Palo Alto Networks is patching a critical PAN-OS zero-day, tracked as CVE-2026-0300, which has been exploited to hack some of the company’s firewall models. The vulnerability is described as a buffer overflow in the User-ID Authentication Portal (Captive Portal) service. It affects PA and VM series firewalls and enables an unauthenticated attacker to execute code with root privileges via specially crafted packets.
Limited exploitation has been observed targeting exposed User-ID Portals, and restricting access to trusted internal IPs can significantly reduce risk, according to Palo Alto Networks. The vendor intends to release the first round of patches on 13 May, with a second round due for 28 May. According to Palo Alto Networks, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by CVE-2026-0300.
Given the widespread use of these firewalls, the article notes that sophisticated threat actors often target such devices, with state-sponsored groups frequently cited in related chatter.