Palo Alto Networks Warns of Firewall RCE Zero-Day Exploited in Attacks
Palo Alto Networks warns of a critical unpatched zero-day in the PAN-OS User-ID Authentication Portal (Captive Portal), tracked as CVE-2026-0300. The flaw, a buffer overflow, could allow unauthenticated attackers to execute code with root privileges on internet-facing PA-Series and VM-Series firewalls via crafted packets. Limited exploitation has been observed, and admins are urged to restrict portal access or disable it until a patch is released. Shadowserver data show thousands of PAN-OS VM-series devices online, underscoring the widespread risk.

Overview
- A critical, unpatched vulnerability in the PAN-OS User-ID Authentication Portal (also known as the Captive Portal) is being actively exploited in the wild.
- The flaw is tracked as CVE-2026-0300 and stems from a buffer overflow that allows unauthenticated attackers to execute arbitrary code with root privileges on internet-exposed PA-Series and VM-Series firewalls through specially crafted packets.
- Palo Alto Networks has urged customers to assess exposure, noting that exploitation has been observed in limited scenarios where the portal is reachable from untrusted or public Internet sources.
- While the vendor continues to work on a patch, the advisory emphasizes that restricting access to trusted networks greatly reduces risk.
Vulnerability Details
- Identifier and class: CVE-2026-0300, a zero-day buffer overflow vulnerability within the User-ID Authentication Portal.
- Impact: Unauthenticated remote code execution with root privileges on PAN-OS devices.
- Affected surface: The User-ID Authentication Portal, part of PAN-OS, used to map IP addresses to user identities for clients that cannot be automatically associated with a login.
- Severity and status: Rated as the highest possible severity; a patch is not yet available at the time of advisory.
Exploitation Landscape
- Observed activity: Limited exploitation attempts have been detected targeting portals exposed to untrusted IPs or the public Internet.
- Risk model: Systems that are accessible only via trusted internal networks face a greatly reduced risk, according to the advisory.
- Typical payloads: Attackers attempt to trigger the overflow through crafted network packets directed at the captive portal service to gain control over affected devices.
Exposure and Affected Deployments
- Global exposure: Shadowserver indicators show a substantial number of PAN-OS VM-Series firewalls exposed online.
- Device distribution: The majority of exposed devices are VM-Series, with notable concentrations in Asia and North America.
- Quantitative snapshot: Thousands of VM-Series deployments are publicly reachable, highlighting a broad potential attack surface for this zero-day.
Configuration and Verification
- How to determine if the portal is enabled: Access the PAN-OS configuration settings related to user identification and the authentication portal.
- Path to check: Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.
- What to look for: Whether the User-ID Authentication Portal is configured and reachable from networks that are not fully trusted or controlled.
- Additional context: As part of the same assessment, administrators should also review network access controls and whether management interfaces are reachable from the Internet; this section covers verification only, not remediation.
Historical Context and Related Incidents
- Prior PAN-OS zero-days: The ecosystem has a history of publicly exploited PAN-OS flaws, including high-profile campaigns that leveraged multiple vulnerabilities in succession.
- Notable campaigns: Earlier in 2024, vast numbers of firewalls were compromised through chained PAN-OS flaws, underscoring the persistent risk surface posed by internet-exposed firewall management and authentication endpoints.
- Ongoing risk pattern: The combination of zero-days and internet-facing management surfaces has repeatedly driven significant attacker interest in PAN-OS devices.
Impact on the Customer Base
- Reach of PAN-OS products: The technology is deployed across tens of thousands of organizations, including a significant share of large enterprise and financial sector customers.
- Adoption footprint: The platforms serve a broad international customer base, with coverage across major industries and critical infrastructure.
Technical Context and Security Posture
- Core takeaway: The combination of a zero-day vulnerability in a publicly exposed portal and the prevalence of internet-facing PAN-OS deployments creates a notable risk of remote code execution on affected devices.
- Practical implications: Enterprises relying on PAN-OS to enforce perimeters and access controls should prioritize visibility into which systems expose the User-ID Authentication Portal and assess external exposure levels.
- Observability cues: Security teams should monitor for unusual traffic patterns to the captive portal endpoints, particularly connections from untrusted or public sources, and check exposed devices for signs of compromise such as unexpected root-level activity.
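To make the "reachable from networks that are not fully trusted" check and the observability cue concrete, here is an added triage example (not code from Palo Alto Networks or the advisory) that runs a constructed, simplified traffic log through a trusted-network filter and flags portal connections from untrusted sources. The CSV layout, the trusted ranges, and the assumption that the portal listens on TCP 6080-6082 are all illustrative; confirm the ports against your own deployment.

```python
import csv
import ipaddress
from collections import Counter
from io import StringIO

# Constructed, simplified log lines (not real PAN-OS traffic-log output):
# timestamp,src_ip,dst_ip,dst_port,action
SAMPLE_LOG = """\
2026-01-10T08:00:01Z,10.20.1.15,203.0.113.10,6082,allow
2026-01-10T08:00:02Z,198.51.100.77,203.0.113.10,6082,allow
2026-01-10T08:00:02Z,198.51.100.77,203.0.113.10,6082,allow
2026-01-10T08:00:03Z,198.51.100.77,203.0.113.10,6081,allow
2026-01-10T08:00:04Z,10.20.1.22,203.0.113.10,443,allow
2026-01-10T08:00:05Z,192.0.2.9,203.0.113.10,6082,allow
"""

# Networks the organisation treats as trusted (illustrative values).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
# Assumed Authentication Portal listener ports; verify for your deployment.
PORTAL_PORTS = {6080, 6081, 6082}


def parse_log(text):
    """Parse the simplified CSV into dicts with typed source address and port."""
    rows = csv.reader(StringIO(text))
    return [
        {"ts": r[0], "src": ipaddress.ip_address(r[1]), "dst": r[2],
         "dport": int(r[3]), "action": r[4]}
        for r in rows if r
    ]


def is_trusted(addr, nets=TRUSTED_NETS):
    """True when the address falls inside any configured trusted network."""
    return any(addr in n for n in nets)


def untrusted_portal_hits(records):
    """Portal-port connections whose source is outside the trusted networks."""
    return [r for r in records
            if r["dport"] in PORTAL_PORTS and not is_trusted(r["src"])]


def top_untrusted_sources(records, threshold=2):
    """Untrusted sources that hit the portal at least `threshold` times."""
    counts = Counter(str(r["src"]) for r in untrusted_portal_hits(records))
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(f"{len(untrusted_portal_hits(recs))} untrusted portal connections")
    print("repeat sources:", top_untrusted_sources(recs))
```

Any non-empty result from `untrusted_portal_hits` means the portal is reachable from outside the trusted networks, which is exactly the exposure the advisory says to eliminate by restricting or disabling the portal.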
References and Source Context
- Security advisory: Official advisory from Palo Alto Networks describing CVE-2026-0300 and its active exploitation in real-world scenarios.
- Exposure data: Public threat intelligence aggregators tracking internet-exposed PAN-OS devices and their geographic distribution.
- Related coverage: Prior reporting on PAN-OS zero-days and their use in broad attack campaigns, illustrating the historical context of this class of vulnerability.