Palo Alto firewall zero-day exploited
- Palo Alto Networks disclosed CVE-2026-0300 on May 6 — a critical PAN-OS zero-day already exploited for root-level code execution on exposed firewalls.
- The bug sits in the User-ID Authentication Portal, scores 9.3, needs no login, and only hits PA-Series and VM-Series devices with captive portal exposed.
- This matters because firewall edge bugs keep turning into footholds, and this one gives attackers the box that sees everything.
Firewalls are supposed to be the thing that keeps attackers out. That is exactly why this Palo Alto bug matters so much. CVE-2026-0300 is not some obscure admin-only issue — it is an unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal, also called Captive Portal, and Palo Alto says it is already being exploited in the wild. On exposed PA-Series and VM-Series firewalls, a remote attacker can send crafted packets and end up running code as root. (security.paloaltonetworks.com)

### What is the vulnerable piece?

The vulnerable feature is the User-ID Authentication Portal. That is the web-facing component PAN-OS uses when the firewall cannot automatically map traffic to a user and needs the person to authenticate through a portal page. In other words, this is not the core packet filter by itself — it is an identity-related front end that can b(security.paloaltonetworks.com)ce. (security.paloaltonetworks.com)

### Why is “unauthenticated root RCE” the nightmare version?

Because there are almost no brakes on it. “Unauthenticated” means the attacker does not need valid credentials. “Remote code execution” means they can make the firewall run their code. “Root” means highest privilege on the box. Put those together and the attacker is not just poking at the edge — they can pot(security.paloaltonetworks.com)ind it. (security.paloaltonetworks.com)

### Which systems are actually exposed?

Not every Palo Alto product is in scope. Palo Alto says Prisma Access, Cloud NGFW, and Panorama are not affected. The issue applies to PA-Series and VM-Series firewalls running affected PAN-OS releases, but only when two conditions line up: the Authentication Portal is enabled, and an interface management profile with response p(security.paloaltonetworks.com) story — vulnerable code plus public reachability. (security.paloaltonetworks.com)

### What are attackers doing after they get in?
Unit 42 says the observed activity is limited so far, but the post-exploitation behavior is ugly. The tracked cluster — CL-STA-1132, described as likely state-sponsored — used the bug to inject shellcode into an nginx worker process. After that came tunneling tools like EarthWorm and ReverseSocks5, Active Directory enume(security.paloaltonetworks.com)tion to cover tracks. That is not smash-and-grab behavior. It looks like quiet persistence and lateral movement. (unit42.paloaltonetworks.com)

### Why does the captive portal angle matter so much?

Because organizations often think of these portals as convenience features, not as high-risk attack surfaces. But a public-facing authentication page on a firewall is basically a door cut into the perimeter appliance itself. If that door has a memory-corruption bug, the attacker does not need to beat the fir(unit42.paloaltonetworks.com)hed to the thing defenders trust most. (security.paloaltonetworks.com)

### Is there a patch yet?

Palo Alto published the advisory on May 5 and updated it on May 7 with fixed-version targets and ETAs. Some remediated releases are slated for May 13 and others for May 28, depending on PAN-OS branch. Until then, Palo Alto’s advice is simple: restrict the Authentication Portal to trusted internal IPs or disable it if you cannot. (security.paloaltonetworks.com)

### … could exposure be?

One public estimate flagged more than 5,800 internet-exposed VM-Series firewalls, with large concentrations in Asia and North America. That number is not a count of compromised systems, but it does show why defenders are taking this seriously. A bug like this does not need mass exploitation to become a major incident — it just needs a few reachable targets in the right environments. (bleepingcomputer.com)

### Bottom line

The immediate lesson is blunt — treat public firewall portals as dangerous attack surface, not harmless plumbing.
If the User-ID Authentication Portal is exposed, lock it down now, hunt for tunneling tools and wiped logs, and assume the firewall itself may be the initial foothold. (security.paloaltonetworks.com)
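The two exposure conditions above (Authentication Portal enabled, plus an interface management profile that serves response pages on a reachable interface) are something you can check from a configuration export rather than by probing the device. The following is an added example, not Palo Alto's own tooling: it parses a constructed XML snippet whose layout approximates a PAN-OS config export (element names such as `captive-portal`, `interface-management-profile`, `response-pages` and `permitted-ip` are assumptions here; verify them against a real export before relying on the script) and flags interfaces where the portal is reachable from an internet-facing zone with no `permitted-ip` restriction. It goes slightly beyond the article by also separating "exposed" from "restricted to trusted IPs", which is the mitigation the advisory recommends.

```python
"""Exposure check for the PAN-OS Authentication Portal conditions.

Added example, not Palo Alto's code. The XML layout below is a constructed
approximation of a PAN-OS configuration export; element names are assumptions.
"""
import xml.etree.ElementTree as ET

# Constructed sample config (assumed layout). ethernet1/1 sits in the untrust
# zone with a profile that serves response pages to anyone; ethernet1/2 serves
# response pages but only to 10.0.0.0/8; ethernet1/3 has no response pages at all.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles>
        <interface-management-profile>
          <entry name="portal-any"><response-pages>yes</response-pages></entry>
          <entry name="portal-internal">
            <response-pages>yes</response-pages>
            <permitted-ip><entry name="10.0.0.0/8"/></permitted-ip>
          </entry>
          <entry name="ping-only"><ping>yes</ping></entry>
        </interface-management-profile>
      </profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3><interface-management-profile>portal-any</interface-management-profile></layer3></entry>
        <entry name="ethernet1/2"><layer3><interface-management-profile>portal-internal</interface-management-profile></layer3></entry>
        <entry name="ethernet1/3"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1">
      <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
      <zone>
        <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
        <entry name="trust"><network><layer3><member>ethernet1/2</member><member>ethernet1/3</member></layer3></network></entry>
      </zone>
    </entry></vsys>
  </entry></devices>
</config>"""

# Assumption: these zone names mark interfaces reachable from the internet.
INTERNET_FACING_ZONES = {"untrust"}


def _profiles(root):
    """Map profile name -> whether it serves response pages and its permitted-ip list."""
    profiles = {}
    for entry in root.iterfind(".//interface-management-profile/entry"):
        serves_pages = entry.findtext("response-pages", default="no") == "yes"
        permitted = [e.get("name") for e in entry.iterfind("permitted-ip/entry")]
        profiles[entry.get("name")] = {"response_pages": serves_pages, "permitted_ip": permitted}
    return profiles


def _interface_profiles(root):
    """Map interface name -> attached management profile name (None if none)."""
    return {e.get("name"): e.findtext("layer3/interface-management-profile")
            for e in root.iterfind(".//interface/ethernet/entry")}


def _zones(root):
    """Map interface name -> zone name."""
    zones = {}
    for zone in root.iterfind(".//zone/entry"):
        for member in zone.iterfind("network/layer3/member"):
            zones[member.text] = zone.get("name")
    return zones


def _unrestricted(permitted_ip):
    # An empty permitted-ip list means any source may reach the portal;
    # an explicit any-address entry is the same thing.
    return not permitted_ip or any(p in ("0.0.0.0/0", "::/0") for p in permitted_ip)


def assess(xml_text, internet_zones=INTERNET_FACING_ZONES):
    """Return portal state plus lists of exposed and restricted portal interfaces."""
    root = ET.fromstring(xml_text)
    portal_on = root.findtext(".//captive-portal/enable-captive-portal") == "yes"
    result = {"portal_enabled": portal_on, "exposed": [], "restricted": []}
    if not portal_on:
        return result  # first condition not met: nothing to flag
    profiles, zones = _profiles(root), _zones(root)
    for iface, pname in _interface_profiles(root).items():
        prof = profiles.get(pname)
        if not prof or not prof["response_pages"]:
            continue  # no response pages served here
        finding = {"interface": iface, "zone": zones.get(iface),
                   "profile": pname, "permitted_ip": prof["permitted_ip"]}
        if zones.get(iface) in internet_zones and _unrestricted(prof["permitted_ip"]):
            result["exposed"].append(finding)
        else:
            result["restricted"].append(finding)
    return result


if __name__ == "__main__":
    report = assess(SAMPLE_CONFIG)
    print("Authentication Portal enabled:", report["portal_enabled"])
    for f in report["exposed"]:
        print("EXPOSED  ", f["interface"], "zone", f["zone"], "profile", f["profile"])
    for f in report["restricted"]:
        print("restricted", f["interface"], "permitted-ip", f["permitted_ip"] or "n/a")
```

Run against the sample, the script reports ethernet1/1 as exposed and ethernet1/2 as restricted; ethernet1/3 is ignored because its profile never serves response pages. Adding a `permitted-ip` entry to `portal-any`, or disabling the portal, empties the exposed list, which mirrors the two mitigations the advisory offers.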