Palo Alto issues emergency PAN‑OS patches; responders urge immediate updates
- Palo Alto Networks disclosed active exploitation of CVE-2026-0300 in PAN-OS and published emergency fixed versions, after days of telling customers to lock down Captive Portal.
- The bug is a CVSS 9.3 unauthenticated buffer overflow in the User-ID Authentication Portal that can hand attackers root on exposed PA-Series and VM-Series firewalls.
- CISA already put the flaw in KEV, which turns this from a vendor patch cycle into an urgent enterprise and federal response.

Firewalls are supposed to be the thing standing between your network and everyone else. That is why this Palo Alto PAN-OS bug landed so hard. CVE-2026-0300 is not a fussy edge case — it is an unauthenticated remote-code-execution flaw in a firewall feature, and successful exploitation can give an attacker root on the box itself. Palo Alto disclosed active exploitation on May 5, CISA added it to the KEV list on May 6, and Palo Alto’s advisory now maps out fixed PAN-OS builds customers need to move to fast.

### What is the vulnerable thing here?

The bug sits in the User-ID Authentication Portal — also called Captive Portal — inside PAN-OS. That portal is used to identify or authenticate users on the network. Palo Alto says the flaw is a buffer overflow that lets an unauthenticated attacker send crafted packets and execute code with root privileges on PA-Series and VM-Series firewalls. Prisma Access, Cloud NGFW, and Panorama are not affected. (security.paloaltonetworks.com)

### Why is root on a firewall such a big deal?

Because a firewall is not just another server. It sees traffic, enforces policy, and often sits in the middle of sensitive paths between users, apps, and internal systems. Root on that device can mean traffic visibility, policy tampering, stealthy persistence, and a launch point for moving deeper into the network. Basically, if the guard booth gets taken over, the rest of the compound gets a lot harder to trust. This last part is an inference from the role of the device and the post-compromise activity Palo Alto described. (security.paloaltonetworks.com)

### Which systems are actually exposed?

Not every PAN-OS deployment is vulnerable in practice. Palo Alto says two conditions have to be true: the User-ID Authentication Portal must be enabled, and a management interface profile with response pages enabled must be attached to an L3 interface where untrusted or internet traffic can reach it. That is why the immediate advice before patching was to restrict access to trusted internal IPs or disable the portal if that was not possible. (security.paloaltonetworks.com)

### What did attackers do with it?

Unit 42 says exploitation tied to a cluster it calls CL-STA-1132 started with unsuccessful attempts on April 9, 2026. About a week later, the actor achieved RCE, injected shellcode, and then cleaned up logs to reduce detection. Reporting on the incident chain says the attackers also deployed Earthworm and ReverseSocks5 tunneling tools — the kind of tooling you use when the goal is quiet access and lateral movement, not smash-and-grab disruption. (security.paloaltonetworks.com)

### What changed now?

The big shift is that this is no longer just “mitigate and wait.” Palo Alto’s advisory lists patched target versions across affected release trains, with some fixes slated for May 13 and others for May 28 depending on branch. So responders now have a concrete upgrade path, not just exposure reduction steps.

### Why did CISA’s move matter?

KEV inclusion changes the tempo. Once CISA adds a bug to the Known Exploited Vulnerabilities catalog, federal agencies get a remediation clock, and everyone else gets a very clear signal that this is not theoretical. (bleepingcomputer.com) CISA’s language is blunt — active exploitation, significant risk, prioritize remediation.

### What should defenders do first?

First, find every firewall with the Authentication Portal enabled and exposed to untrusted networks. Then restrict that access immediately or disable the feature, review logs and crash artifacts for signs of exploitation, and move to Palo Alto’s fixed builds as soon as the right branch is available. The catch is that edge-device compromises can erase their own traces, so absence of obvious logs should not be mistaken for safety. (security.paloaltonetworks.com) (cisa.gov)

### Bottom line

This is the ugly version of a firewall bug — internet reachable, no login required, root on success, and real attackers already using it. If you run affected PAN-OS builds with Captive Portal exposed, this is a patch-now problem, not a next-maintenance-window problem. (security.paloaltonetworks.com)
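The exposure conditions and the "what should defenders do first" steps above, turned into a fleet triage helper. This is an added example, not code from Palo Alto or from the article; the inventory records, hostnames and the `Interface`/`Firewall` fields are constructed assumptions standing in for whatever your asset system exports.

```python
"""Rank firewalls by CVE-2026-0300 exposure: portal enabled AND response pages on an untrusted L3 interface."""
from dataclasses import dataclass, field

# Product scoping as stated on this page: PA-Series / VM-Series affected; these three are not.
AFFECTED_PRODUCTS = {"PA-Series", "VM-Series"}
NOT_AFFECTED_PRODUCTS = {"Prisma Access", "Cloud NGFW", "Panorama"}


@dataclass
class Interface:
    name: str
    layer3: bool            # only L3 interfaces matter for the exposure condition
    untrusted: bool         # reachable from the internet or another untrusted zone
    response_pages: bool    # management interface profile with response pages enabled is attached


@dataclass
class Firewall:
    hostname: str
    product: str
    portal_enabled: bool    # User-ID Authentication Portal (Captive Portal) turned on
    interfaces: list = field(default_factory=list)


def exposed_interfaces(fw: Firewall) -> list:
    """Interfaces where untrusted traffic can reach the portal's response pages."""
    return [i.name for i in fw.interfaces if i.layer3 and i.untrusted and i.response_pages]


def triage(fw: Firewall) -> tuple:
    """Return (priority, action). 1 = act now, 2 = patch on the fixed-build schedule, 3 = not affected."""
    if fw.product in NOT_AFFECTED_PRODUCTS:
        return 3, "not affected per advisory"
    if fw.product not in AFFECTED_PRODUCTS:
        return 2, "unlisted product family; confirm against the advisory before deprioritising"
    if not fw.portal_enabled:
        return 2, "portal disabled; upgrade when the fixed build for this branch ships"
    hits = exposed_interfaces(fw)
    if hits:
        return 1, ("portal reachable from untrusted traffic on " + ", ".join(hits)
                   + "; restrict to trusted IPs or disable the portal, review logs, then patch")
    return 2, "portal enabled but not reachable from untrusted interfaces; patch on schedule"


def rank(fleet: list) -> list:
    """Hostnames ordered most urgent first."""
    return [fw.hostname for fw in sorted(fleet, key=lambda fw: triage(fw)[0])]


# Constructed sample inventory (not real devices).
SAMPLE_FLEET = [
    Firewall("edge-fw-1", "PA-Series", True, [Interface("ethernet1/1", True, True, True)]),
    Firewall("dc-fw-2", "VM-Series", True, [Interface("ethernet1/3", True, False, True)]),
    Firewall("branch-fw-3", "PA-Series", False, [Interface("ethernet1/1", True, True, True)]),
    Firewall("panorama-1", "Panorama", False, []),
]

if __name__ == "__main__":
    for fw in sorted(SAMPLE_FLEET, key=lambda fw: triage(fw)[0]):
        print(fw.hostname, *triage(fw))
```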