🚨 CRITICAL ALERT: Active Zero-Day Exploits
URGENT: Palo Alto Networks PAN-OS firewalls are under active exploitation in the wild via a critical zero-day buffer overflow. CISA has added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog on May 6, 2026. Unauthenticated attackers achieve root RCE—patch and mitigate immediately to prevent full device compromise.
Critical Vulnerabilities (CVSS >= 8.0)
- CVE-2026-0300 (CVSS: 9.3): A buffer overflow vulnerability (CWE-787) in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. The risk is greatly reduced if portal access is restricted to trusted internal IPs, per Palo Alto Networks best-practice guidelines. Prisma Access, Cloud NGFW, and Panorama are not affected. Confirmed exploited by state-sponsored actors. View NVD | CISA KEV
⚡ Immediate Actions Required
- Verify exposure: Check whether the User-ID Authentication Portal is enabled and reachable from the internet or other untrusted networks, via the CLI (`show user user-id-service status`) or the GUI.
- Apply mitigations NOW: Restrict portal access to trusted internal IPs only (see the Palo Alto advisory). Disable the portal if it is not needed.
- Patch urgently: Deploy fixed PAN-OS versions as soon as they are released; monitor the Palo Alto advisory for availability.
- Detect & respond: Hunt for suspicious traffic to the portal (TCP ports 80/443) from untrusted sources, anomalous processes running as root on the firewall, and Active Directory enumeration following a compromise. Ensure traffic and system logging is enabled and forwarded off-box.
- Scope assets: Inventory all PA/VM-Series firewalls—prioritize internet-facing ones.
Act now: Exploitation is automatable, requires no auth, and leads to full firewall takeover.

