Palo Alto warns PAN-OS RCE flaw is under active exploitation

Palo Alto Networks has warned customers that attackers are already exploiting a critical PAN-OS vulnerability, tracked as CVE-2026-0300, that can allow unauthenticated remote code execution with root privileges on exposed firewalls. The flaw affects the User-ID Authentication Portal, also known as Captive Portal, on PA-Series and VM-Series devices.
This is the kind of security issue that immediately jumps to the top of an enterprise patch queue, even before a patch is ready. A remotely exploitable bug in perimeter firewall software is already serious. The fact that Palo Alto says exploitation is underway turns it into a same-day exposure review for any organization running affected systems with the portal reachable from the public internet or another untrusted network.
According to Palo Alto and follow-up reporting from BleepingComputer, the vulnerability is a buffer overflow in the Authentication Portal service. The company says it can let an unauthenticated attacker execute arbitrary code as root by sending specially crafted packets to exposed instances. BleepingComputer also noted that Shadowserver was tracking more than 5,800 internet-exposed PAN-OS VM-Series firewalls at the time of reporting, which gives some sense of how many environments may need urgent review.
The immediate risk depends heavily on configuration. Palo Alto says the highest-risk systems are the ones with the User-ID Authentication Portal exposed to untrusted IP addresses or the open internet. Organizations that do not use the portal, or that have already restricted it to trusted internal networks, are in a better position. But this is exactly the sort of feature that can remain enabled longer than teams realize, especially across inherited firewall templates or older branch deployments.
The more uncomfortable detail is that the flaw is unpatched while exploitation is already happening. That means defenders do not get the usual clean sequence of advisory, patch window, and orderly rollout. Instead, they need to identify exposure first and mitigate through access restrictions or feature disablement. Palo Alto’s guidance is to lock the Authentication Portal down to trusted zones only, or disable it entirely if it is not required.
This also highlights a broader security pattern. Firewall risk is no longer limited to packet filtering or management interfaces. Security appliances now ship with identity services, captive portals, remote access components, and workflow features that widen the attack surface around the device itself. When one of those services is vulnerable, the firewall can become the entry point rather than the barrier.
For defenders, the response should be operationally simple and urgent. Inventory PAN-OS devices, confirm whether the Authentication Portal is enabled, check whether it is externally reachable, restrict access immediately, and prepare to deploy Palo Alto fixes as soon as they are available. Security teams should also review logs and network telemetry for unusual requests targeting the portal, especially on internet-facing appliances.
Not every critical security advisory deserves a news post. This one does because it combines three things that rarely stay contained for long: exposed perimeter infrastructure, unauthenticated remote code execution, and confirmed active exploitation. For organizations using affected PAN-OS configurations, that is not background risk. It is a live incident-prevention problem.
Originally reported by BleepingComputer. Read the original article for additional details.