[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f6Xg6RBqu8Cv1oP6CD9aY3vEpc9ekkhoADd1H5zsKZlc":3},{"article":4,"iocs":52},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":31,"category":32,"article_tags":36},"eacdd4d1-108c-458f-b9d4-2ee9a99a7708","Palo Alto Networks Warns of Actively Exploited PAN-OS Zero-Day Granting Root Access","palo-alto-networks-warns-of-actively-exploited-pan-os-zero-day-granting-root-acc-3418ad","Palo Alto Networks warned customers today that a critical unpatched vulnerability in PAN-OS is being actively exploited in attacks targeting internet-exposed firewalls.","Palo Alto Networks disclosed CVE-2026-0300, a critical unpatched buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) of PAN-OS affecting PA-Series and VM-Series firewalls. The flaw allows unauthenticated remote attackers to execute arbitrary code with root privileges on internet-exposed devices and is currently being actively exploited in the wild. Patches are expected May 13 and May 28, 2026; customers are advised to immediately restrict portal access to trusted IPs or disable it entirely.","Palo Alto Networks PAN-OS zero-day buffer overflow in User-ID Authentication Portal actively exploited for root access.","⚠ Zero-Day — Active Exploitation CVE CVE-2026-0300 CVSS 9.3 Critical Vector Network \u002F No Auth Patch Pending — May 13 Vulnerability Overview Palo Alto Networks warned customers today that a critical unpatched vulnerability in PAN-OS is being actively exploited in attacks targeting internet-exposed firewalls. Tracked as CVE-2026-0300, the flaw is a buffer overflow in the User-ID Authentication Portal (also known as the Captive Portal) service that allows an unauthenticated attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls. 
The vulnerability can be triggered remotely by sending specially crafted packets to the portal service. No credentials, user interaction, or prior access to the device is required. Palo Alto Networks describes the exploitation as automatable, and confirmed that limited exploitation has been observed targeting Authentication Portals exposed to untrusted IP addresses and the public internet. No patch is currently available. Palo Alto Networks plans to release the first round of hotfixes on May 13, 2026, with a second round expected around May 28. In the interim, the company is urging customers to restrict or disable the vulnerable portal immediately. Internet threat watchdog Shadowserver is currently tracking over 5,800 PAN-OS VM-series firewalls exposed online, with the majority located in Asia (2,466) and North America (1,998). CVE ID CVE-2026-0300 CVSS Score 9.3 — Critical Vulnerability Type Buffer Overflow (CWE-787) Attack Vector Network (Remote) Authentication None Required Privileges Gained Root Vendor Palo Alto Networks Affected Component User-ID Auth Portal (Captive Portal) Affected Products PA-Series, VM-Series Exploitation Status Active — In the Wild Exploit Maturity Attacked \u002F Automatable Patch Status Unpatched — ETA May 13 Technical Details CVE-2026-0300 is classified as an out-of-bounds write (CWE-787) in the User-ID Authentication Portal service within PAN-OS. This portal, also referred to as the Captive Portal, is used to identify unknown users by prompting them for credentials when the firewall cannot automatically map an IP address to a user identity. The vulnerability exists in the service's packet handling logic, where a buffer overflow can be triggered by sending specially crafted network packets. Because the overflow occurs in a pre-authentication code path, no credentials are needed to reach the vulnerable function. Successful exploitation overwrites memory in a way that allows the attacker to redirect execution flow and run arbitrary code. 
The service runs with root privileges on the underlying PAN-OS platform, meaning a successful exploit grants the attacker full root access to the firewall. The CVSS score varies depending on the exposure of the portal. When the Authentication Portal is accessible from the internet or any untrusted network, the score is 9.3 (Critical). When access is restricted to trusted internal IP addresses per Palo Alto's best practice guidelines, the score drops to 8.7. Prisma Access, Cloud NGFW, and Panorama appliances are not affected. No Patch Available — Zero-Day This vulnerability is currently unpatched. Palo Alto Networks is developing hotfixes with an estimated first release around May 13, 2026 and a second round around May 28. Organizations with exposed Authentication Portals should implement the workarounds described below immediately. For customers running PAN-OS 11.1 and above, Palo Alto has released an emergency Threat Prevention Signature to help block exploitation attempts. Affected Versions The vulnerability impacts multiple PAN-OS release trains. All versions listed below are vulnerable if the User-ID Authentication Portal is enabled. You can verify your configuration at Device → User Identification → Authentication Portal Settings → Enable Authentication Portal. PAN-OS Version Affected Before Fix ETA PAN-OS 12.1 \u003C 12.1.4-h5, \u003C 12.1.7 May 13 \u002F May 28 PAN-OS 11.2 \u003C 11.2.4-h17, \u003C 11.2.7-h13, \u003C 11.2.10-h6, \u003C 11.2.12 May 13 \u002F May 28 PAN-OS 11.1 \u003C 11.1.4-h33, \u003C 11.1.6-h32, \u003C 11.1.7-h6, \u003C 11.1.10-h25, \u003C 11.1.13-h5, \u003C 11.1.15 May 13 \u002F May 28 PAN-OS 10.2 \u003C 10.2.7-h34, \u003C 10.2.10-h36, \u003C 10.2.13-h21, \u003C 10.2.16-h7, \u003C 10.2.18-h6 May 13 \u002F May 28 Recommendations Restrict access to the Authentication Portal immediately. 
