresses, or are any exposed to untrusted networks?

FAQ

Q: Which Palo Alto Networks products are specifically affected by CVE-2026-0300?
A: Only Palo Alto Networks' PA and VM series firewalls configured with the User-ID Authentication Portal are susceptible to CVE-2026-0300. Other products like Prisma Access, Cloud NGFW, and Panorama appliances are not affected.

Q: What is the primary mitigation strategy for CVE-2026-0300 until patches are released?
A: The most effective immediate mitigation is to restrict access to the User-ID Authentication Portal service to trusted internal IP addresses only, so that no untrusted external source can reach it, as advised by Palo Alto Networks.

Q: When are patches expected for CVE-2026-0300?
A: Palo Alto Networks anticipates releasing the first round of patches on May 13, 2026, with a second round of fixes estimated to be available around May 28, 2026, according to The Hacker News.