Unauthenticated RCE vulnerability in Palo Alto PAN-OS User-ID Authentication Portal under active exploitation
Summary
A critical unauthenticated remote code execution (RCE) vulnerability in the Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300) remains under active exploitation, and new details on exposure and mitigation have emerged. The flaw lets an unauthenticated attacker execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets to an internet-exposed User-ID Authentication Portal. Palo Alto Networks confirms "limited exploitation" against systems whose portal is reachable from untrusted networks, while Shadowserver counts over 5,800 VM-Series instances exposed online, mostly in Asia and North America. No official patches are available yet; fixes are scheduled to begin shipping on May 13, 2026, and until then the company urges customers to restrict portal access to trusted zones or disable the portal as a temporary mitigation.
Timeline
- 06.05.2026 09:14 (2 articles)
Unauthenticated RCE in Palo Alto PAN-OS User-ID Authentication Portal exploited in the wild
Active exploitation of CVE-2026-0300 is confirmed; Palo Alto Networks describes it as a zero-day buffer overflow in the User-ID Authentication Portal (Captive Portal) that enables unauthenticated RCE with root privileges on PA-Series and VM-Series firewalls. Shadowserver exposure data shows over 5,800 PAN-OS VM-Series firewalls reachable online, predominantly in Asia (2,466) and North America (1,998), which indicates the scale of potential targets. Palo Alto Networks strongly recommends restricting portal access to trusted zones or disabling the portal until official patches begin shipping on May 13, 2026, and points admins to Device > User Identification > Authentication Portal Settings to verify how the portal is configured.
Sources:
- Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution — thehackernews.com — 06.05.2026 09:14
- Palo Alto Networks warns of firewall RCE zero-day exploited in attacks — www.bleepingcomputer.com — 06.05.2026 12:18
Information Snippets
- CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal (Captive Portal) service of Palo Alto PAN-OS.
  First reported: 06.05.2026 09:14 (2 sources: thehackernews.com, www.bleepingcomputer.com)
- Exploitation enables unauthenticated remote code execution with root privileges on affected PA-Series and VM-Series firewalls.
  First reported: 06.05.2026 09:14 (2 sources: thehackernews.com, www.bleepingcomputer.com)
- Exploitation requires network access to the User-ID Authentication Portal. The risk is greatest where the portal is reachable from untrusted networks (e.g., the internet); limiting access to trusted internal IP addresses only removes that exposure but is a mitigation, not a fix.
  First reported: 06.05.2026 09:14 (2 sources: thehackernews.com, www.bleepingcomputer.com)
- Affected PAN-OS versions span the 12.1.x, 11.2.x, 11.1.x, and 10.2.x release trains, each with its own fix threshold; check the vendor advisory for the exact fixed version in your train.
  First reported: 06.05.2026 09:14 (1 source: thehackernews.com)
- Palo Alto Networks reports "limited exploitation" targeting instances with publicly accessible User-ID Authentication Portals.
  First reported: 06.05.2026 09:14 (2 sources: thehackernews.com, www.bleepingcomputer.com)
- No official patches are available as of May 6, 2026; fixes are scheduled to begin shipping on May 13, 2026.
  First reported: 06.05.2026 09:14 (1 source: thehackernews.com)
- CVE-2026-0300 is described as a zero-day vulnerability in the Palo Alto PAN-OS User-ID Authentication Portal (Captive Portal).
  First reported: 06.05.2026 12:18 (1 source: www.bleepingcomputer.com)
- Shadowserver reports over 5,800 PAN-OS VM-Series firewalls exposed online, predominantly in Asia (2,466) and North America (1,998).
  First reported: 06.05.2026 12:18 (1 source: www.bleepingcomputer.com)
- Palo Alto Networks advises restricting access to trusted zones or disabling the User-ID Authentication Portal as a temporary mitigation until patches are available.
  First reported: 06.05.2026 12:18 (1 source: www.bleepingcomputer.com)
- Admins can verify the portal configuration under Device > User Identification > Authentication Portal Settings.
  First reported: 06.05.2026 12:18 (1 source: www.bleepingcomputer.com)
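The two mitigation steps above (confirm whether the portal is enabled, and confirm it is not reachable from untrusted networks) can be scripted. The following is an added example, not code from either article or from Palo Alto Networks. It assumes that an exported PAN-OS running config places the Authentication Portal under the vsys `captive-portal` node with an `enable-captive-portal` child (the config schema still uses the old Captive Portal name), and that the portal's TCP listeners are the commonly documented ports 6080, 6081 and 6082; both are assumptions to verify against the vendor documentation. The config excerpt embedded in the script is constructed for illustration.

```python
"""Exposure check for the PAN-OS User-ID Authentication Portal.

Two checks an admin can run while waiting for the fix:
  1. Parse an exported running config (XML) and report, per vsys, whether
     the Authentication Portal is enabled and in which mode.
  2. From an *untrusted* vantage point (e.g. a host on the internet side),
     test whether the portal's TCP listeners complete a handshake. If they
     do, the portal is reachable from that network and the vendor's
     "restrict to trusted zones" mitigation is not in effect.
"""
import socket
import sys
import xml.etree.ElementTree as ET

# Assumption: 6080 (HTTP redirect) and 6081/6082 (HTTPS) are the portal's
# documented listeners; confirm against the vendor docs before relying on it.
PORTAL_PORTS = (6080, 6081, 6082)

# Constructed sample in the shape of a PAN-OS running-config excerpt:
# vsys1 has the portal enabled, vsys2 disabled, vsys3 never configured.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys>
    <entry name="vsys1">
      <captive-portal>
        <enable-captive-portal>yes</enable-captive-portal>
        <mode>redirect</mode>
      </captive-portal>
    </entry>
    <entry name="vsys2">
      <captive-portal>
        <enable-captive-portal>no</enable-captive-portal>
      </captive-portal>
    </entry>
    <entry name="vsys3"/>
  </vsys></entry></devices>
</config>"""


def portal_status(config_xml: str) -> dict:
    """Return {vsys_name: {"enabled": bool, "mode": str or None}}.

    Assumption: the portal lives at /config/devices/entry/vsys/entry/captive-portal.
    A vsys without that node is reported as disabled.
    """
    root = ET.fromstring(config_xml)
    result = {}
    for vsys in root.iterfind("./devices/entry/vsys/entry"):
        cp = vsys.find("captive-portal")
        enabled = cp is not None and (cp.findtext("enable-captive-portal") or "no").strip() == "yes"
        mode = cp.findtext("mode") if cp is not None else None
        result[vsys.get("name")] = {"enabled": enabled, "mode": mode}
    return result


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def reachable_portal_ports(host: str, ports=PORTAL_PORTS, timeout: float = 2.0) -> list:
    """Ports on which a portal listener answers from this vantage point."""
    return [p for p in ports if tcp_open(host, p, timeout)]


def assess(config_xml: str, host: str = "") -> list:
    """Human-readable findings; the network probe runs only when host is given."""
    findings = []
    for name, st in portal_status(config_xml).items():
        state = "ENABLED" if st["enabled"] else "disabled"
        mode = f" (mode={st['mode']})" if st["mode"] else ""
        findings.append(f"{name}: Authentication Portal {state}{mode}")
    if host:
        open_ports = reachable_portal_ports(host)
        if open_ports:
            findings.append(f"{host}: portal listeners reachable on {open_ports}; "
                            "restrict to trusted zones or disable the portal")
        else:
            findings.append(f"{host}: no portal listener reachable from here")
    return findings


if __name__ == "__main__":
    # Usage: python portal_check.py [firewall-ip]  (probe only from an untrusted network)
    for line in assess(SAMPLE_CONFIG, sys.argv[1] if len(sys.argv) > 1 else ""):
        print(line)
```

Run the probe from a host outside the trusted zones; a handshake that completes on any of the listed ports means the portal is reachable from that network regardless of what the GUI setting says. A disabled portal or a closed port is a mitigation only, and the firewall still needs the fixed PAN-OS release once it ships.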
Similar Happenings
High-Severity DoS Vulnerability in Palo Alto Networks Firewalls
Palo Alto Networks has patched a high-severity DoS vulnerability (CVE-2026-0227) affecting PAN-OS firewalls (versions 10.1 and later) and Prisma Access configurations with GlobalProtect enabled. The flaw allows unauthenticated attackers to disable firewall protections through repeated DoS attacks, forcing the firewall into maintenance mode. A proof-of-concept (PoC) exploit exists, and the vulnerability arises from an improper check for exceptional conditions (CWE-754). Most cloud-based Prisma Access instances have been patched, but some remain in progress. No evidence of exploitation has been found yet. Palo Alto Networks has released security updates for all affected versions, advising admins to upgrade to the latest releases. The vulnerability highlights the ongoing targeting of Palo Alto firewalls, which have been frequently exploited in recent attacks.
Increased Scanning Activity on Palo Alto Networks Login Portals
A significant increase in scanning activity targeting Palo Alto Networks login portals was observed on October 3, 2025. The activity involved 1,300 unique IP addresses, with 91% classified as suspicious and 7% as malicious. The scans were geolocated primarily in the U.S., with smaller clusters in the U.K., the Netherlands, Canada, and Russia. They were directed at Palo Alto GlobalProtect and PAN-OS profiles, indicating targeted reconnaissance. This surge shares characteristics with recent scanning activity against Cisco ASA devices, which was followed by the disclosure of zero-day vulnerabilities.

An automated campaign targeting multiple VPN platforms, including Palo Alto Networks GlobalProtect and Cisco SSL VPN, was observed starting on December 11, 2025. Login attempts against GlobalProtect portals peaked at 1.7 million during a 16-hour period. The attacks originated from more than 10,000 unique IP addresses, primarily from the 3xK GmbH (Germany) IP space, and targeted infrastructure in the United States, Mexico, and Pakistan. The threat actor reused common username and password combinations, with most requests carrying an uncommon Firefox user agent characteristic of automated login activity. The activity reflects scripted credential probing designed to identify exposed or weakly protected GlobalProtect portals. On December 12, 2025, activity from the same hosting provider with the same TCP fingerprint began probing Cisco SSL VPN endpoints, with unique attacking IPs jumping to 1,273 from a normal baseline of fewer than 200. The login payloads followed normal SSL VPN authentication flows, indicating automated credential attacks rather than exploitation. Palo Alto Networks confirmed the activity and recommended strong passwords and multi-factor authentication.
Multiple Critical Vulnerabilities in SolarWinds Web Help Desk
SolarWinds has released security updates to address multiple critical vulnerabilities in SolarWinds Web Help Desk, including CVE-2025-40536, CVE-2025-40537, CVE-2025-40551, CVE-2025-40552, CVE-2025-40553, and CVE-2025-40554. These vulnerabilities could result in authentication bypass and remote code execution (RCE). CVE-2025-40551 is actively exploited in attacks and has been added to CISA's KEV catalog. SolarWinds Web Help Desk is used by more than 300,000 customers worldwide, including government agencies, large corporations, healthcare organizations, and educational institutions.

SolarWinds has also released security updates to patch four critical Serv-U remote code execution vulnerabilities that could grant attackers root access to unpatched servers. The most severe, CVE-2025-40538, allows attackers with high privileges to gain root or admin permissions on vulnerable servers. The four flaws comprise a broken access control flaw, two type confusion flaws, and an Insecure Direct Object Reference (IDOR) vulnerability; all of them require the attacker to already hold high privileges on the targeted server.