Palo Alto Networks disclosed a critical zero-day vulnerability, tracked as CVE-2026-0300, that is under active exploitation. The memory corruption flaw affects the authentication portal of PAN-OS and allows an unauthenticated attacker to execute code as root on the vendor's PA-Series and VM-Series firewalls. The Cybersecurity and Infrastructure Security Agency (CISA) has since added the vulnerability to its Known Exploited Vulnerabilities catalog.
The vendor announced the vulnerability on Tuesday, but has not said when it was discovered or when exploitation began. Palo Alto Networks has not yet released a patch for the flaw, nor has it fully described the scope and objectives of the confirmed attacks. The company did indicate that the first software updates addressing the issue are expected to be available on May 13.
Palo Alto Networks Zero-Day Exploitation
According to Palo Alto Networks, the vulnerability affects a limited number of customers, specifically those whose User-ID Authentication Portal, also known as the Captive Portal, is reachable from the public internet or from untrusted IP addresses. The company stated that it has observed limited exploitation of the issue.
The vulnerability carries a CVSS score of 9.3, placing it in the critical range. Palo Alto Networks rated the attack complexity as low, meaning exploitation does not depend on special conditions beyond the attacker being able to reach the portal. Any firewall whose portal is exposed to untrusted networks should therefore be treated as exploitable in practice, not merely as theoretically affected.
Scope and Known Exploitation
Shadowserver scans conducted on Tuesday identified over 5,800 publicly exposed VM-Series firewalls running PAN-OS. It remains unclear how many of these instances restrict portal access to trusted internal IP addresses or have the affected feature disabled altogether, so the figure is an upper bound on the number of reachable devices rather than a count of exploitable portals.
Palo Alto Networks said it has given customers mitigation guidance so that exposed portals can be secured immediately, and clarified that the issue does not affect its Cloud NGFW or Panorama appliances.
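The exposure condition described above, reduced to a check a defender can run against an asset inventory: the portal is a concern only where it is enabled and reachable from sources outside trusted address space, and Cloud NGFW and Panorama are out of scope. The script below is an added example, not vendor code or tooling mentioned in the article; the inventory schema (name, platform, captive_portal_enabled, portal_rules/sources), the trusted ranges and the sample devices are assumptions constructed for illustration, not a PAN-OS export format.

```python
"""Exposure triage for the User-ID Authentication Portal (Captive Portal).

Added example, not vendor code. The inventory schema below is an assumption
for illustration and is not a PAN-OS export format; the sample inventory is
constructed.
"""
import ipaddress

# Address space treated as trusted/internal: the RFC 1918 ranges. This list is
# an assumption; replace it with the organisation's real trusted ranges.
TRUSTED_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Platforms the vendor statement says are not affected.
NOT_AFFECTED_PLATFORMS = {"Cloud NGFW", "Panorama"}


def is_trusted_source(src, trusted=TRUSTED_RANGES):
    """True only if `src` is a network lying entirely inside a trusted range.

    'any' and ranges that spill outside trusted space count as untrusted,
    because a rule permitting them lets untrusted clients reach the portal.
    """
    if src.strip().lower() == "any":
        return False
    net = ipaddress.ip_network(src, strict=False)  # bare host -> /32 or /128
    return any(net.subnet_of(t) for t in trusted if t.version == net.version)


def classify(fw):
    """Classify one firewall record.

    Returns one of:
      not_affected    - platform the vendor says is not impacted
      portal_disabled - Authentication Portal not enabled, no exposed surface
      restricted      - portal enabled, but every permitting rule only admits
                        trusted sources (no rules at all also lands here)
      exposed         - at least one rule admits an untrusted source
    """
    if fw["platform"] in NOT_AFFECTED_PLATFORMS:
        return "not_affected"
    if not fw.get("captive_portal_enabled", False):
        return "portal_disabled"
    for rule in fw.get("portal_rules", []):
        if not all(is_trusted_source(s) for s in rule["sources"]):
            return "exposed"
    return "restricted"


def triage(inventory):
    """Map firewall name -> classification for the whole inventory."""
    return {fw["name"]: classify(fw) for fw in inventory}


def exposed_firewalls(inventory):
    """Names needing immediate mitigation (restrict or disable the portal)."""
    return sorted(n for n, c in triage(inventory).items() if c == "exposed")


# Constructed sample inventory (hypothetical devices and addresses).
SAMPLE_INVENTORY = [
    {"name": "edge-pa-1", "platform": "PA-Series", "captive_portal_enabled": True,
     "portal_rules": [{"sources": ["any"]}]},
    {"name": "dc-vm-2", "platform": "VM-Series", "captive_portal_enabled": True,
     "portal_rules": [{"sources": ["10.20.0.0/16", "192.168.50.0/24"]}]},
    {"name": "branch-pa-3", "platform": "PA-Series", "captive_portal_enabled": False},
    {"name": "panorama-1", "platform": "Panorama", "captive_portal_enabled": True},
    {"name": "cloud-vm-4", "platform": "VM-Series", "captive_portal_enabled": True,
     "portal_rules": [{"sources": ["10.0.0.0/8"]},
                      {"sources": ["203.0.113.0/24"]}]},  # public range in a second rule
]

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {verdict}")
    print("mitigate first:", exposed_firewalls(SAMPLE_INVENTORY))
```

The check deliberately treats a single permissive rule as sufficient for "exposed": the portal is reachable if any rule admits an untrusted source, regardless of how tightly the others are scoped, which is why cloud-vm-4 is flagged alongside the "any" rule on edge-pa-1.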
Benjamin Harris, CEO and founder of watchTowr, acknowledged that Palo Alto Networks proactively alerted its customers to the zero-day vulnerability, which allowed defenders to take immediate action on potentially exposed instances. While this proactive disclosure is a positive step in a difficult situation, it also brings wider awareness to the vulnerability’s existence.
Despite the risk, watchTowr anticipates that attacks specifically linked to this zero-day exploit will likely remain limited. Palo Alto Networks and its affected customers are currently the only reported entities to have observed exploitation, but cybersecurity researchers caution that this situation could change rapidly.
Researcher Warnings and Future Implications
Caitlin Condon, vice president of security research at VulnCheck, noted that it is probable that security systems in third-party organizations and honeypots will soon begin detecting related malicious activity. Management interfaces, login pages, and authentication portals have historically been attractive targets for adversaries in both opportunistic and targeted campaigns.
With heightened attention from researchers and the wider security community, Condon anticipates the quick emergence of public exploits and broader exploitation, provided the vulnerability is not prohibitively difficult to weaponize. Palo Alto Networks has not yet attributed the attacks to any known threat group, nor has it released indicators of compromise or disclosed the types of organizations targeted.
Researchers are actively searching for malicious activity related to this zero-day. Customers are strongly advised to apply patches as soon as they become available. Until then, the interim mitigation the vendor has described is to restrict the Authentication Portal to trusted internal addresses, or to disable it where it is not needed. The coming weeks will likely bring further analysis of the exploit's capabilities and the extent of its real-world impact.