Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls
CVE-2026-0300 affects the Captive Portal service of PAN-OS software on PA and VM series firewalls. The post Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls appeared first on SecurityWeek .
AI Analysis
Technical Summary
CVE-2026-0300 is a zero-day buffer overflow vulnerability in the Captive Portal service of PAN-OS software on PA and VM series firewalls by Palo Alto Networks. This flaw allows unauthenticated attackers to gain root-level code execution by sending specially crafted packets to the User-ID Authentication Portal. Exploitation has been limited and observed only on portals exposed to untrusted or public IP addresses. The vendor is actively developing patches, with initial fixes scheduled for May 13, 2026, and follow-up patches on May 28. The vulnerability does not affect other Palo Alto products such as Prisma Access, Cloud NGFW, or Panorama. Mitigation includes restricting portal access to trusted internal IP addresses.
Potential Impact
Successful exploitation of CVE-2026-0300 enables an unauthenticated attacker to execute arbitrary code with root privileges on affected PA and VM series firewalls configured with the User-ID Authentication Portal. This could lead to full compromise of the firewall device. Limited exploitation observed suggests targeted attacks, likely by sophisticated threat actors. Other Palo Alto products are not impacted. No widespread exploitation or inclusion in CISA's Known Exploited Vulnerabilities catalog has been reported as of the advisory date.
Mitigation Recommendations
Palo Alto Networks is releasing official patches starting May 13, 2026, with a second round on May 28, 2026. Organizations should apply these patches promptly once available. Until patched, it is recommended to restrict access to the User-ID Authentication Portal to trusted internal IP addresses only, avoiding exposure to untrusted or public networks. No other mitigation actions are indicated by the vendor at this time.
Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls
Description
CVE-2026-0300 affects the Captive Portal service of PAN-OS software on PA and VM series firewalls. The post Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls appeared first on SecurityWeek .
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-0300 is a zero-day buffer overflow vulnerability in the Captive Portal service of PAN-OS software on PA and VM series firewalls by Palo Alto Networks. This flaw allows unauthenticated attackers to gain root-level code execution by sending specially crafted packets to the User-ID Authentication Portal. Exploitation has been limited and observed only on portals exposed to untrusted or public IP addresses. The vendor is actively developing patches, with initial fixes scheduled for May 13, 2026, and follow-up patches on May 28. The vulnerability does not affect other Palo Alto products such as Prisma Access, Cloud NGFW, or Panorama. Mitigation includes restricting portal access to trusted internal IP addresses.
Potential Impact
Successful exploitation of CVE-2026-0300 enables an unauthenticated attacker to execute arbitrary code with root privileges on affected PA and VM series firewalls configured with the User-ID Authentication Portal. This could lead to full compromise of the firewall device. Limited exploitation observed suggests targeted attacks, likely by sophisticated threat actors. Other Palo Alto products are not impacted. No widespread exploitation or inclusion in CISA's Known Exploited Vulnerabilities catalog has been reported as of the advisory date.
Mitigation Recommendations
Palo Alto Networks is releasing official patches starting May 13, 2026, with a second round on May 28, 2026. Organizations should apply these patches promptly once available. Until patched, it is recommended to restrict access to the User-ID Authentication Portal to trusted internal IP addresses only, avoiding exposure to untrusted or public networks. No other mitigation actions are indicated by the vendor at this time.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/palo-alto-networks-to-patch-zero-day-exploited-to-hack-firewalls/","fetched":true,"fetchedAt":"2026-05-06T04:51:23.234Z","wordCount":963}
Threat ID: 69fac8cbcbff5d86109c3f92
Added to database: 5/6/2026, 4:51:23 AM
Last enriched: 5/6/2026, 4:51:28 AM
Last updated: 5/7/2026, 7:02:39 AM
Views: 76
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.