Palo Alto Networks firewall flaw has been exploited for several weeks
Summary
A critical zero-day vulnerability, CVE-2026-0300, has been discovered in the User-ID Authentication Portal of Palo Alto Networks' PAN-OS firewall system. Suspected state-sponsored hackers have been exploiting the flaw for weeks to execute code with root privileges on vulnerable firewalls. Palo Alto Networks is working on patches, expected May 13, and advises customers to restrict access to the portal or disable it in the interim.
IFF Assessment
This vulnerability allows attackers to gain root privileges on critical network infrastructure, posing a significant threat to organizations.
Severity
The vulnerability allows remote code execution with root privileges (Attack Vector: Network, Privileges Required: None, User Interaction: None) and has a significant impact on confidentiality, integrity, and availability.
CISA KEV: Listed as actively exploited. Federal patch due: May 09, 2026. Known ransomware use: Unknown.
Defender Context
This incident highlights the ongoing risk of zero-day exploits in widely used network security devices. Defenders must prioritize applying patches for critical vulnerabilities as soon as the patches become available and implement strict access controls on sensitive network components. Organizations should also monitor for signs of exploitation and have robust incident response plans in place.