Maximum Alert: Zero-Day in Palo Alto Firewalls Under Active Attack with No Patch Available Until May 13
Eric Serrano Bustos
Palo Alto Networks has published an urgent security advisory confirming the active exploitation of a critical vulnerability in PAN-OS. The flaw, CVE-2026-0300 (CVSS 9.3), allows arbitrary code execution with root privileges on PA-Series and VM-Series firewalls without credentials, without user interaction, and in an automatable fashion. CISA added it to its Known Exploited Vulnerabilities (KEV) catalog on May 6. The first patch will not arrive until May 13. In the unpatched window, active mitigation is the only defence.
What do we know about the CVE-2026-0300 zero-day in Palo Alto PAN-OS?
The official advisory, published on May 5, 2026 and amplified by BleepingComputer, The Hacker News, Help Net Security, Wiz and SOC Prime, confirms the following facts:
Vulnerability type: buffer overflow (CWE-787) in the User-ID Authentication Portal service (also known as Captive Portal) of PAN-OS.
Impact: unauthenticated remote code execution with root privileges. An attacker only needs to send specially crafted packets to the portal to fully compromise the device.
Exploitability condition: the portal must be enabled and accessible from the internet or untrusted networks. Deployments that restrict the portal to internal trusted networks are at materially lower risk.
Affected devices: PA-Series and VM-Series running PAN-OS versions prior to the fixed releases. Prisma Access, Cloud NGFW and Panorama are not affected.
Real-world exposure (Shadowserver): over 5,800 PAN-OS VM-Series instances with port 6081 exposed to the internet. Most are concentrated in Asia (2,466) and North America (1,998).
Active exploitation confirmed: Palo Alto describes it as “limited,” targeting portals exposed to the internet. CISA added CVE-2026-0300 to the KEV catalog on May 6.
Patches: first wave on May 13 (branches 12.1.x, 11.2.x). Second wave on May 28 (branches 11.1.x and 10.2.x).
Automation confirmed: the advisory itself states that exploitation is automatable, which means a single actor can sweep all 5,800 exposed devices in one campaign rather than working through them one at a time.
Why firewalls are the highest-value target for attackers
CVE-2026-0300 affects the device that decides what enters and leaves the entire corporate network. Compromising a firewall means compromising the arbiter of perimeter security, with consequences far beyond any application server or endpoint:
Privileged visibility over all traffic. An attacker with root access can inspect, intercept or modify traffic between segments, extract credentials in transit, and disable security controls without internal detection systems noticing.
Hard-to-detect persistence. Firewalls are rarely monitored with the same intensity as servers or endpoints. An implant in the firewall’s operating system can survive for months undetected.
Supply chain vector. MSPs and managed security providers administer firewalls for multiple clients from a single infrastructure. Compromising one provider’s firewall can cascade into access across their entire client base.
Blind spot in traditional patching programmes. Many organisations put network security devices on a slower patching cycle than the rest of their estate, out of fear of operational disruption, which leaves these devices exposed for longer than servers and endpoints.
How this type of attack works
The technical chain of CVE-2026-0300 follows these steps:
Passive reconnaissance: the attacker identifies firewalls with the portal exposed via Shodan (ports 6081/6082) or Shadowserver. Over 5,800 instances are currently indexed.
Sending malicious packets: without credentials or human interaction, crafted packets are sent to the portal. The overflow overwrites adjacent memory (out-of-bounds write).
Root execution: successful exploitation grants full control of the firewall’s operating system with maximum privileges.
Post-exploitation: installation of persistent implants, modification of security policies, traffic interception, pivoting into the internal network, or access to credentials of other clients managed from the same device.
Because exploitation can be automated, this is a threat at scale: a single actor can sweep all 5,800 exposed firewalls in one campaign.
Key lessons: what your SOC and security team must do right now
Until the patch arrives, managing this zero-day depends on speed and precision in executing mitigations. Here is the action plan until May 13:
Step 1 — Identify exposure (today, first thing)
Access each PA-Series or VM-Series firewall and navigate to Device > User Identification > Authentication Portal Settings.
Check whether Enable Authentication Portal is active.
If it is, verify which zones or interfaces can reach the portal (ports 6081 and 6082; the portal also uses 6080 for plain HTTP). If any zone is “untrust” or points to the internet: you are at active risk. Then confirm from outside as well: scan your public address space for TCP 6080–6082 from a host outside your network, because a zone label is only as reliable as the configuration behind it.
Step 2 — Immediate mitigation (today)
Option A (recommended if you do not actively use the portal): disable the User-ID Authentication Portal entirely until the patch is available.
Option B (if the portal is operationally required): restrict it to trusted internal zones. In PAN-OS the portal is served on an interface only where the interface management profile attached to that interface enables the Response Pages service, so remove that service from every profile applied to interfaces in untrust zones, or attach a profile without it. Under no circumstances should the portal be reachable from untrust zones or the internet.
Confirm that no interface management profile reachable from external networks exposes the portal ports (6081 and 6082, plus 6080, which the portal also uses for plain HTTP).
Step 3 — Detection and SIEM monitoring (this week)
Enable alerts on unusual traffic to ports 6081/6082 from external or unclassified IPs.
Monitor portal authentication logs for connection attempts from unrecognised IP ranges.
Review PAN-OS logs for unusual process errors in the authentication component (crashes, unexpected service restarts).
Correlate with threat intelligence feeds: IoCs associated with CVE-2026-0300 are being actively published by Wiz, Shadowserver and SOC Prime.
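The detection logic for this step, written out as an added example; it is not part of the advisory or of Palo Alto's own tooling. It assumes the SIEM has normalised PAN-OS traffic logs into CSV rows with the column names used below (the real syslog field order varies by PAN-OS version, so adapt the names to your export); the log rows and the trusted ranges are constructed for the example. It flags sessions to the portal ports from outside trusted address space and singles out sources that touch more than one firewall, the signature of the mass scanning the advisory warns about:

```python
"""Flag sessions reaching the PAN-OS Authentication Portal ports from untrusted sources.

Added example, not Palo Alto tooling. Assumes traffic logs normalised to the CSV
columns below; the sample rows and trusted ranges are constructed.
"""
import csv
import io
import ipaddress

# Portal ports: 6081/6082 as named in the advisory coverage, 6080 is the plain-HTTP port.
PORTAL_PORTS = {6080, 6081, 6082}

# Assumption: only RFC 1918 space may legitimately reach the portal. Add your own
# trusted ranges (VPN pools, partner links) here.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rows in the assumed normalised schema (not real PAN-OS output).
# The last row is a denied session: a blocked probe is still reconnaissance worth seeing.
SAMPLE_LOG = """\
time,src,dst,dport,from_zone,to_zone,app,action
2026-05-06T02:11:03Z,198.51.100.23,203.0.113.10,6081,untrust,untrust,ssl,allow
2026-05-06T02:11:04Z,198.51.100.23,203.0.113.10,6082,untrust,untrust,unknown-tcp,allow
2026-05-06T02:15:40Z,10.20.30.40,10.20.30.1,6081,trust,trust,ssl,allow
2026-05-06T02:18:09Z,198.51.100.23,203.0.113.11,6081,untrust,untrust,ssl,allow
2026-05-06T02:20:55Z,192.0.2.77,203.0.113.10,443,untrust,dmz,ssl,allow
2026-05-06T02:21:12Z,192.0.2.77,203.0.113.10,6081,untrust,untrust,ssl,deny
"""


def is_trusted(ip: str) -> bool:
    """True if the address falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def flag_portal_hits(log_text: str) -> list[dict]:
    """Return rows whose destination port is a portal port and whose source is untrusted.

    Rows with a missing or non-numeric port are skipped rather than crashing the job.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            dport = int(row["dport"])
        except (KeyError, ValueError):
            continue
        if dport in PORTAL_PORTS and not is_trusted(row["src"]):
            hits.append(row)
    return hits


def scanning_sources(hits: list[dict], min_targets: int = 2) -> dict[str, int]:
    """Sources that touched portal ports on at least min_targets distinct firewalls.

    One source sweeping several of your devices is the mass-exploitation pattern.
    """
    targets: dict[str, set] = {}
    for h in hits:
        targets.setdefault(h["src"], set()).add(h["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    found = flag_portal_hits(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['src']} -> {h['dst']}:{h['dport']} "
              f"zone={h['from_zone']} action={h['action']}")
    print("sources sweeping multiple firewalls:", scanning_sources(found))
```

Feed it your real export instead of SAMPLE_LOG and raise an alert on any non-empty result from flag_portal_hits; a non-empty result from scanning_sources deserves immediate escalation, since it shows one actor enumerating several of your firewalls.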
Step 4 — Patching plan (May 13–28)
Identify which PAN-OS branch each firewall runs and plan the update window: branches 12.1.x and 11.2.x → patch available May 13; branches 11.1.x and 10.2.x → patch available May 28.
Prioritise devices exposed to the internet or with the portal enabled in untrusted zones.
Document the plan and communicate it to infrastructure owners before May 10.
Step 5 — Post-incident review (after patching)
Review historical portal logs for anomalous activity during the exposure window. Treat May 5–13 as the minimum: this was a zero-day exploited before the advisory, so extend the search backwards as far as log retention allows and as threat intelligence indicates.
Check the integrity of security policies: rules added, modified or deleted without justification.
If suspicious activity is detected, treat the device as potentially compromised and initiate a forensic analysis process. Collect a technical support file and any volatile evidence before you reboot, reset or upgrade the device, because those actions destroy exactly what the investigation needs.
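One way to carry out the policy integrity check in this step, as an added example that is not Palo Alto tooling: compare the security rulebase in a known-good configuration export against the current one and report rules that were added, removed, modified or reordered. Ordering matters because a permissive rule moved to the top of the rulebase is as effective for an attacker as a new one. The script reads the XML layout a PAN-OS config export uses (devices/entry/vsys/entry/rulebase/security/rules/entry); both configurations below are constructed for the example:

```python
"""Diff the security rulebase between two PAN-OS configuration exports.

Added example, not Palo Alto tooling. BASELINE_XML and CURRENT_XML are constructed
in the layout of a PAN-OS config export, trimmed to the security rulebase.
"""
import xml.etree.ElementTree as ET

RULES_XPATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"

_WRAP = ('<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">'
         '<rulebase><security><rules>{rules}</rules></security></rulebase>'
         '</entry></vsys></entry></devices></config>')

RULE_BLOCK = ('<entry name="block-known-bad"><from><member>untrust</member></from><to><member>any</member></to>'
              '<source><member>bad-actors</member></source><destination><member>any</member></destination>'
              '<application><member>any</member></application><service><member>any</member></service>'
              '<action>deny</action></entry>')
RULE_WEB = ('<entry name="allow-web"><from><member>trust</member></from><to><member>untrust</member></to>'
            '<source><member>any</member></source><destination><member>any</member></destination>'
            '<application><member>web-browsing</member><member>ssl</member></application>'
            '<service><member>application-default</member></service><action>allow</action></entry>')
RULE_DNS_BASE = ('<entry name="allow-dns"><from><member>trust</member></from><to><member>untrust</member></to>'
                 '<source><member>any</member></source><destination><member>any</member></destination>'
                 '<application><member>dns</member></application>'
                 '<service><member>application-default</member></service><action>allow</action></entry>')
# Tampered copy: the DNS rule now allows any application.
RULE_DNS_NOW = RULE_DNS_BASE.replace("<member>dns</member>", "<member>any</member>")
# Rule that appears only in the current config: inbound allow from an external range.
RULE_MGMT = ('<entry name="mgmt-any"><from><member>untrust</member></from><to><member>trust</member></to>'
             '<source><member>198.51.100.0/24</member></source><destination><member>any</member></destination>'
             '<application><member>any</member></application><service><member>any</member></service>'
             '<action>allow</action></entry>')
RULE_DENY = ('<entry name="deny-all"><from><member>any</member></from><to><member>any</member></to>'
             '<source><member>any</member></source><destination><member>any</member></destination>'
             '<application><member>any</member></application><service><member>any</member></service>'
             '<action>deny</action></entry>')

BASELINE_XML = _WRAP.format(rules=RULE_BLOCK + RULE_WEB + RULE_DNS_BASE + RULE_DENY)
CURRENT_XML = _WRAP.format(rules=RULE_MGMT + RULE_DNS_NOW + RULE_WEB + RULE_DENY)


def load_rules(xml_text: str) -> dict[str, dict[str, tuple]]:
    """Map rule name -> {field: canonical value}, preserving rulebase order.

    Multi-member fields become a sorted tuple of member texts; scalar fields a 1-tuple.
    """
    root = ET.fromstring(xml_text)
    rules: dict[str, dict[str, tuple]] = {}
    for entry in root.iterfind(RULES_XPATH):
        fields = {}
        for child in entry:
            members = tuple(sorted((m.text or "").strip() for m in child.findall("member")))
            fields[child.tag] = members if members else ((child.text or "").strip(),)
        rules[entry.get("name")] = fields
    return rules


def diff_rulebase(baseline_xml: str, current_xml: str) -> dict:
    """Report added, removed and modified rules, and whether surviving rules changed order."""
    before, after = load_rules(baseline_xml), load_rules(current_xml)
    modified = {}
    for name in before:
        if name in after and before[name] != after[name]:
            keys = set(before[name]) | set(after[name])
            modified[name] = sorted(k for k in keys if before[name].get(k) != after[name].get(k))
    common_before = [n for n in before if n in after]
    common_after = [n for n in after if n in before]
    return {
        "added": [n for n in after if n not in before],
        "removed": [n for n in before if n not in after],
        "modified": modified,
        "reordered": common_before != common_after,
    }


if __name__ == "__main__":
    for key, value in diff_rulebase(BASELINE_XML, CURRENT_XML).items():
        print(f"{key}: {value}")
```

Point it at a baseline you trust (a config backup taken before the exposure window) and the current running config. Scope the review beyond the security rulebase too: administrator accounts, certificates, NAT rules and scheduled jobs are equally attractive places for an implant to leave changes.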
Cybersecurity as a strategic priority
CVE-2026-0300 is a stark reminder that the devices protecting infrastructure are not exempt from being the first to be compromised. The window between the disclosure of a critical zero-day on an edge device and its mass exploitation is now measured in hours, not days.
Organisations that want to maintain a real security posture in 2026 need three concrete capabilities: continuous visibility over the state and configuration of their edge devices, an accelerated response process for critical CVEs on high-priority assets, and the ability to apply emergency mitigations before patches arrive. Without those capabilities, the next zero-day will find exactly the same gap that CVE-2026-0300 is exploiting this week.
Apolo Cybersecurity: response before the patch
At Apolo Cybersecurity we help SOC teams and security leaders manage exactly these situations: critical active vulnerabilities in edge devices with unpatched windows. We work on exposure identification in firewalls and network devices, emergency mitigation implementation, continuous monitoring with real-time IoC correlation, post-incident forensic analysis, and support throughout urgent patching processes.
If your organisation has Palo Alto PA-Series or VM-Series firewalls and you are not certain about your exposure level to CVE-2026-0300, now is the time to verify it. Not after May 13.