Palo Alto Networks is engaged on patches for a important PAN-OS zero-day that has been exploited to hack a few of the firm’s firewall fashions.
Tracked as CVE-2026-0300, the vulnerability has been described as a buffer overflow affecting the Consumer-ID Authentication Portal (Captive Portal) service of PAN-OS software program.
The zero-day impacts PA and VM collection firewalls, permitting an unauthenticated attacker to execute malicious code with root privileges through specifically crafted packets.
“Restricted exploitation has been noticed concentrating on Palo Alto Networks Consumer-ID Authentication Portals which are uncovered to untrusted IP addresses and/or the general public web,” Palo Alto Networks stated in an advisory.
No different data has been shared concerning the assaults exploiting CVE-2026-0300, however restricted exploitation sometimes signifies {that a} flaw has been leveraged in extremely focused assaults by subtle menace actors, usually state-sponsored teams.
The seller is aiming to launch the primary spherical of patches on Might 13, with a second spherical of fixes estimated for Might 28.
The cybersecurity large famous that the flaw impacts solely PA and VM collection firewalls configured to make use of the Consumer-ID Authentication Portal. Limiting entry to the portal to trusted inside IPs considerably reduces the chance of exploitation.
In response to Palo Alto Networks, Prisma Entry, Cloud NGFW, and Panorama home equipment are usually not affected by CVE-2026-0300.
Given their widespread adoption throughout main enterprises and authorities organizations, Palo Alto firewalls are prime targets for classy menace actors.
Whereas solely two vulnerabilities within the firm’s home equipment had been exploited within the wild in 2025, 2024 noticed a considerably increased quantity, with seven exploited flaws, together with by state-sponsored hackers.
CISA’s Recognized Exploited Vulnerabilities (KEV) catalog at the moment consists of 13 Palo Alto product vulnerabilities, however CVE-2026-0300 has not but been included.
