"This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses," a Palo Alto Networks spokesperson told CyberScoop.
The vulnerability: CVE-2026-0300 and what it can do
Palo Alto Networks says a critical memory corruption flaw — tracked as CVE-2026-0300 — affects the authentication portal in PAN-OS. The vendor reported that the defect allows unauthenticated attackers to execute code with root privileges on PA-Series and VM-Series firewalls. The company assigned the issue a CVSS score of 9.3 and described the attack complexity as low.
Exposure in the wild and scale of potential targets
Palo Alto Networks acknowledged limited exploitation has been observed but did not disclose when or how it first learned of the activity, nor the earliest known exploitation dates. Shadowserver scans, cited in the advisory, found more than 5,800 publicly exposed VM-Series firewalls running PAN-OS as of Tuesday. It remains unknown how many of those instances have the User-ID Authentication Portal restricted to trusted internal IP addresses or have disabled the feature entirely.
Palo Alto Networks’ response and patch timeline
The vendor said it has provided mitigation guidance and is working to release software fixes, with the first updates expected to be available on May 13. Palo Alto Networks emphasized the vulnerability does not impact Cloud NGFW or Panorama appliances. The company has not yet released a patch, published indicators of compromise, attributed the activity to a known threat group, or disclosed which types of organizations have been targeted or impacted.
Expert reactions and how the community is likely to respond
Benjamin Harris, CEO and founder of watchTowr, told CyberScoop that Palo Alto Networks proactively alerted customers — a step he described as "the best they can do immediately" while noting such alerts also publicize the vulnerability. Harris said watchTowr expects attacks linked to the exploit to be "very limited."
Caitlin Condon, vice president of security research at VulnCheck, warned that community attention will likely accelerate detection and exploitation activity. "It’s likely rules will also start to fire in third-party organizations and honeypots shortly," she told CyberScoop, and added that with researcher and community eyes on the vulnerability "it’s likely that we’ll see public exploits and broader exploitation quickly, provided the issue isn’t prohibitively difficult to exploit."
The Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog on Wednesday, signaling federal recognition of active exploitation.
What this means for technologists, affected enterprises, and adversaries
- Technologists and security teams: Palo Alto has provided mitigation guidance and told customers to secure exposed authentication portals immediately; researchers also advise applying patches upon their release. Teams will be watching for the vendor’s May 13 updates and for any published indicators of compromise that Palo Alto has not yet released.
- Affected enterprises and procurement leaders: Organizations running PA-Series or VM-Series firewalls must determine whether their User-ID Authentication Portal (Captive Portal) is exposed to the public internet or untrusted IP addresses and apply vendor mitigations now, then plan to deploy the forthcoming software fixes.
- Adversaries and threat actors: Public discussion and scanning by researchers make the vulnerability visible; experts expect detection rules and honeypot triggers to appear shortly and warn that public exploits and broader exploitation could follow quickly if the flaw is not difficult to weaponize.
Palo Alto Networks and its impacted customers remain the only parties reported to have observed exploitation so far. The coming days will show whether the limited exploitation reported by the vendor grows into broader campaigns once fixes or proof-of-concept code become public — and whether Palo Alto will publish indicators, attributions, or additional detail about affected organizations as defenders race to secure exposed portals.
Original story: https://cyberscoop.com/palo-alto-networks-pan-os-firewall-zero-day-vulnerability-exploited/