Palo Alto PAN-OS Zero-Day CVE-2026-0300: Root RCE on Firewalls Under Active Exploitation

The PAN-OS zero-day CVE-2026-0300 is a critical vulnerability in Palo Alto Networks PAN-OS that gives unauthenticated attackers root-level remote code execution on PA-Series and VM-Series firewalls. It has a CVSS score of 9.3, it is being actively exploited in the wild, and patches will not be available until May 13, 2026. CISA has already added it to its Known Exploited Vulnerabilities catalog, and federal agencies have been given a mandatory remediation deadline.

This is the kind of vulnerability that keeps security teams awake at night. Your firewall — the device that is supposed to protect your network — becomes the entry point for attackers. And they get root access. Here is everything you need to know about CVE-2026-0300, how it works, who is affected, and what to do right now.

What Is the PAN-OS Zero-Day CVE-2026-0300?

CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal (also known as the Captive Portal) service of Palo Alto Networks PAN-OS software. The vulnerability allows an unauthenticated attacker to send specially crafted packets to the portal and execute arbitrary code with root privileges on the affected firewall.

In plain terms: if your Palo Alto firewall has the User-ID Authentication Portal enabled and accessible from the internet, an attacker can take full control of it without knowing any credentials. No password, no authentication token, no prior access required. Just send the right packets and you own the firewall.

Palo Alto Networks published its official security advisory for CVE-2026-0300, confirming the vulnerability and its active exploitation status. Unit 42’s threat brief provides additional technical details about the exploitation observed in the wild.

How the PAN-OS Zero-Day Exploit Works: Buffer Overflow to Root RCE

The vulnerability is described as a stack-based buffer overflow in the Captive Portal's authentication processing code. When the User-ID Authentication Portal parses an incoming authentication request, it does not properly bound the length of certain input fields, so an oversized field copied into a fixed-size stack buffer overwrites adjacent memory, including saved control-flow data such as the return address. The sequence below is the generic shape of such an exploit, reconstructed from the advisory and the Unit 42 reporting; it is not a published proof of concept.

The exploit chain works like this:

  • Step 1: Attacker identifies a Palo Alto firewall with the User-ID Authentication Portal exposed to the internet
  • Step 2: Attacker sends specially crafted packets containing an oversized field to the portal's listener
  • Step 3: The overflow corrupts control-flow data and redirects execution to attacker-controlled code (Unit 42 observed injected shellcode; on a build with stack canaries, NX or ASLR the attacker also needs a bypass such as an information leak or ROP, and a failed attempt typically crashes the nginx worker rather than running code)
  • Step 4: The attacker's code runs with root privileges because the Captive Portal service runs as root
  • Step 5: Attacker has full root access to the firewall and can intercept traffic, modify rules and pivot into the network

The critical factor is that the Captive Portal service runs as root on PAN-OS, so no privilege escalation is needed after the initial exploit: the overflow alone yields the highest level of access on the device. A second consequence matters for defenders: because the overflow corrupts a running process, attempts leave kernel and nginx crash records behind, which is exactly the evidence the attackers later deleted.

PAN-OS Zero-Day Active Exploitation Timeline: April 9 to Present

According to Palo Alto Networks and The Hacker News, the exploitation timeline is as follows:

  • April 9, 2026: First unsuccessful exploitation attempts detected against a PAN-OS device with the User-ID Authentication Portal exposed
  • April 16, 2026: Attackers successfully achieve RCE against the same device and inject shellcode
  • Post-compromise: Attackers immediately conducted log cleanup, clearing crash kernel messages, deleting nginx crash entries and records, and removing crash core dump files
  • May 5, 2026: Palo Alto Networks publicly discloses CVE-2026-0300 with a CVSS score of 9.3
  • May 6, 2026: CISA adds CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog
  • May 9, 2026: CISA mandatory remediation deadline for federal agencies
  • May 13, 2026: First patches expected from Palo Alto Networks
  • ~May 28, 2026: Additional patches scheduled for remaining affected versions

Attackers were exploiting this vulnerability for nearly four weeks before public disclosure (first attempts on April 9, disclosure on May 5), and they cleaned up their logs to avoid detection. Both points suggest a targeted, well-resourced operation rather than opportunistic scanning.

Affected Products: Which Firewalls Are Vulnerable

CVE-2026-0300 affects the following Palo Alto Networks products:

  • PA-Series hardware firewalls — All models running affected PAN-OS versions with User-ID Authentication Portal enabled
  • VM-Series virtual firewalls — All virtual appliance deployments running affected PAN-OS versions with the portal enabled

The following products are NOT affected:

  • Prisma Access — Cloud-delivered security service
  • Cloud NGFW — Cloud-native next-gen firewall
  • Panorama — Centralized management appliance

The key condition is that the User-ID Authentication Portal must be enabled and reachable by the attacker. If the portal is not configured, the vulnerability cannot be exploited. Note that "reachable" is broader than "internet-facing": a portal that answers on a guest Wi-Fi, BYOD or partner zone is exposed to everyone on that segment. Many organizations enable this portal for user identification and authentication, so it is a commonly used feature in enterprise Palo Alto deployments.

CVSS Score: 9.3 — Critical Severity

CVE-2026-0300 carries a CVSS score of 9.3 when the User-ID Authentication Portal accepts connections from the internet or any other untrusted network. If access to the portal is restricted to trusted internal IP addresses, the score drops to 8.7, which is High rather than Critical on the CVSS scale. The lower score reflects only that fewer attackers can reach the portal; the impact of a successful exploit is unchanged.

The high score reflects several factors: the attack requires no authentication, no user interaction, can be performed remotely over the network, and results in complete compromise of confidentiality, integrity, and availability. Root access to a firewall means the attacker can read all traffic passing through it, modify firewall rules to allow further attacks, and use the compromised firewall as a pivot point to attack internal network resources.

What Attackers Did After Getting Root Access

The observed post-exploitation behavior reveals a methodical attacker focused on persistence and stealth. After achieving root access through the buffer overflow, the attackers immediately covered their tracks:

  • Cleared crash kernel messages, removing the kernel's record of the process fault the overflow caused
  • Deleted nginx crash entries and records, since the Captive Portal runs on nginx and a corrupted worker would have produced crash log entries
  • Deleted crash core dump files, removing memory images that could have revealed the exploit payload

This level of cleanup indicates the attackers had detailed knowledge of PAN-OS internals and wanted to keep persistent access without triggering alerts. It also has a practical implication for investigators: on a device whose portal was exposed during the exploitation window, the absence of expected crash artifacts is itself a finding, not a clean bill of health. According to Wiz's analysis, the behavior is consistent with nation-state or advanced persistent threat (APT) operations targeting network perimeter devices.

Patch Timeline: First Fixes on May 13

Palo Alto Networks has announced the following patch schedule:

  • May 13, 2026: First set of PAN-OS updates addressing CVE-2026-0300
  • ~May 28, 2026: Additional patches for remaining affected PAN-OS versions

This means there is currently a window of exposure between the public disclosure on May 5 and the first patch on May 13. During this period, organizations running affected firewalls must rely on mitigations rather than patches. The gap between disclosure and patch availability is particularly concerning given that the vulnerability is already under active exploitation.

CISA Adds CVE-2026-0300 to Known Exploited Vulnerabilities

On May 6, 2026 — just one day after public disclosure — CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog. This triggers mandatory remediation requirements for Federal Civilian Executive Branch (FCEB) agencies, who were given a deadline of May 9, 2026 to apply fixes or mitigations.

The rapid addition to the KEV catalog — with only a 3-day remediation window — underscores the severity of this vulnerability. CISA’s typical KEV remediation deadline is 2-3 weeks. The accelerated timeline reflects the combination of active exploitation, critical severity score, and the strategic importance of firewalls as network security devices.

Mitigations: What to Do Before the Patch

Until patches are available on May 13, organizations should implement the following mitigations immediately:

  • Disable the User-ID Authentication Portal if it is not strictly required for business operations
  • Restrict portal access to trusted internal IP addresses only — remove any internet-facing access
  • Enable Threat Prevention signatures — Palo Alto Networks has released Threat Prevention signatures that can detect and block exploitation attempts
  • Monitor firewall logs for signs of compromise — look for unexpected crash logs, nginx errors, or unusual authentication portal activity
  • Check for indicators of compromise — Review crash kernel messages, nginx crash entries, and core dump files for evidence of tampering or deletion
  • Network segmentation — Ensure that even if a firewall is compromised, lateral movement into critical internal systems is limited
  • Plan for emergency patching — Have a maintenance window ready for May 13 when patches become available

Palo Alto Networks specifically recommends that organizations with the User-ID Authentication Portal exposed to the internet should disable it immediately as the primary mitigation. The Threat Prevention signatures provide an additional layer of defense but should not be considered a substitute for removing the attack surface.
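The log review described in the mitigation list above (unusual portal activity, unexpected crashes, and crash records that have gone missing) is easier to do with a script than by eye. The following is an added example, written for this page; it is not code from the original article or from Palo Alto Networks, and it rests on assumptions you must check against your environment: that you can obtain request logs for the portal in nginx combined format with $request_length appended as a final field (the stock combined format records response size, not request size), that kernel messages are in standard syslog form, and that the portal's request paths share a prefix (the /php/ prefix, the host name fw01 and the fault address 0x41414141 in the sample data are all hypothetical). The sample log lines are constructed to mirror the article's timeline: oversized POSTs on April 9 that fault a worker and leave a kernel record, and a 502 on April 16 with no crash record, which is what a cleaned-up kernel log looks like.

```python
"""Hunt for CVE-2026-0300-style activity against the Captive Portal.

Added example, not Palo Alto code.  Signals it extracts:
  1. oversized requests to the portal path      (overflow attempts)
  2. 5xx responses on the portal path           (worker crashed/misbehaved)
  3. 5xx with a kernel segfault within `window` (crash evidence present)
  4. 5xx with NO segfault within `window`       (possible log cleanup)
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# ASSUMPTION: nginx combined format with " $request_length" as the last field.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<req_len>\d+)\s*$'
)
# Standard Linux kernel segfault report, restricted to nginx processes.
SEGFAULT_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ kernel: '
    r'nginx\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+)'
)

# Constructed sample data (hypothetical host, path, PID and fault address).
ACCESS_SAMPLE = """\
203.0.113.7 - - [09/Apr/2026:02:14:01 +0000] "POST /php/login.php HTTP/1.1" 400 0 "-" "curl/8.0" 9213
203.0.113.7 - - [09/Apr/2026:02:14:09 +0000] "POST /php/login.php HTTP/1.1" 502 157 "-" "curl/8.0" 12804
198.51.100.20 - - [09/Apr/2026:08:30:11 +0000] "GET /php/login.php HTTP/1.1" 200 2310 "-" "Mozilla/5.0" 412
203.0.113.7 - - [16/Apr/2026:23:41:55 +0000] "POST /php/login.php HTTP/1.1" 502 157 "-" "python-requests/2.31" 13056
"""
KERNEL_SAMPLE = """\
Apr  9 02:14:09 fw01 kernel: nginx[2231]: segfault at 41414141 ip 000000000041a2c0 sp 00007ffd1f1c3e10 error 4 in nginx[400000+1b0000]
"""


def parse_access(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = ACCESS_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "status": int(m["status"]), "req_len": int(m["req_len"])}


def parse_segfault(line, year):
    """Return a dict for one nginx segfault message, or None.
    Syslog timestamps carry no year or zone; both are assumed (UTC)."""
    m = SEGFAULT_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day'])} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts.replace(tzinfo=timezone.utc), "pid": int(m["pid"]), "addr": m["addr"]}


def hunt(access_lines, kernel_lines, portal_prefix="/php/",
         size_threshold=4096, year=2026, window=timedelta(seconds=60)):
    """Correlate portal request anomalies with kernel crash records."""
    suspects = defaultdict(lambda: {"oversized": 0, "server_errors": 0,
                                    "first": None, "last": None})
    portal_requests = []
    for line in access_lines:
        rec = parse_access(line)
        if rec is None or not rec["path"].startswith(portal_prefix):
            continue
        portal_requests.append(rec)
        oversized = rec["req_len"] >= size_threshold
        errored = rec["status"] >= 500
        if not (oversized or errored):
            continue  # ordinary portal traffic, e.g. a real user logging in
        s = suspects[rec["ip"]]
        s["oversized"] += int(oversized)
        s["server_errors"] += int(errored)
        s["first"] = rec["ts"] if s["first"] is None else min(s["first"], rec["ts"])
        s["last"] = rec["ts"] if s["last"] is None else max(s["last"], rec["ts"])

    crashes = [c for c in (parse_segfault(l, year) for l in kernel_lines) if c]

    # A 5xx on the portal should have a crash record nearby.  If it does not,
    # either it was not a crash or someone removed the evidence: investigate.
    correlated, unexplained = [], []
    for rec in portal_requests:
        if rec["status"] < 500:
            continue
        crash = next((c for c in crashes if abs(rec["ts"] - c["ts"]) <= window), None)
        if crash:
            correlated.append((rec["ip"], rec["ts"], crash["pid"]))
        else:
            unexplained.append((rec["ip"], rec["ts"]))

    return {"suspects": dict(suspects), "crashes": crashes,
            "correlated": correlated, "unexplained": unexplained}


if __name__ == "__main__":
    result = hunt(ACCESS_SAMPLE.splitlines(), KERNEL_SAMPLE.splitlines())
    for ip, s in result["suspects"].items():
        print(f"{ip}: {s['oversized']} oversized, {s['server_errors']} 5xx, "
              f"{s['first']:%Y-%m-%d} .. {s['last']:%Y-%m-%d}")
    for ip, ts in result["unexplained"]:
        print(f"5xx from {ip} at {ts:%Y-%m-%d %H:%M:%S} with no crash record: possible cleanup")
```

Feed it your own exports with `hunt(open("access.log").read().splitlines(), open("kern.log").read().splitlines())`, adjusting `portal_prefix` and `size_threshold` to what your portal actually serves. The size threshold is deliberately generous, since a legitimate login form posts a few hundred bytes at most, and a request that is an order of magnitude larger is worth a look regardless of how the server answered. The `unexplained` list is the one to read first: a 5xx on the portal with no nearby segfault is either a benign server error or a crash whose kernel record has been removed, and on a device that was exposed between April 9 and the patch date the second possibility must be ruled out, not assumed away.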

Why This Matters: Firewalls as Attack Surfaces

CVE-2026-0300 is part of a disturbing trend: network security devices becoming attack surfaces themselves. In the past two years, we have seen critical vulnerabilities in firewalls, VPN gateways, and edge devices from Palo Alto Networks, Fortinet, Cisco, Ivanti, and others. These devices sit at the network perimeter, handle all traffic, and typically run with elevated privileges.

When a firewall is compromised, the attacker does not just get access to one server — they get visibility into all network traffic, the ability to modify security policies, and a trusted position from which to launch further attacks. It is the worst possible device to have compromised.

The fact that CVE-2026-0300 requires no authentication and grants root access makes it especially dangerous. The Captive Portal runs as root on PAN-OS, which means there is no secondary privilege boundary between the exploit and full device compromise. This is a design decision that security architects should question in any network appliance.

Final Thoughts

CVE-2026-0300 is a textbook critical vulnerability: unauthenticated remote code execution with root privileges on a security device, actively exploited before disclosure, and patches not available for over a week after going public. If you run Palo Alto firewalls with the User-ID Authentication Portal enabled, this is a drop-everything priority.

Disable the portal, restrict access, deploy Threat Prevention signatures, and be ready to patch the moment updates land on May 13. And check your logs — the attackers have been at this since April 9. If your firewall was exposed, assume compromise and investigate accordingly.

PAN-OS Zero-Day in the Context of 2026’s Exploit Landscape

This PAN-OS zero-day joins an alarming pattern of critical infrastructure vulnerabilities disclosed in 2026. The attack surface for enterprise networks has expanded dramatically as organizations deploy more edge security appliances — ironically, the very devices meant to protect networks are becoming the primary entry points for attackers. The Dirty Frag Linux kernel root exploit demonstrated a similar pattern where foundational security layers contain exploitable flaws.

Security researchers at Mandiant documented a 340% increase in firewall and VPN appliance exploits between 2024 and 2026. The PAN-OS zero-day fits the pattern seen across CISA's Known Exploited Vulnerabilities catalog, in which threat actors target whatever service an edge device exposes to the internet, whether a management interface or, as here, an authentication portal. This is exactly why CISA's CI Fortify directive now requires critical infrastructure to prepare for weeks-long disconnection scenarios.

The broader lesson from the PAN-OS zero-day is that perimeter security devices require the same zero-trust scrutiny as any other network endpoint. Firewall management interfaces should never be exposed to the public internet, authentication portals should be reachable only from the zones that need them, and organizations should implement NIST Cybersecurity Framework recommendations for network segmentation. The Canvas LMS mega-breach affecting 275 million students and the cPanel zero-day compromising 44,000 servers underscore how interconnected these threats have become across the entire technology stack.
