The issue affects the User-ID Authentication Portal, also known as the Captive Portal service, and stems from an out-of-bounds write weakness classified as CWE-787.
According to the vulnerability record, an unauthenticated attacker can send specially crafted packets to trigger arbitrary code execution with root privileges on PA-Series and VM-Series firewalls.
The warning is significant because PAN-OS firewalls often sit at the edge of enterprise networks and process large volumes of sensitive traffic.
A successful exploit could allow a remote attacker to take over the security appliance itself, potentially bypassing perimeter defenses, modifying traffic rules, intercepting network activity, or using the compromised device as a foothold for deeper intrusion.
Because the flaw requires no authentication, the attack path is especially dangerous in environments where the Captive Portal service is exposed to untrusted networks.
CISA added the vulnerability to the KEV catalog on May 6, 2026, and ordered Federal Civilian Executive Branch agencies to address it by May 9, 2026, under Binding Operational Directive 22-01.
While CISA has not publicly shared detailed exploitation chains or attribution, inclusion in the KEV list means there is reliable evidence that threat actors are already abusing the bug in real-world attacks.
The agency has not yet said whether the flaw is tied to ransomware operations, listing that status as unknown.
Palo Alto Networks described the issue as an out-of-bounds write in the PAN-OS User-ID Authentication Portal service. In simple terms, the vulnerable component can improperly write data outside expected memory boundaries when it receives malicious network input.
That memory corruption can then be weaponized to run attacker-controlled code as the root user, which is the highest privilege level on the system. In practice, that means an attacker could fully control the firewall operating system.
Security teams should pay close attention to internet-facing deployments, especially appliances where Captive Portal is enabled for guest access, authentication flows, or identity-based policy enforcement.
Even if organizations do not believe the service is widely used, any exposed authentication portal can become a high-value entry point.
Since firewalls are trusted infrastructure, a compromise may also be harder to detect than a traditional endpoint breach.
Until an official security fix is released, CISA is urging organizations to follow vendor instructions and immediately reduce exposure.
The agency’s recommended workaround is to restrict User-ID Authentication Portal access to trusted zones only and disable the feature entirely if it is not required.
For cloud environments, defenders should also follow applicable BOD 22-01 guidance. If mitigations cannot be applied, CISA advises discontinuing use of the vulnerable product until protections are available.
Organizations using Palo Alto PA-Series or VM-Series firewalls should also review firewall logs, management access records, and configuration changes for signs of suspicious activity.
Particular attention should be given to unexpected portal traffic, unexplained rule modifications, new administrative behavior, or signs that the device may have executed unauthorized processes.
Because exploitation grants root access, incident responders should treat confirmed compromise as a full device takeover and consider credential rotation, policy review, and broader network hunting.
The disclosure highlights a recurring security concern: when edge appliances contain remotely exploitable memory corruption flaws, attackers can turn defensive infrastructure into an offensive platform.
For defenders, the immediate priority is to clearly limit exposure, disable the vulnerable service where possible, and monitor closely until Palo Alto Networks releases a formal patch.
The post Critical Palo Alto Networks PAN-OS Vulnerability Exploited to Gain Root Access appeared first on Cyber Security News.