Palo Alto firewall zero day

- Palo Alto Networks disclosed an actively exploited PAN-OS zero-day on May 6 that lets unauthenticated attackers get root on exposed firewalls. (security.paloaltonetworks.com)
- The bug is CVE-2026-0300, a 9.3-severity buffer overflow in the User-ID Authentication Portal, with fixes rolling out from May 13 to May 28. (security.paloaltonetworks.com)
- The danger is exposure, not every box — only firewalls with Captive Portal enabled on internet-facing interfaces are in scope. (security.paloaltonetworks.com)

Firewall bugs are always bad, but this is the version defenders hate most. A device that is supposed to sit at the edge and protect the network can itself(security.paloaltonetworks.com)is the shape of Palo Alto Networks’ new zero-day, CVE-2026-0300, which the company says has already been used in real attacks against PAN-OS firewalls. (security.paloaltonetworks.com)

### What exactly is broken?

The flaw sits in PAN-OS’s User-ID Authentication Portal, also called Captive Portal. That fe(security.paloaltonetworks.com) before allowing access. Palo Alto says the bug is a buffer overflow in that service, and a remote attacker can send specially crafted packets to execute arbitrary code as root on affected PA-Series and VM-Series firewalls. (security.paloaltonetworks.com)

### Why is “root on the firewall” so serious?

Because the firewall is not just another serv(security.paloaltonetworks.com)tacker owns that box, they can potentially tamper with rules, spy on traffic, create persistence, pivot deeper into the network, or blind defenders by altering what gets logged. The bug also needs no prior access and no credentials, which is why Palo Alto marked it critical with a CVSS score of 9.3. (security.paloaltonetworks.com)

### Is every Palo Alto firewall exposed?

No(security.paloaltonetworks.com) are true: the User-ID Authentication Portal is enabled, and an interface management profile with response pages is tied to an external or otherwise untrusted interface. Prisma Access, Cloud NGFW, and Panorama are not affected. So this is not “every PAN-OS box on earth.” It is the subset with that portal reachable where attackers can hit it. (security.paloaltonetworks.com)

### Why are people calling it a zero-day?

Becaus(security.paloaltonetworks.com)els the exploit maturity as “ATTACKED” and says the issue was discovered in production use. CISA also added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog on May 6, which is the government’s way of saying this is not hypothetical anymore. (security.paloaltonetworks.com)

### Who is behind the attacks?

Palo Alto’s Unit 42 says it is tracking the activity as CL-STA-1132 and assesses the cluster as likely (security.paloaltonetworks.com)but “limited” is not comforting here — edge-device zero-days often start with selective targeting before wider scanning and copycat exploitation kick in. (scworld.com)

### What can defenders do before patches arrive?

The main move is to reduce exposure. Palo Alto says risk drops (security.paloaltonetworks.com)dresses. In plain English, do not leave this portal reachable from the public internet if you can avoid it. Teams also need to check whether the feature is enabled at all, identify any internet-facing interfaces with response pages turned on, and review devices for signs of compromise. (security.paloaltonetworks.com)

#(scworld.com)ed for May 28, 2026, depending on the release train. That means some admins can patch soon, but others may have to lean on mitigations first. The affected and remediated versions are listed in Palo Alto’s advisory. (security.paloaltonetworks.com)

### Bottom line

This is an edge-device zero-day with the worst combination of traits — unauthenticated, remote, root-level, and already exploited. The catch is that exposure depends on(security.paloaltonetworks.com)ble from untrusted networks, this moves to the top of the queue right now. (security.paloaltonetworks.com)
