CISA Warns of Critical Palo Alto PAN-OS Vulnerability Exploited for Root Access
Key Takeaways A critical out-of-bounds write vulnerability (CVE-2026-0300) in Palo Alto Networks PAN-OS has been identified. The flaw allows unauthenticated attackers to achieve root access and...
Key Takeaways
- A critical out-of-bounds write vulnerability (CVE-2026-0300) in Palo Alto Networks PAN-OS has been identified.
- The flaw allows unauthenticated attackers to achieve root access and arbitrary code execution on vulnerable firewall appliances.
- CISA has added this CVE to its Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild.
- Both physical PA-Series and virtual VM-Series firewalls running specific PAN-OS versions are affected.
- Temporary mitigations are available, with a permanent patch from Palo Alto Networks pending release.
The Cybersecurity and Infrastructure Security Agency (CISA) has issued an urgent alert concerning a critical security vulnerability within Palo Alto Networks’ PAN-OS software, which powers its firewall appliances. This flaw, designated as CVE-2026-0300, has been observed under active exploitation by malicious actors, prompting its immediate inclusion in CISA’s Known Exploited Vulnerabilities catalog on May 6, 2026.
Table Of Content
Understanding the Vulnerability
At its core, CVE-2026-0300 is an out-of-bounds write vulnerability impacting the PAN-OS User-ID Authentication Portal, often referred to as the Captive Portal service. This memory corruption issue, classified as CWE-787, arises when the software attempts to write data beyond the allocated boundaries of a memory buffer. Threat actors can trigger this flaw by transmitting specially crafted network packets to the vulnerable Captive Portal service.
A successful exploit grants the attacker the ability to execute arbitrary code with root-level privileges on the affected device. Such extensive access completely compromises the security appliance, allowing attackers to bypass existing security policies, intercept sensitive network traffic, modify configuration files, or leverage the compromised firewall as a launchpad for deeper incursions into internal networks.
The vulnerability specifically affects both physical PA-Series and virtual VM-Series firewalls operating vulnerable versions of PAN-OS.
Active Exploitation and Threat Landscape
CISA’s decision to add this flaw to its catalog of actively exploited vulnerabilities confirms that threat actors are actively leveraging it in real-world attacks. While it remains unclear whether these exploits are currently linked to ransomware campaigns, the capability for unauthenticated root access presents an extremely high risk.
Network edge devices, such as Palo Alto firewalls, are prime targets for advanced persistent threats due to their strategic position outside traditional internal security perimeters. They serve as a direct gateway into corporate environments, making their compromise particularly severe.
Federal Civilian Executive Branch (FCEB) agencies are under a strict mandate, Binding Operational Directive (BOD) 22-01, to address this specific threat by May 9, 2026. As an official permanent patch from Palo Alto Networks is still forthcoming, organizations must implement immediate temporary workarounds to safeguard their systems.
What You Should Do
- Restrict Access: Immediately limit network access to the User-ID Authentication Portal. Ensure it is accessible only from strictly trusted internal network zones and completely inaccessible from the public internet.
- Monitor Vendor Communications: Maintain heightened vigilance and closely monitor official communications from Palo Alto Networks for the release of a permanent firmware update.
- Prepare for Patching: Be ready to deploy the official firmware update as soon as it becomes publicly available to fully mitigate this critical vulnerability.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.