Palo Alto Networks warns that a critical zero-day vulnerability has been discovered in the PAN-OS firewall system. The vulnerability has already been exploited by suspected state-sponsored hackers for nearly a month, reports Bleeping Computer.
The vulnerability, CVE-2026-0300, is located in the User-ID Authentication Portal (also known as the Captive Portal) and allows attackers to execute code with root privileges on exposed PA and VM series firewalls without first logging in.
The security organization Shadowserver estimates that over 5,400 PAN-OS VM firewalls are exposed to the internet, primarily in Asia and North America.
Palo Alto Networks is still working on security updates. These are expected to begin rolling out on May 13. Until then, customers are advised to restrict access to the Authentication Portal to trusted networks or disable the feature entirely.