Palo Alto Networks PAN-OS Zero-Day (CVE-2026-0300) Actively Exploited — Root-Level RCE with No Patch Available
What Happened
Palo Alto Networks has confirmed that a critical zero-day vulnerability in its PAN-OS software is being actively exploited in the wild. Tracked as CVE-2026-0300, the flaw is a buffer overflow in the User-ID Authentication Portal (Captive Portal) service that allows unauthenticated attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls.
The vulnerability can be triggered by sending specially crafted packets to the authentication portal. Palo Alto Networks acknowledged that “limited exploitation has been observed targeting User-ID Authentication Portals exposed to untrusted IP addresses and/or the public internet,” and noted that exploitation is automatable, meaning mass scanning and exploitation are likely already underway or imminent.
Critically, no patch is available yet. The first round of fixes is expected around May 13, with a second wave around May 28. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
Source
Help Net Security — Root-level RCE vulnerability in Palo Alto firewalls exploited (CVE-2026-0300)
Palo Alto Networks Security Advisory
Why This Matters
Palo Alto firewalls are ubiquitous in enterprise networks. A pre-auth RCE at root privilege with no patch available is about as bad as it gets. The fact that exploitation is automatable means the window between now and May 13 is extremely dangerous for anyone running exposed User-ID portals.
If you’re running PA-Series or VM-Series firewalls, the immediate mitigation is to restrict access to the authentication portal to trusted internal networks only, or disable it entirely if not required. Standard perimeter hygiene — not exposing management interfaces to the internet — would have prevented most of the observed exploitation. Yet again, the basics prove to be the most important defense.
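To turn the mitigation above into a checklist, the following added example (not from Palo Alto Networks or the cited article) triages a firewall inventory by product line, portal state, and the source ranges allowed to reach the portal. The CSV columns, device names, and the RFC 1918 "trusted" ranges are assumptions made for illustration; the affected and unaffected product lists come from the summary above.

```python
import csv, io, ipaddress

# Product lines as listed in the summary above.
AFFECTED = {"PA-Series", "VM-Series"}
NOT_AFFECTED = {"Prisma Access", "Cloud NGFW", "Panorama"}
# Assumption: the organisation treats the RFC 1918 ranges as trusted internal networks.
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory; the column names are hypothetical, not a PAN-OS export format.
SAMPLE = """name,product,portal_enabled,portal_allowed_sources
fw-edge-01,PA-Series,yes,0.0.0.0/0
fw-branch-02,PA-Series,yes,10.20.0.0/16;192.168.5.0/24
fw-cloud-03,VM-Series,yes,10.0.0.0/8;203.0.113.0/24
fw-lab-04,VM-Series,no,
fw-dc-05,PA-Series,yes,
pano-01,Panorama,no,
"""

def untrusted_sources(field):
    """Return allowed source ranges that fall outside every trusted network.
    An empty allow-list means no restriction at all and is reported as 'any'."""
    entries = [s.strip() for s in field.split(";") if s.strip()]
    if not entries:
        return ["any"]
    outside = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED):
            outside.append(str(net))
    return outside

def triage(csv_text):
    """Map each device name to (status, untrusted source ranges)."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name, product = row["name"], row["product"]
        if product in NOT_AFFECTED:
            results[name] = ("not-affected", [])
        elif product not in AFFECTED:
            results[name] = ("unknown-product", [])
        elif row["portal_enabled"].strip().lower() != "yes":
            results[name] = ("portal-disabled", [])
        else:
            bad = untrusted_sources(row["portal_allowed_sources"] or "")
            results[name] = ("exposed", bad) if bad else ("restricted", [])
    return results

if __name__ == "__main__":
    for name, (status, detail) in triage(SAMPLE).items():
        print(f"{name:14} {status:16} {', '.join(detail)}")
```

Devices reported as "exposed" are the ones to restrict or disable first; a mixed allow-list such as the one on fw-cloud-03 still counts as exposed because a single public range is enough.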


