
Palo Alto PAN-OS Zero-Day Under Active Attack — No Patch Available Yet

CVE-2026-0300, a critical PAN-OS buffer overflow, is being actively exploited. Unauthenticated attackers can gain full root access.

CVE-2026-0300 zero-day

Attackers are already exploiting a critical zero-day vulnerability in Palo Alto Networks' PAN-OS, the operating system powering the company's widely deployed enterprise firewalls — and patches won't arrive until May 13 at the earliest.

The flaw, tracked as CVE-2026-0300, is a buffer overflow in the User-ID Authentication Portal — also known as the Captive Portal — a PAN-OS feature that authenticates users when the firewall cannot automatically map an IP address to a known identity. The vulnerability carries a CVSS 4.0 score of 9.3, placing it firmly in the Critical tier.

The zero-day allows unauthenticated attackers to execute arbitrary code with root privileges on internet-exposed PA-Series and VM-Series firewalls by sending specially crafted network packets. In plain terms: no login, no credentials, full ownership of the firewall.

In-Wild Exploitation

Palo Alto Networks confirmed in its advisory that "limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet." In the threat intelligence community, "limited exploitation" is typically code for highly targeted attacks — often the calling card of nation-state actors probing high-value networks.

Internet threat watchdog Shadowserver is currently tracking over 5,800 PAN-OS VM-Series firewalls exposed online, with the largest concentrations in Asia (2,466 devices) and North America (1,998). Every one of those devices is a potential target if the Captive Portal is enabled and reachable from the internet.

The vulnerability has already reached the "ATTACKED" stage in exploit maturity, and Palo Alto has confirmed that exploitation of CVE-2026-0300 is automatable — meaning threat actors can script and scale attacks without manual intervention.

What Makes This Particularly Dangerous

The flaw is rooted in CWE-787 (Out-of-bounds Write), a class of memory corruption bugs that allow attackers to overwrite adjacent memory and redirect program execution. Because the Authentication Portal is a network-facing service, no user interaction is required — an attacker anywhere on the internet can trigger the exploit if the portal is left exposed.

Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability. The risk is confined strictly to PA-Series and VM-Series hardware and virtual firewalls with the User-ID Authentication Portal switched on.

Patches Coming in Waves

Patches are rolling out in a staggered schedule between May 13 and May 28, 2026, depending on the PAN-OS branch. Additionally, Palo Alto released a Threat Prevention Signature for PAN-OS 11.1 and above starting May 5, 2026, which can detect and block exploitation attempts.

CISA's Known Exploited Vulnerabilities catalog currently includes 13 Palo Alto product vulnerabilities, but CVE-2026-0300 has not yet been added — an addition that may well come soon, given confirmed in-the-wild exploitation. Given that Palo Alto Networks' products are used by over 70,000 customers worldwide, including 90% of Fortune 10 companies, the blast radius of widespread exploitation would be enormous.

What Administrators Should Do Right Now

Patches aren't here yet, but mitigation options exist. Palo Alto recommends one of two immediate actions:

  • Restrict access to the User-ID Authentication Portal to trusted internal IP addresses only — eliminating internet exposure entirely.
  • Disable the Authentication Portal outright if your organization doesn't actively use it.

Administrators should verify their exposure status by navigating to Device → User Identification → Authentication Portal Settings → Enable Authentication Portal in the PAN-OS management interface. If that setting is enabled and the portal is reachable from an untrusted network, treat it as a live incident-in-waiting.

Apply the Threat Prevention Signature update immediately (via Device → Dynamic Updates) and schedule patching to the fixed PAN-OS versions the moment they become available on May 13.
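To make the mitigation checklist above repeatable across a fleet, here is an added triage script (not Palo Alto's tooling) that applies the article's decision rules to a constructed inventory: only PA-Series and VM-Series devices with the Authentication Portal enabled are in scope, a portal reachable from untrusted networks is flagged as an incident, and the Threat Prevention Signature is only assumed available for PAN-OS 11.1 and later. The inventory record format is an assumption, not a PAN-OS export.

```python
"""Fleet triage for CVE-2026-0300 exposure (added example, not Palo Alto code).
Rules follow the advisory summary; the Firewall record format is assumed."""
from dataclasses import dataclass

@dataclass
class Firewall:
    name: str
    family: str                # "PA-Series", "VM-Series", "Panorama", ...
    panos_version: str         # e.g. "11.1.4" or "10.2.9-h3"
    portal_enabled: bool       # Device > User Identification > Authentication Portal Settings
    untrusted_reachable: bool  # portal reachable from the internet / untrusted IPs

AFFECTED_FAMILIES = {"PA-Series", "VM-Series"}   # Prisma Access, Cloud NGFW, Panorama not impacted
SIGNATURE_MIN_VERSION = (11, 1)                   # signature released for 11.1 and above

def parse_version(v: str) -> tuple:
    """Turn '11.1.4-h3' into (11, 1, 4); the hotfix suffix is ignored."""
    return tuple(int(p) for p in v.split("-")[0].split("."))

def triage(fw: Firewall) -> dict:
    """Return the risk level and ordered mitigation actions for one device."""
    if fw.family not in AFFECTED_FAMILIES or not fw.portal_enabled:
        return {"risk": "not-affected", "actions": []}
    actions = []
    if fw.untrusted_reachable:
        risk = "incident"   # enabled portal reachable from untrusted space
        actions.append("restrict the portal to trusted internal IPs or disable it now")
        actions.append("review portal logs for exploitation attempts")
    else:
        risk = "exposed-internal"
        actions.append("confirm the portal stays unreachable from untrusted networks")
    if parse_version(fw.panos_version) >= SIGNATURE_MIN_VERSION:
        actions.append("apply the Threat Prevention Signature via Dynamic Updates")
    else:
        actions.append("no signature for this branch; rely on access restriction")
    actions.append("upgrade to the fixed release when available (from May 13)")
    return {"risk": risk, "actions": actions}

# Constructed inventory for the demo; these are not real devices.
INVENTORY = [
    Firewall("edge-fw-1", "VM-Series", "11.1.4", True, True),
    Firewall("dc-fw-2", "PA-Series", "10.2.9-h3", True, False),
    Firewall("mgmt-pan", "Panorama", "11.1.4", False, False),
]

def triage_all(inventory=INVENTORY) -> dict:
    """Map each device name to its triage result."""
    return {fw.name: triage(fw) for fw in inventory}

if __name__ == "__main__":
    for name, result in triage_all().items():
        print(name, result["risk"], *result["actions"], sep="\n  ")
```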
