
Palo Alto PAN-OS Vulnerability Under Active Exploitation Enables Remote Code Execution
PAN-OS Vulnerability Actively Exploited in the Wild
Palo Alto Networks has disclosed a critical security vulnerability identified as CVE-2026-0300 that impacts PAN-OS firewall software. The flaw is a buffer overflow vulnerability within the User-ID Authentication Portal, also known as the Captive Portal service. Successful exploitation could allow attackers to execute arbitrary code remotely with root privileges. The vulnerability has received a critical CVSS severity score of 9.3 due to its potential for unauthenticated remote exploitation over the network.

How the Exploit Works
According to security advisories, attackers can exploit the flaw by sending specially crafted packets to vulnerable PAN-OS devices configured with the User-ID Authentication Portal enabled. The issue is categorized as an out-of-bounds write weakness, the class of bug commonly associated with buffer overflow attacks. Researchers observed attackers targeting internet-exposed authentication portals to gain unauthorized remote access. Once exploited, attackers may obtain root-level control of affected firewalls, potentially allowing traffic interception, lateral movement, and espionage activities.
“Limited exploitation has already been observed targeting exposed PAN-OS systems.”
Active Exploitation Confirmed
Security researchers reported exploitation attempts beginning in early April 2026, with successful remote code execution observed shortly afterward. Threat actors reportedly attempted to erase crash logs and forensic traces after compromising vulnerable systems. The attacks mainly targeted publicly exposed User-ID Authentication Portals, reinforcing concerns about internet-facing security appliances becoming high-value attack targets.
Mitigation Recommendations
Organizations using affected PAN-OS versions should immediately implement mitigation measures and prepare for emergency patch deployment. Recommended actions include:
- Restrict User-ID Authentication Portal access to trusted internal IP addresses
- Disable the Authentication Portal if not required
- Prevent exposure of management interfaces to the public internet
- Apply the latest PAN-OS security updates once available
- Monitor firewall logs for suspicious authentication activity
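The steps above can be turned into a repeatable check. The following Python script is an added example written for this page, not code from Palo Alto Networks or from the advisory: it audits a simplified firewall configuration for the first three recommendations (portal exposure on public-facing interfaces, missing source restrictions, management services on public interfaces) and scans authentication log lines for the last one. The Interface and PortalConfig data model, the management_profile flag, and the key=value log format are hypothetical simplifications constructed for illustration; they are not the PAN-OS configuration schema, API, or log format. Only RFC 1918 ranges are treated as "trusted internal" here.

```python
"""Audit a simplified firewall config and portal auth logs against the
mitigation steps for an exposed Authentication (Captive) Portal.

Added example. The data model and log format below are hypothetical,
constructed for illustration; they are NOT the PAN-OS schema, API or log format.
"""
from dataclasses import dataclass, field
import ipaddress

# Trusted internal ranges (RFC 1918); anything else is treated as public-facing.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Interface:
    name: str
    zone: str
    address: str                      # interface address in CIDR form, e.g. "203.0.113.10/24"
    management_profile: bool = False  # hypothetical flag: HTTPS/SSH management allowed on this interface


@dataclass
class PortalConfig:
    enabled: bool
    interfaces: list                                      # names of interfaces the portal listens on
    allowed_sources: list = field(default_factory=list)   # CIDRs allowed to reach the portal; empty = any
    required: bool = True                                 # does the business actually need the portal?


def is_public(address_cidr: str) -> bool:
    """True if the interface address is outside RFC 1918, loopback and link-local space."""
    addr = ipaddress.ip_interface(address_cidr).ip
    in_private = any(addr.version == n.version and addr in n for n in PRIVATE_NETS)
    return not (in_private or addr.is_loopback or addr.is_link_local)


def audit(portal: PortalConfig, interfaces: list) -> list:
    """Return one finding string per unmet recommendation (empty list = all satisfied)."""
    findings = []
    by_name = {i.name: i for i in interfaces}
    if portal.enabled and not portal.required:
        findings.append("portal enabled but not required: disable it")
    if portal.enabled:
        for name in portal.interfaces:
            iface = by_name.get(name)
            if iface is None:
                findings.append(f"portal bound to unknown interface {name}")
            elif is_public(iface.address):
                findings.append(f"portal reachable on public-facing interface {name} ({iface.address})")
        if not portal.allowed_sources:
            findings.append("portal has no source restriction: limit it to trusted internal ranges")
        for src in portal.allowed_sources:
            net = ipaddress.ip_network(src, strict=False)
            if not any(net.version == p.version and net.subnet_of(p) for p in PRIVATE_NETS):
                findings.append(f"portal allow-list contains non-internal range {src}")
    for iface in interfaces:
        if iface.management_profile and is_public(iface.address):
            findings.append(f"management services exposed on public interface {iface.name}")
    return findings


def suspicious_auth_events(log_lines: list, allowed_sources: list, burst_threshold: int = 5) -> list:
    """Flag portal auth events from sources outside the allow-list (once per source)
    and sources with >= burst_threshold failed attempts. Constructed key=value log format."""
    allowed = [ipaddress.ip_network(s, strict=False) for s in allowed_sources]
    external, failures = [], {}
    for line in log_lines:
        if "portal-auth" not in line:
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        src = fields.get("src")
        if src is None:
            continue
        ip = ipaddress.ip_address(src)
        if src not in external and not any(ip.version == n.version and ip in n for n in allowed):
            external.append(src)
        if fields.get("result") == "fail":
            failures[src] = failures.get(src, 0) + 1
    alerts = [f"portal auth from non-allowlisted source {s}" for s in external]
    alerts += [f"{n} failed portal auth attempts from {s}" for s, n in failures.items() if n >= burst_threshold]
    return alerts


# Constructed sample data (not from any real device).
INTERFACES = [
    Interface("ethernet1/1", "untrust", "203.0.113.10/24", management_profile=True),
    Interface("ethernet1/2", "trust", "10.1.0.1/24"),
]
SAMPLE_LOG = [
    "2026-04-03T10:15:01Z portal-auth src=10.1.0.50 user=alice result=fail",
    "2026-04-03T10:15:09Z portal-auth src=10.1.0.50 user=alice result=success",
] + [f"2026-04-03T10:2{i}:00Z portal-auth src=198.51.100.7 user=- result=fail" for i in range(5)]


def example_exposed() -> list:
    """Portal on a public interface, no allow-list, management on the public interface."""
    return audit(PortalConfig(enabled=True, interfaces=["ethernet1/1", "ethernet1/2"]), INTERFACES)


def example_hardened() -> list:
    """Portal only on the trust interface, allow-listed to 10.0.0.0/8, no public management."""
    hardened = [Interface("ethernet1/1", "untrust", "203.0.113.10/24"), INTERFACES[1]]
    return audit(PortalConfig(enabled=True, interfaces=["ethernet1/2"], allowed_sources=["10.0.0.0/8"]), hardened)


def example_alerts() -> list:
    return suspicious_auth_events(SAMPLE_LOG, ["10.0.0.0/8"])


if __name__ == "__main__":
    for f in example_exposed() + example_alerts():
        print("FINDING:", f)
    print("hardened config findings:", example_hardened())
```

Running the script prints three configuration findings for the exposed layout (portal on the public interface, no source restriction, management on the public interface), none for the hardened layout, and two log alerts for the constructed external source: one for reaching the portal from outside the allow-list and one for the burst of failed attempts.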
Why This Vulnerability Matters
Firewall appliances sit at the edge of enterprise infrastructure and inspect sensitive inbound and outbound traffic. A successful compromise can give attackers visibility into network communications and create opportunities for deeper intrusion into internal systems. Because PAN-OS firewalls are widely deployed across enterprise environments, rapid remediation is considered essential to reduce exposure to ongoing attacks.