www.securityweek.com 5/6/2026, 5:01:14 AM · via preferred

Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls

Palo Alto Networks to Patch Zero-Day Exploited to Hack Firewalls
Developing story vulnerability 12 articles tracked
Palo Alto PAN-OS Captive Portal zero‑day (CVE-2026-0300) exploited in the wild
CyberSIXT Evidence Panel
CISA KEV Not in KEV
Patch Patch Status Unknown

PALO Alto Networks is patching a critical PAN-OS zero-day, tracked as CVE-2026-0300, which has been exploited to hack some of the company’s firewall models. The vulnerability is described as a buffer overflow in the User-ID Authentication Portal (Captive Portal) service, affecting PA and VM series firewalls and enabling an unauthenticated attacker to execute code with root privileges via specially crafted packets.

Limited exploitation has been observed targeting exposed User-ID Portals, and restricting access to trusted internal IPs can significantly reduce risk, according to Palo Alto Networks. The vendor intends to release the first round of patches on 13 May, with a second round due for 28 May. According to Palo Alto Networks, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by CVE-2026-0300.

Given the widespread use of these firewalls, the article notes that sophisticated threat actors—claims—often target such devices, with state-sponsored groups frequently cited in related chatter.

View Primary Source Via www.securityweek.com

Article by CyberSIXT

Timeline Coverage

Swipe to explore timeline