5,821 internet-exposed VM-Series Palo Alto firewalls were counted by the Shadowserver Foundation on Wednesday, a concrete and alarming figure in a developing advisory about an unpatched, actively exploited vulnerability.
The vulnerability: CVE-2026-0300 and the User-ID captive portal
Palo Alto Networks has described a buffer overflow vulnerability in a captive portal feature it calls "User-ID" that is built into PAN-OS software. The company’s alert says the flaw — tracked as CVE-2026-0300 — “allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.” The portal in question is used to authenticate unknown users accessing an internal network.
Scope: affected PAN-OS versions and appliances that are not impacted
Palo Alto said the vulnerability exists in PAN-OS versions 12.1, 11.2, 11.1 and 10.2. The vendor also specified that “Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.” Shadowserver’s count of 5,821 internet-exposed VM-Series firewalls underscores the number of devices visible on the public internet that could be reached if the captive portal is exposed.
Observed exploitation, vendor timeline, and the absence of a patch
The company reported seeing “limited exploitation” in the wild, specifically against customers that had the portal exposed to the outside internet. Palo Alto Networks said customers would be able to block exploitation by upgrading to fully patched PAN-OS software — but emphasized that such patched software had not yet been released at the time of the advisory. The vendor outlined forthcoming PAN-OS versions that will fix the issue, with some scheduled for release on May 13 and the remainder on May 28.
Full technical details about how CVE-2026-0300 is being leveraged in attacks remain unclear in the public record, and no proof-of-concept exploit code is available.
Mitigations administrators can deploy immediately
Palo Alto Networks assigned the vulnerability a “critical” CVSS score of 9.3, reflecting that the flaw can be triggered by unauthenticated actors. The company said administrators “can greatly reduce the risk of exploitation,” lowering the CVSS to 8.7 — a high rating — by restricting User-ID Authentication Portal access to only trusted internal IP addresses and preventing its exposure to the internet. Palo Alto added that organizations may eliminate the risk entirely by disabling the User-ID Authentication Portal “if not required.”
Some administrators have reported discovering the captive portal enabled by default in their products, which increases the urgency of checking configurations until patches are available.
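To show how the mitigations above translate into a configuration audit, here is an added example (not code from the advisory or from Palo Alto Networks) that triages a constructed firewall inventory: devices on an affected PAN-OS train with the User-ID Authentication Portal enabled and reachable from non-internal sources are ranked most urgent. The inventory fields, the hostnames and the use of RFC 1918 ranges as the definition of "trusted internal" are assumptions for this example, not PAN-OS's own export format.

```python
# Added example: triage a constructed inventory against the advisory's mitigations.
# The inventory layout is an assumption for this example, not a PAN-OS export format.
import ipaddress

# PAN-OS trains named as affected in the advisory (major.minor).
AFFECTED_TRAINS = {"12.1", "11.2", "11.1", "10.2"}

# RFC 1918 ranges, used here as the definition of "trusted internal" sources (assumption).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_affected_version(version: str) -> bool:
    """True when the version string starts with an affected train, e.g. '11.2.4-h3'."""
    parts = version.split(".")
    return len(parts) >= 2 and ".".join(parts[:2]) in AFFECTED_TRAINS

def allowed_sources_are_internal(sources) -> bool:
    """True only when every allowed source network sits inside an RFC 1918 range.
    An empty list means 'no restriction', which counts as exposed."""
    if not sources:
        return False
    for src in sources:
        net = ipaddress.ip_network(src, strict=False)
        if not any(p.version == net.version and net.subnet_of(p) for p in PRIVATE_NETS):
            return False
    return True

def triage(device: dict) -> str:
    """Rank one device as 'not-affected', 'mitigated', 'reduced' or 'urgent'."""
    # Only PA-Series and VM-Series are affected; Panorama, Prisma Access and Cloud NGFW are not.
    if device["model"] not in ("PA", "VM") or not is_affected_version(device["version"]):
        return "not-affected"
    if not device["portal_enabled"]:
        return "mitigated"   # portal disabled: risk eliminated per the advisory
    if allowed_sources_are_internal(device["portal_allowed_sources"]):
        return "reduced"     # restricted to internal IPs: risk reduced (CVSS 9.3 -> 8.7)
    return "urgent"          # affected, enabled and reachable from non-internal sources

# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    {"name": "fw-edge-1", "model": "VM", "version": "11.2.4-h3", "portal_enabled": True, "portal_allowed_sources": ["0.0.0.0/0"]},
    {"name": "fw-dc-2", "model": "PA", "version": "10.2.9", "portal_enabled": True, "portal_allowed_sources": ["10.0.0.0/8", "192.168.10.0/24"]},
    {"name": "fw-lab-3", "model": "PA", "version": "12.1.0", "portal_enabled": False, "portal_allowed_sources": []},
    {"name": "panorama-1", "model": "Panorama", "version": "11.1.2", "portal_enabled": True, "portal_allowed_sources": []},
]

def triage_inventory(inventory) -> dict:
    """Map each device name to its triage status."""
    return {d["name"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for name, status in triage_inventory(INVENTORY).items():
        print(f"{name}: {status}")
```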
Technical perspective and attacker opportunity
Security practitioners quoted in the advisory stressed two competing realities. On one hand, “Buffer overflows are generally considered hard to exploit reliably,” said Daniel Bechenea, product security manager at Pentest-Tools.com. On the other hand, he noted the exploitability profile is concerning because of the “network attack vector, low complexity, no special conditions required, no user interaction” — a combination that “suggests that exploitation is more straightforward than the vulnerability class alone would imply.”
Beyond code execution on the device itself, the advisory highlights a strategic risk: compromise of an edge firewall gives an attacker visibility into and control over traffic before most other defenses see it. The practical consequence is that a root-level compromise of a perimeter device would let an adversary sit upstream of the organization's other monitoring and filtering controls.
How technologists, affected enterprises, and adversaries are likely to respond
- Technologists and security teams: Expect immediate configuration audits. Teams will likely restrict or block external access to the User-ID Authentication Portal and, where feasible, disable the portal until the vendor’s patched PAN-OS releases are applied.
- Affected enterprises and procurement leaders: Organizations running PAN-OS 12.1, 11.2, 11.1 or 10.2 must reconcile exposure: those with internet-facing VM- or PA-Series devices face the highest urgency, and those who discovered the portal enabled by default will need to update procurement and deployment checklists.
- Adversaries and threat actors: With “limited exploitation” observed and no public proof-of-concept code available, opportunistic actors may attempt to test internet-exposed portals; the combination of network attack vector and low complexity could make such activity attractive to attackers willing to probe the exposed surface before patches ship.
The immediate record is clear: a high-severity, unauthenticated buffer overflow in a widely deployed captive-portal feature is being exploited at a scale small enough to be called “limited” but large enough to be measurable. Palo Alto Networks has promised patched PAN-OS releases in the coming weeks (May 13 and May 28 rollouts), and until those fixes are available the practical defense rests with configuration hardening and disabling the portal where it is not needed. The unanswered operational question is whether exposure will drop fast enough — and whether exploit details will remain out of public view — before more devices are compromised.