Critical Zero-Day in Palo Alto PAN-OS Firewalls Exploited in the Wild
Attackers are actively exploiting a zero-day vulnerability affecting Palo Alto Networks’ firewalls, the company confirmed in an advisory issued on Tuesday. The flaw, tracked as CVE-2026-0300, is a critical memory corruption issue in the authentication portal of PAN-OS. It enables unauthenticated attackers to execute arbitrary code with root privileges on vulnerable PA-Series and VM-Series firewalls.
Palo Alto Networks did not disclose when or how it became aware of the active exploitation, or the timeline of the earliest known attacks. The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities Catalog on Wednesday, May 7.
No Patch Available Yet; First Fixes Expected May 13
The company has not released a patch for CVE-2026-0300 and has not provided details on the scope or objectives of the confirmed attacks. However, a Palo Alto Networks spokesperson shared the following with CyberScoop:
“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13.”
The vulnerability has a CVSS score of 9.3 and is described as having low attack complexity. According to Shadowserver scans, more than 5,800 publicly exposed VM-Series firewalls running PAN-OS were identified as of Tuesday. However, it remains unclear how many of these instances have restricted Authentication Portal access to trusted internal IP addresses or disabled the feature entirely.
Mitigation Guidance Issued; Cloud NGFW and Panorama Unaffected
Palo Alto Networks stated:
“We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base.”
Industry Reactions: Limited Exploitation Expected, But Risks Remain High
Benjamin Harris, CEO and founder of watchTowr, noted that Palo Alto Networks’ proactive alert to customers was a positive step, allowing defenders to secure potentially exposed systems. However, he also acknowledged the downside:
“In a bad situation, that is the best they can do immediately. However, that also alerts everyone to the existence of a vulnerability.”
Despite the risks, Harris predicted that attacks leveraging the zero-day would remain “very limited” in the near term. To date, only Palo Alto Networks and its impacted customers have observed exploitation in the wild, though researchers warn this may change rapidly.
Caitlin Condon, Vice President of Security Research at VulnCheck, commented:
“It’s likely rules will also start to fire in third-party organizations and honeypots shortly. Management interfaces, login pages, and authentication portals have been common adversary targets for both opportunistic and targeted campaigns in recent years.”
“With researcher and community eyes on the vulnerability, it’s likely that we’ll see public exploits and broader exploitation quickly, provided the issue isn’t prohibitively difficult to exploit.”
What’s Next for Affected Organizations?
Palo Alto Networks has not attributed the attacks to any known threat group, released indicators of compromise, or disclosed the types of organizations targeted. Researchers are actively hunting for malicious activity and strongly advise customers to apply patches as soon as they become available.
For now, organizations using affected PAN-OS firewalls are urged to review and implement the mitigation guidance provided by Palo Alto Networks to reduce exposure until official fixes are released.