# Palo Alto Networks warns of firewall RCE zero-day exploited in attacks

_Thursday, June 25, 2026 at 11:42 PM EDT · Cybersecurity · Latest · Tier 2 — Notable_

![Palo Alto Networks warns of firewall RCE zero-day exploited in attacks — Primary](https://www.bleepstatic.com/content/hl-images/2024/10/09/Palo-Alto-Networks.jpg)

Palo Alto Networks warned customers that a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being exploited in attacks. The vulnerability, tracked as CVE-2026-0300, stems from a buffer overflow weakness that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.

Palo Alto Networks said in a Wednesday advisory that limited exploitation has been observed targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks, are at a greatly reduced risk.

Shadowserver is tracking over 5,800 PAN-OS VM-series firewalls exposed online, most of them in Asia and North America. Palo Alto Networks has flagged the vulnerability as the highest possible severity.

The company is still working to address the zero-day. Until a patch is available, it strongly recommends that customers secure the User-ID Authentication Portal by restricting access to trusted zones only or disabling the portal if that is not possible. Palo Alto Networks said the first updates are expected to be available on May 13, 2026, and noted that the issue does not impact Cloud NGFW or Panorama appliances.

## Sources

- [BleepingComputer](https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-actively-exploited-firewall-zero-day/)

---
Canonical: https://techandbusiness.org/newswire/G4YDCbE0wNFsnngWEnlvEF
Retrieved: 2026-06-26T08:01:22.333Z
Publisher: Tech & Business (techandbusiness.org)