PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage
Summary
Palo Alto Networks has identified an active exploit targeting a critical vulnerability, CVE-2026-0300, in its PAN-OS software. This buffer overflow vulnerability in the User-ID Authentication Portal service allows unauthenticated attackers to gain root access and potentially conduct espionage.
IFF Assessment
The exploitation of a critical vulnerability leading to root access and espionage represents a significant threat to defenders.
Severity
The CVSS score of 9.3 indicates critical severity, reflecting the potential for remote exploitation by unauthenticated attackers and the significant impact that follows, including privilege escalation to root access and espionage.
CISA KEV: Listed as actively exploited. Federal patch due: May 09, 2026. Known ransomware use: Unknown.
Defender Context
Defenders must prioritize patching PAN-OS devices against CVE-2026-0300 immediately, as it is under active exploitation. Monitoring network traffic for signs of unusual activity or unauthorized access attempts related to the User-ID Authentication Portal service is crucial. Organizations should also review their incident response plans for handling potential data exfiltration or espionage.