
PALO Alto Networks has confirmed that a critical zero‑day flaw in its PAN‑OS User‑ID Authentication Portal is being exploited in the wild, putting PA‑Series and VM‑Series firewalls at risk of full compromise. The flaw resides in the captive portal service and can be triggered without any authentication.
Tracked as CVE-2026-0300, the vulnerability carries a CVSS v3.1 base score of 9.3 and stems from a buffer overflow that allows an unauthenticated attacker to send specially crafted packets and gain root privileges on the firewall.
According to Palo Alto and independent reports, the activity has been linked to the threat cluster CL-STA-1132, which has deployed tools such as EarthWorm and ReverseSocks5 after breaking in. Security researchers first observed attempted exploitation on 9 April 2026, with successful remote code execution reported a week later.
According to SecurityWeek, the intrusion chain includes enumeration of Active Directory with stolen credentials, deletion of nginx logs and core dumps to hide traces, and the use of tunnelling utilities that bear hallmarks of Chinese state‑sponsored groups. Palo Alto notes that the activity remains limited in scope but represents a significant threat to exposed devices.
The CISA has added CVE-2026-0300 to its Known Exploited Vulnerabilities catalogue, noting that the flaw is actively being used and urging organisations to apply patches as soon as they become available. The agency’s catalogue entry references the same CVSS score and highlights the risk when the portal is exposed to the internet.
The Hacker News reports that Palo Alto Networks has released fixes scheduled for 13 May and 28 May 2026 and advises administrators to restrict the captive portal to trusted zones or disable it entirely if not required, while also monitoring for anomalous outbound connections and reviewing firewall logs for signs of EarthWorm or ReverseSocks5 traffic. Applying the patches promptly and following the vendor’s mitigation guidance will greatly reduce the likelihood of successful exploitation.