Palo Alto Networks warns of firewall RCE zero-day exploited in attacks

Palo Alto Networks warned customers that a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks. The vulnerability, tracked as CVE-2026-0300, stems from a buffer overflow weakness that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets. Palo Alto Networks said in a Wednesday advisory that limited exploitation has been observed targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks, are at a greatly reduced risk. Shadowserver is tracking over 5,800 PAN-OS VM-series firewalls exposed online, most of them in Asia and North America. Palo Alto Networks has flagged the vulnerability as the highest possible severity. The company is still working to address the zero-day. Until a patch is available, it strongly recommends that customers secure the User-ID Authentication Portal