Configure firewall policies to allow access to the User-ID Authentication Portal only from trusted internal IP addresses and zones. Do not leave this portal exposed to the internet or untrusted networks. Disable the portal if not required. If your organization does not actively use the User-ID Authentication Portal, disable it entirely via Device → User Identification → Authentication Portal Settings → Disable Authentication Portal. Apply Threat Prevention Signatures. For firewalls running PAN-OS 11.1 and above with an active Threat Prevention subscription, apply the emergency signature released by Palo Alto Networks to block known exploitation patterns. Monitor for indicators of compromise. Review firewall logs for unusual access patterns to the Authentication Portal, unexpected process executions, and connections to unknown external infrastructure. A compromised firewall running as root gives an attacker full visibility into network traffic. Apply patches as soon as they are available. The first round of hotfixes is expected around May 13, 2026. Subscribe to the Palo Alto Networks security advisory RSS feed to receive notifications when patches are published. Context Palo Alto Networks firewalls are among the most widely deployed perimeter security devices in enterprise environments. The combination of pre-authentication access, root-level code execution, and automatable exploitation makes CVE-2026-0300 an exceptionally dangerous vulnerability. As SOCRadar noted in its analysis, this vulnerability has the profile that advanced persistent threat groups and ransomware operators actively seek: a network edge device with pre-auth RCE that provides full visibility into traffic flows and lateral movement capability. This is not the first time Palo Alto Networks has faced critical exploitation of its firewall products. The Tenable vulnerability database rates CVE-2026-0300 at a base score of 10.0, the maximum possible. 
The CISA Known Exploited Vulnerabilities catalog currently includes 13 Palo Alto product vulnerabilities, though CVE-2026-0300 has not yet been added. Organizations that fail to implement workarounds before patches become available should expect a surge in exploitation attempts as awareness of the vulnerability spreads.","https:\u002F\u002Fdarkwebinformer.com\u002Fpalo-alto-networks-warns-of-actively-exploited-pan-os-zero-day-granting-root-access\u002F","https:\u002F\u002Fstorage.ghost.io\u002Fc\u002F6b\u002F16\u002F6b16ac9c-cd67-432f-b0f3-bbec941084ff\u002Fcontent\u002Fimages\u002F2026\u002F05\u002Fpalo_alto_networks.jpg","2026-05-06T15:41:13+00:00","2026-05-06T16:00:15.682+00:00",9,[18,21,24,26,28],{"name":19,"type":20},"Palo Alto Networks","vendor",{"name":22,"type":23},"PAN-OS","product",{"name":25,"type":23},"PA-Series Firewall",{"name":27,"type":23},"VM-Series Firewall",{"name":29,"type":30},"User-ID Authentication Portal (Captive Portal)","technology","574f766a-fb3f-487c-8d2c-0720ae75471b",{"id":31,"icon":33,"name":34,"slug":35},null,"Zero-day","zero-day",[37,42,47],{"category":38},{"id":39,"icon":33,"name":40,"slug":41},"80544778-fabb-4dcd-aa35-17492e5dcf4f","Vulnerabilities","vulnerabilities",{"category":43},{"id":44,"icon":33,"name":45,"slug":46},"c5eccf7c-abbc-4bd3-bbed-e6da5cba8e73","Incident Response","incident-response",{"category":48},{"id":49,"icon":33,"name":50,"slug":51},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[53],{"type":54,"value":55,"context":56},"cve","CVE-2026-0300","Critical buffer overflow in PAN-OS User-ID Authentication Portal, actively exploited, CVSS 9.3"]