The vulnerability, tracked as CVE-2026-0300 with a CVSS score of 9.3, was weaponized as early as April 9, 2026, nearly a month before public disclosure on May 6, 2026, giving threat actors significant time to quietly compromise exposed systems.
CVE-2026-0300 is a buffer overflow flaw residing in PAN-OS’s User-ID Authentication Portal (also called the Captive Portal service), which handles user identification for unknown network traffic.
Attackers send specially crafted packets to vulnerable firewalls, triggering out-of-bounds memory writes that inject malicious shellcode directly into nginx worker processes.
The result is unauthenticated, root-level remote code execution: the highest possible privilege tier, reached without any credentials from the attacker.
Firewalls are at risk only when the User-ID Authentication Portal is enabled and exposed to untrusted networks or the Internet.
Palo Alto Networks Unit 42 researchers attributed the limited but targeted exploitation to a threat cluster designated CL-STA-1132, assessed as likely state-sponsored.
Post-exploitation behavior reveals a sophisticated adversary: attackers deployed tunneling tools like Earthworm and ReverseSocks5 for persistent command-and-control, conducted Active Directory enumeration using harvested credentials, and systematically wiped logs to erase forensic evidence.
The May 6 publication of proof-of-concept exploit code lowered the barrier significantly, validating attack mechanics and making reliable exploitation accessible to a wider range of threat actors.
The flaw spans four major PAN-OS release branches: 10.2, 11.1, 11.2, and 12.1.
Prisma Access, Cloud NGFW, and Panorama appliances are not affected. Patches are rolling out through May 2026, with some hotfixes not expected until May 28, 2026, leaving certain organizations in a prolonged exposure window.
Organizations that cannot patch immediately should take one of two actions:
Security teams should treat the identification and isolation of exposed Authentication Portal services as an urgent priority, as this configuration is the sole attack vector for CVE-2026-0300 exploitation.
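The exposure conditions above (an affected release branch, the Authentication Portal enabled, and the portal reachable from an untrusted zone) can be checked mechanically from a firewall's running-config export. The script below is an added example, not code from the article or from Palo Alto Networks. It parses a constructed configuration sample and a `sw-version` string of the kind `show system info` prints, and reports whether the device meets all three conditions. The XML element names and paths (`captive-portal/enable-captive-portal`, `interface-management-profile` entries with `response-pages`, zone `member` lists) are assumptions modelled on PAN-OS config exports; verify them against your own export before relying on the result. Which zones count as untrusted is supplied by the operator.

```python
import xml.etree.ElementTree as ET

# Affected release branches as stated in the article.
AFFECTED_BRANCHES = {"10.2", "11.1", "11.2", "12.1"}

# Constructed sample of a PAN-OS running-config export. Element names are
# assumptions modelled on real exports; check them against your own config.
SAMPLE_CONFIG = """<config>
 <devices>
  <entry name="localhost.localdomain">
   <network>
    <profiles>
     <interface-management-profile>
      <entry name="allow-portal"><response-pages>yes</response-pages></entry>
      <entry name="ping-only"><ping>yes</ping></entry>
     </interface-management-profile>
    </profiles>
    <interface>
     <ethernet>
      <entry name="ethernet1/1"><layer3>
       <interface-management-profile>allow-portal</interface-management-profile>
      </layer3></entry>
      <entry name="ethernet1/2"><layer3>
       <interface-management-profile>ping-only</interface-management-profile>
      </layer3></entry>
     </ethernet>
    </interface>
   </network>
   <vsys>
    <entry name="vsys1">
     <zone>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
     </zone>
     <captive-portal>
      <enable-captive-portal>yes</enable-captive-portal>
      <mode>redirect</mode>
     </captive-portal>
    </entry>
   </vsys>
  </entry>
 </devices>
</config>"""


def release_branch(sw_version: str) -> str:
    """'11.1.4-h2' -> '11.1': the major.minor release branch."""
    return ".".join(sw_version.strip().split(".")[:2])


def portal_enabled(root: ET.Element) -> bool:
    """True when the Authentication (captive) Portal is switched on."""
    node = root.find(".//captive-portal/enable-captive-portal")
    return node is not None and (node.text or "").strip() == "yes"


def response_page_profiles(root: ET.Element) -> set:
    """Management profiles that serve response pages, i.e. the portal listener."""
    return {
        e.get("name")
        for e in root.iterfind(".//interface-management-profile/entry")
        if (e.findtext("response-pages") or "").strip() == "yes"
    }


def interface_zones(root: ET.Element) -> dict:
    """Map interface name -> zone name from the zone membership lists."""
    zones = {}
    for z in root.iterfind(".//zone/entry"):
        for m in z.iterfind(".//member"):
            zones[(m.text or "").strip()] = z.get("name")
    return zones


def interface_profiles(root: ET.Element) -> dict:
    """Map interface name -> attached interface-management-profile name."""
    out = {}
    for iface in root.iterfind(".//network/interface//entry"):
        prof = iface.find(".//interface-management-profile")
        if prof is not None and iface.get("name"):
            out[iface.get("name")] = (prof.text or "").strip()
    return out


def assess(sw_version: str, config_xml: str, untrusted_zones: set) -> dict:
    """Apply the article's three exposure conditions to one firewall."""
    root = ET.fromstring(config_xml)
    branch = release_branch(sw_version)
    result = {
        "branch": branch,
        "branch_affected": branch in AFFECTED_BRANCHES,
        "portal_enabled": portal_enabled(root),
        "exposed_interfaces": [],
    }
    serving = response_page_profiles(root)
    zones = interface_zones(root)
    for iface, prof in sorted(interface_profiles(root).items()):
        zone = zones.get(iface)
        if prof in serving and zone in untrusted_zones:
            result["exposed_interfaces"].append((iface, zone, prof))
    # Verdict order matters: a patched branch needs no further triage.
    if not result["branch_affected"]:
        result["verdict"] = "unaffected-branch"
    elif not result["portal_enabled"]:
        result["verdict"] = "portal-disabled"
    elif result["exposed_interfaces"]:
        result["verdict"] = "exposed"
    else:
        result["verdict"] = "enabled-not-exposed"
    return result


if __name__ == "__main__":
    for ver in ("11.1.4", "10.1.9"):
        r = assess(ver, SAMPLE_CONFIG, {"untrust"})
        print(ver, r["verdict"], r["exposed_interfaces"])
```

A verdict of `exposed` names the interface, zone and management profile to act on, which is the concrete input an isolation change needs; `enabled-not-exposed` devices still warrant patching on the normal schedule, since the portal is running even if no untrusted zone currently reaches it.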
The post Palo Alto PAN-OS 0-Day Exploited to Execute Arbitrary Code as Root on Firewalls appeared first on Cyber Security News.