Palo Alto Networks (NASDAQ: PANW) has confirmed that threat actors are actively exploiting a critical vulnerability in its PAN-OS firewall software, designated CVE-2026-0300. The flaw, which carries a severity score of 9.3, allows remote code execution with root-level access on affected devices, posing a serious risk to enterprise networks.
The vulnerability affects the User-ID Authentication Portal, or Captive Portal, on both PA-Series and VM-Series firewalls. Attackers can exploit the issue by sending specially crafted network packets, potentially gaining full control of the device without requiring authentication. Security researchers at Palo Alto's Unit 42 team, who are tracking the activity as CL-STA-1132, describe it as likely state-sponsored, though exploitation remains limited so far.
Patch Timeline and Mitigations
Palo Alto Networks has announced that initial software patches will begin rolling out on May 13, with additional updates scheduled for May 28. In the interim, customers are advised to implement mitigations, including restricting Authentication Portal access to trusted internal zones and disabling response pages on internet-facing interfaces. For those with a Threat Prevention subscription, enabling Threat ID 510019 is recommended as an additional layer of defense.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog on May 6, underscoring the urgency of addressing the flaw. Security experts warn that the patch gap increases risk. "Treat every internet-exposed PA-Series and VM-Series firewall as a compromise candidate until forensics prove otherwise," said Collin Hogue-Spears, senior director of solution management at Black Duck, in a statement.
Scope of Exposure
According to security firm Rapid7, Shodan scans have identified approximately 225,000 internet-facing PAN-OS instances, indicating broad exposure, though not all are necessarily vulnerable. The issue specifically affects PA-Series and VM-Series appliances when the Authentication Portal is enabled; Prisma Access, Cloud NGFW, and Panorama are not impacted. The vulnerability sits at the network edge, where firewalls connect internal systems to the internet, making exploitation particularly dangerous.
Attack Chain and Implications
Unit 42 researchers noted that after gaining initial access, attackers used open-source tunneling tools like EarthWorm and ReverseSocks5 to pivot toward Active Directory, Microsoft's identity and access management platform. This escalation can transform a firewall compromise into a broader identity security incident, potentially affecting user controls across an organization. The attackers also wiped logs and other traces to cover their tracks.
The extent of the damage will depend on how many customers left the portal exposed to untrusted networks and how quickly mitigations are deployed. If scanning activity intensifies before patches are available, Palo Alto Networks could face a larger cleanup effort and reputational challenges, though the company notes that customers following standard security practices face reduced risk.
Market Reaction
Despite the security alert, Palo Alto Networks shares rose approximately 7% on Thursday, trading near $196.53, as cybersecurity stocks broadly rallied. The sector was buoyed by strong earnings from Fortinet (NASDAQ: FTNT) and renewed investor interest in AI-driven security software. CrowdStrike (NASDAQ: CRWD) and Zscaler (NASDAQ: ZS) also posted gains, with Fortinet's results lifting sentiment across the group. For Palo Alto, the immediate focus remains on helping customers seal the vulnerable portals ahead of the patch cycle.