PAN-OS Authentication Portal Zero-Day (CVE-2026-0300) Under Active State-Sponsored Exploitation — No Patch Available

Summary

A critical buffer overflow vulnerability in Palo Alto Networks PAN-OS, tracked as CVE-2026-0300 (CVSSv4 9.3), is being actively exploited by a suspected state-sponsored threat cluster designated CL-STA-1132. The flaw affects the User-ID Authentication Portal (Captive Portal) on PA-Series and VM-Series firewalls, allowing unauthenticated remote attackers to achieve root-level code execution by sending specially crafted packets.

CISA has added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog. Unsuccessful exploitation attempts were observed as early as April 9, 2026, with successful remote code execution achieved approximately one week later. Attackers have been observed injecting shellcode into Nginx worker processes and actively covering their tracks by clearing crash kernel messages and deleting crash files.

No patches are currently available. Palo Alto Networks has published workarounds including restricting portal access to trusted IPs, disabling the feature if not needed, and enabling Threat ID 510019 via Advanced Threat Prevention. Fixed PAN-OS versions are expected to begin rolling out around May 13, 2026.

Source

📰 The Hacker News · Palo Alto Networks Advisory · Rapid7

Commentary

Another day, another Palo Alto Networks zero-day under active exploitation with no patch available. At this point, the pattern is becoming a trend: PAN-OS vulnerabilities with pre-auth RCE and nation-state exploitation before fixes ship. If your Authentication Portal is exposed to the internet, the workaround guidance isn’t optional — it’s an emergency.

The attribution to a state-sponsored cluster and the sophistication of the post-exploitation (shellcode injection into Nginx workers, forensic anti-analysis) suggest this isn’t opportunistic. Organizations running PA-Series or VM-Series firewalls should audit their exposure immediately and apply the recommended mitigations before the expected May 13 patch window.
