Palo Alto Networks firewalls have a critical hole that lets attackers run code as root - hackers are already using it, no patch until May 13 (CVE-2026-0300)

Palo Alto Networks confirmed Wednesday that attackers are exploiting a zero-day in its firewall login portal to run code as root on PA-Series and VM-Series firewalls. CVE-2026-0300 (CVSS 9.3) is a buffer overflow in the User-ID Authentication Portal (Captive Portal) that lets unauthenticated attackers send crafted packets and execute code without any login. Palo Alto Unit 42 attributed the activity to CL-STA-1132, a likely state-sponsored cluster that started probing on April 9 and achieved RCE a week later. Attackers deploy tunneling tools and enumerate Active Directory using the firewall's service account. First patches arrive May 13. Shadowserver counts 5,800+ exposed VM-Series firewalls.

Check

Inventory Palo Alto PA-Series and VM-Series firewalls. Check whether the User-ID Authentication Portal is enabled and reachable from untrusted IPs. Hunt nginx crash logs for evidence of clearing since April 9.

Affected

PA-Series and VM-Series firewalls running PAN-OS with the User-ID Authentication Portal exposed to public internet or untrusted IPs. CVE-2026-0300, CVSS 9.3 (8.7 if portal restricted to internal IPs). Prisma Access, Cloud NGFW, and Panorama are NOT affected. Shadowserver tracks 5,800+ exposed VM-Series instances; thousands more likely sit behind load balancers.

Fix

Restrict the User-ID Authentication Portal to trusted internal networks - this is the primary mitigation until patches arrive. Disable the portal entirely if not strictly required. Block ports 6081 and 6082 from untrusted IPs. Stage May 13 patches: 12.1.4-h5, 11.2.7-h13, 11.1.4-h33, 10.2.10-h36. Treat any compromised firewall as a domain-wide breach starting point - rotate firewall service account credentials.