
Palo Alto Networks warns of firewall RCE zero-day exploited in attacks

Published:

6 May 2026 at 09:18:16

Alert date:

6 May 2026 at 10:01:38

Source:

bleepingcomputer.com


Network Infrastructure, Zero-Day Vulnerabilities

Palo Alto Networks has warned customers about a critical-severity unpatched remote code execution vulnerability in the PAN-OS User-ID Authentication Portal that is being actively exploited in attacks. This represents a zero-day vulnerability affecting Palo Alto Networks firewall systems, posing significant risk to network security infrastructure. The vulnerability allows attackers to execute arbitrary code remotely, potentially compromising entire network security perimeters.

Technical details

The critical-severity zero-day vulnerability in the PAN-OS User-ID Authentication Portal (Captive Portal) stems from a buffer overflow weakness. It allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets. Limited exploitation has been observed, targeting User-ID Authentication Portals exposed to untrusted IP addresses and/or the public internet. Over 5,800 PAN-OS VM-Series firewalls are currently exposed online, mostly in Asia (2,466) and North America (1,998).

Mitigation steps:

Check whether the portal is enabled on the firewall's User-ID Authentication Portal Settings page: Device > User Identification > Authentication Portal Settings > Enable Authentication Portal. Secure the User-ID Authentication Portal by restricting access to trusted zones only. If restricting access is not possible, disable the portal entirely. Follow standard security best practices by restricting sensitive portals to trusted internal networks.
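An added example (not from the advisory or from Palo Alto Networks) that audits an exported configuration for the condition described above: the portal is enabled and an interface outside the trusted zones serves it. The XML element names, the assumption that an Interface Management profile's Response Pages setting is what exposes the portal on an interface, and the sample configuration are all constructed for illustration; check them against your own export.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export; element names are assumptions
# about the exported layout and must be checked against your own file.
SAMPLE = """<config><devices><entry name="localhost.localdomain">
<network>
 <profiles><interface-management-profile>
  <entry name="portal-pages"><response-pages>yes</response-pages></entry>
 </interface-management-profile></profiles>
 <interface><ethernet>
  <entry name="ethernet1/1"><layer3>
   <interface-management-profile>portal-pages</interface-management-profile>
  </layer3></entry>
  <entry name="ethernet1/2"><layer3>
   <interface-management-profile>portal-pages</interface-management-profile>
  </layer3></entry>
 </ethernet></interface>
</network>
<vsys><entry name="vsys1">
 <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
 <zone>
  <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
 </zone>
</entry></vsys>
</entry></devices></config>"""

def audit_portal(xml_text, trusted_zones):
    """List (zone, interface, profile) where the portal is reachable outside trusted zones."""
    root = ET.fromstring(xml_text)
    # Portal disabled everywhere: nothing to report (single-vsys simplification).
    if not any((e.text or "").strip() == "yes" for e in root.iter("enable-captive-portal")):
        return []
    # Profiles that serve response pages (assumed to include the portal).
    serving = {p.get("name") for p in root.findall(".//interface-management-profile/entry")
               if (p.findtext("response-pages") or "").strip() == "yes"}
    # Map each layer-3 interface to the zone it belongs to.
    zone_of = {m.text.strip(): z.get("name") for z in root.findall(".//zone/entry")
               for m in z.findall("network/layer3/member")}
    findings = []
    for iface in root.findall(".//interface/ethernet/entry"):
        profile = (iface.findtext("layer3/interface-management-profile") or "").strip()
        zone = zone_of.get(iface.get("name"))  # None when the interface has no zone
        if profile in serving and zone not in trusted_zones:
            findings.append((zone, iface.get("name"), profile))
    return findings

if __name__ == "__main__":
    for finding in audit_portal(SAMPLE, trusted_zones={"trust"}):
        print("portal reachable outside trusted zones:", finding)
```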

Affected products:

PAN-OS User-ID Authentication Portal
PA-Series firewalls
VM-Series firewalls
CN-Series firewalls


This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information originating from external sources. Perceptive accepts no responsibility for the content, accuracy, or completeness of this information.
