Palo Alto Networks Warns of Firewall RCE Zero-Day Exploited in Attacks


What happened

Palo Alto Networks has disclosed a critical unpatched vulnerability in the PAN-OS User-ID Authentication Portal, tracked as CVE-2026-0300, that is being actively exploited in attacks against internet-exposed PA-Series and VM-Series firewalls. The company confirmed limited exploitation has been observed and said the first software fixes are expected on May 13, 2026.

The zero-day stems from a buffer overflow weakness that allows unauthenticated attackers to execute arbitrary code with root privileges by sending specially crafted packets to firewalls with the User-ID Authentication Portal exposed to untrusted IP addresses or the public internet. Palo Alto Networks has rated the vulnerability at the highest possible severity. Shadowserver is currently tracking over 5,800 PAN-OS VM-Series firewalls exposed online, with the largest concentrations in Asia at 2,466 and North America at 1,998.

Until a patch is available, Palo Alto Networks strongly recommends restricting the User-ID Authentication Portal to trusted internal zones only, or disabling it entirely if restriction is not possible. Administrators can check whether the vulnerable service is enabled under Device > User Identification > Authentication Portal Settings. The vulnerability does not affect Cloud NGFW or Panorama appliances.

PAN-OS firewalls have been targeted repeatedly in recent months. In November 2024, thousands of firewalls were compromised through chained zero-days. In December, attackers exploited a DoS flaw to force reboots and disable firewall protections. In February, three additional PAN-OS flaws were used to compromise internet-facing management interfaces.

Who is affected

Organizations running PA-Series or VM-Series firewalls with the User-ID Authentication Portal exposed to untrusted networks or the public internet are directly at risk. Palo Alto Networks products are used by more than 70,000 customers worldwide, including 90% of Fortune 10 companies and most of the largest US banks. Customers with the portal restricted to trusted internal networks face significantly reduced risk.

Why CISOs should care

This is the fourth significant PAN-OS exploitation campaign in under six months, establishing a clear and consistent pattern of state-sponsored and criminal actors actively hunting for and weaponizing PAN-OS vulnerabilities. A buffer overflow that delivers unauthenticated root-level code execution on a network security device is among the most severe possible vulnerability classes. With over 5,800 instances exposed and active exploitation confirmed, the window between disclosure and broad opportunistic exploitation is narrow.

Because no patch will be available until May 13, restricting or disabling the portal is the only defense for the coming week.

3 practical actions

  1. Immediately restrict the User-ID Authentication Portal to trusted internal zones or disable it: This is the only available mitigation until patches arrive on May 13. Verify portal status under Device > User Identification > Authentication Portal Settings and act immediately on any instance with public internet or untrusted network exposure.
  2. Audit all internet-facing PAN-OS firewall configurations for unnecessary service exposure: The repeated exploitation of PAN-OS vulnerabilities through internet-exposed management and authentication interfaces points to a systemic configuration risk. Conduct a full audit of which PAN-OS services are accessible from untrusted networks and apply the principle of least exposure across all management, authentication, and monitoring interfaces.
  3. Prioritize May 13 patch deployment and establish rollout readiness now: With a confirmed patch date, prepare your change management and deployment processes to apply the fix as soon as it becomes available. Given the active exploitation and the pattern of rapid widening in PAN-OS attack campaigns, treating May 13 as an emergency patch deployment rather than a scheduled update is warranted.