Palo Alto Networks has warned of a critical-severity vulnerability in the User-ID authentication portal (known as the Captive Portal) of PAN-OS that is already being exploited in targeted attacks. Identified as CVE-2026-0300, it is a buffer overflow that allows an unauthenticated attacker to run arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series devices by sending specially crafted packets.
Being able to run code as root on a firewall implies extreme risk: an attacker can disable controls, establish persistence, intercept or manipulate traffic, and use the compromised device as a pivot to move laterally within the network. Palo Alto has therefore rated the flaw at maximum severity and has indicated that there is already evidence of limited exploitation against authentication portals reachable from untrusted addresses or the public Internet.

If your organization uses PAN-OS, check immediately whether the authentication portal is enabled and exposed. Palo Alto provides technical details and initial recommendations in its official advisory: https://security.paloaltonetworks.com/CVE-2026-0300. It is also worth reviewing the specific Captive Portal configuration in the product's technical documentation to quickly identify and mitigate exposure: https://docs.paloaltonetworks.com/.../confire-captive-portal.
A worrying backdrop: Internet scanning services detect thousands of publicly reachable PAN-OS firewalls. Shadowserver, for example, reports more than 5,800 VM-Series firewalls exposed online, concentrated mainly in Asia and North America; that means the potential attack surface is large and that many organizations could be at risk until a patch or definitive mitigation is applied. See the public tracking here: https://dashboard.shadowserver.org/...
Until Palo Alto publishes a patch, the most urgent and practical measure is to reduce exposure: restrict access to the User-ID Authentication Portal to trusted network zones and, if you cannot guarantee such a restriction, disable the portal temporarily. This recommendation is consistent with established perimeter-management practice: never leave sensitive services reachable from untrusted networks without additional controls.
In addition to disabling or blocking access, implement compensating controls: apply access control list (ACL) rules at network edges and with transit providers to block access to the interface from public addresses, require VPNs or management tunnels for remote administration, and ensure that the firewall management interface is not directly exposed to the Internet. Prioritize event-log and device-integrity alerts for abnormal behaviour (unplanned reboots, unauthorized configuration changes, connections from suspicious IP addresses).

If you suspect compromise, follow a response plan: isolate the affected device from the network, collect forensic artifacts (system logs, configuration, traffic captures), do not trust the device image until it has been cleanly rebuilt from a known-good image, and rotate administrative credentials after recovery. Consider engaging an external forensic team and report the incident to the relevant parties as required by regulation and contracts.
This vulnerability fits a trend: in recent months several PAN-OS flaws have been exploited in the wild, showing that security devices with exposed interfaces are priority targets for attackers seeking persistent control. Since Palo Alto supplies a large share of global critical and corporate infrastructure, the potential impacts range from localized outages to breaches that compromise sensitive customer and employee information.
Finally, document and automate detection and mitigation: inventory all firewalls and authentication portals, prioritize those that are publicly exposed, apply interim access rules, and plan to apply the official patch as soon as it is available. Stay informed through the vendor's advisory and reputable intelligence feeds; the window between disclosure and mass exploitation can be short, so speed and operational discipline are key to minimizing impact.
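The two recommendations above (restrict the portal to trusted ranges or disable it, and inventory every firewall and prioritize the publicly exposed ones) can be turned into a repeatable triage step. The following is an added example written for this article, not code from Palo Alto Networks or from the advisory: it takes a constructed inventory of firewall interfaces (the hostnames, interface names, addresses, the `captive_portal` flag and the `allowed_sources` ACL field are all assumptions standing in for whatever a CMDB or configuration export would provide), classifies each interface by how reachable the portal is from untrusted sources, and orders the results so the most urgent ones come first.

```python
"""Triage of User-ID Authentication Portal (Captive Portal) exposure.

Added example: not code from Palo Alto Networks or from the article. The
inventory records, field names and trusted ranges are constructed for
illustration; a real inventory would come from the organization's CMDB or
from the firewalls' exported configuration.
"""
import ipaddress
from dataclasses import dataclass, field

# Source ranges from which the portal may legitimately be reached
# (constructed values: an RFC 1918 campus range and a VPN pool).
TRUSTED_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.100.0/24"),
]

# Address space that is not routable from the public Internet. We keep our
# own list instead of ipaddress.is_global because the RFC 5737 documentation
# blocks used as stand-ins for public addresses below are classed as
# non-global by the standard library.
NON_PUBLIC = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",  # loopback, link-local, CGNAT
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]


@dataclass
class PortalInterface:
    hostname: str
    interface: str
    address: str            # address configured on the interface
    captive_portal: bool    # authentication portal enabled on this interface?
    allowed_sources: list = field(default_factory=list)  # CIDRs permitted to reach it; empty = any


def is_public(address: str) -> bool:
    """True when the address lies outside every non-public block."""
    addr = ipaddress.ip_address(address)
    return not any(addr.version == n.version and addr in n for n in NON_PUBLIC)


def untrusted_sources(allowed: list) -> list:
    """Allowed CIDRs that are not fully contained in some trusted range."""
    result = []
    for cidr in allowed:
        net = ipaddress.ip_network(cidr, strict=False)
        covered = any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_RANGES)
        if not covered:
            result.append(cidr)
    return result


def classify(iface: PortalInterface) -> str:
    """Exposure level of one interface.

    critical    portal enabled on a public address and reachable from untrusted sources
    review      portal enabled and open to untrusted sources, but on a private address
                (NAT or port forwarding could still expose it; confirm before dismissing)
    restricted  portal enabled but only trusted ranges can reach it
    ok          portal not enabled on this interface
    """
    if not iface.captive_portal:
        return "ok"
    open_to_untrusted = not iface.allowed_sources or untrusted_sources(iface.allowed_sources)
    if not open_to_untrusted:
        return "restricted"
    return "critical" if is_public(iface.address) else "review"


ACTIONS = {
    "critical": "restrict the portal to trusted ranges now, or disable it until patched",
    "review": "confirm no NAT or forwarding rule exposes this interface, then restrict it",
    "restricted": "keep the restriction; apply the vendor patch when it is available",
    "ok": "no portal exposure on this interface",
}
ORDER = {"critical": 0, "review": 1, "restricted": 2, "ok": 3}


def triage(inventory: list) -> list:
    """Return (hostname, interface, level, action) tuples, most urgent first."""
    rows = []
    for iface in inventory:
        level = classify(iface)
        rows.append((iface.hostname, iface.interface, level, ACTIONS[level]))
    return sorted(rows, key=lambda r: ORDER[r[2]])


# Constructed inventory; 203.0.113.0/24 and 198.51.100.0/24 are documentation
# blocks standing in for public addresses.
SAMPLE_INVENTORY = [
    PortalInterface("fw-edge-01", "ethernet1/1", "203.0.113.10", True, []),
    PortalInterface("fw-edge-02", "ethernet1/1", "198.51.100.7", True, ["10.0.0.0/8"]),
    PortalInterface("fw-vm-03", "ethernet1/2", "192.168.5.1", True, ["0.0.0.0/0"]),
    PortalInterface("fw-dc-04", "ethernet1/3", "10.20.0.1", False, []),
]

if __name__ == "__main__":
    for host, ifname, level, action in triage(SAMPLE_INVENTORY):
        print(f"{level:10} {host}/{ifname}: {action}")
```

The "review" level exists because a portal on a private address with an any-source rule is not safe by itself: a NAT or port-forwarding rule upstream can make it reachable from the Internet, so such interfaces need a check against the edge configuration rather than being dropped from the list. Once the vendor patch ships, the same inventory is the list of devices to patch and re-verify.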