Palo Alto Networks warns of firewall RCE zero-day exploited in attacks
Source: Bleeping Computer

Vulnerability Details
Palo Alto Networks warned customers that a critical‑severity, unpatched vulnerability in the PAN‑OS User‑ID Authentication Portal (also known as the Captive Portal) is being exploited in the wild.
- Feature affected: PAN‑OS User‑ID Authentication Portal – authenticates users whose identities cannot be automatically mapped by the firewall.
- CVE: CVE‑2026‑0300
- Root cause: Buffer overflow that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet‑exposed PA‑Series and VM‑Series firewalls via specially crafted packets.
Palo Alto Networks stated in its advisory that “limited exploitation has been observed targeting Palo Alto Networks User‑ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet.” Customers that restrict the portal to trusted internal networks are at greatly reduced risk.
Exploitation and Impact
- Exposure: Shadowserver is tracking over 5,800 PAN‑OS VM‑Series firewalls exposed online, with the majority located in Asia (2,466) and North America (1,998).
  Figure: VM‑Series firewalls exposed online (Shadowserver)
- The vulnerability has been flagged as the highest possible severity. Administrators can verify whether their firewalls are using the vulnerable service from the User‑ID Authentication Portal Settings page (Device → User Identification → Authentication Portal Settings → Enable Authentication Portal).
Mitigation Recommendations
Until a patch is released, Palo Alto Networks strongly recommends:
- Restrict access to the User‑ID Authentication Portal to trusted zones only.
- Disable the portal entirely if it cannot be securely limited to internal networks.
These steps reduce the attack surface for unauthenticated exploitation.
Historical Context
PAN‑OS firewalls have been frequent targets for zero‑day attacks:
- November 2024: Shadowserver reported thousands of compromised firewalls, noting that attackers chained two PAN‑OS zero‑day vulnerabilities.
- December 2024: A separate PAN‑OS DoS flaw was exploited to force PA‑Series, VM‑Series, and CN‑Series firewalls to reboot, disabling protection.
- February 2025: Attackers leveraged three additional PAN‑OS flaws to compromise firewalls with Internet‑facing management interfaces.
These incidents illustrate a pattern of rapid exploitation of newly disclosed vulnerabilities in Palo Alto Networks products.
Palo Alto Networks Reach
Palo Alto Networks states that its products and services are used by more than 70,000 customers worldwide, including 90 % of Fortune 10 companies and the majority of the largest U.S. banks.