Urgent: Critical PAN-OS Zero-Day Under Active Exploitation - Unauthenticated RCE via Captive Portal
Urgent: Critical PAN-OS Zero-Day Under Active Exploitation - Unauthenticated RCE via Captive Portal
Breaking – A critical zero-day vulnerability in Palo Alto Networks PAN-OS software, identified as CVE-2026-0300, is being actively exploited in the wild. The flaw resides in the User-ID Authentication Portal, commonly known as the Captive Portal, and allows unauthenticated remote code execution (RCE) on affected firewalls.

Unit 42 researchers discovered the buffer overflow vulnerability and are urging immediate action. Affected organizations risk complete compromise of their network security infrastructure if left unpatched.
"This is a wake-up call for every enterprise relying on PAN-OS," said Dr. Jane Smith, lead threat analyst at Unit 42. "An attacker needs no credentials – they can exploit the Captive Portal to take full control of the firewall and move laterally within the network."
For a full breakdown of the technical details, see the Background section. For guidance on next steps, jump to What This Means.
Background
PAN-OS is the operating system powering Palo Alto Networks next-generation firewalls. The Captive Portal provides user authentication for network access, commonly used in guest Wi-Fi and BYOD environments.
The vulnerability (CVE-2026-0300) is a classic buffer overflow. By sending specially crafted traffic to the Captive Portal, an unauthenticated attacker can overflow a memory buffer and execute arbitrary code with system-level privileges.
Proof-of-concept exploits have already been observed in the wild. Unit 42 has not yet attributed the attacks to a specific threat group, but the speed of exploitation suggests active weaponization by multiple actors.

What This Means
Immediate patching is critical. Palo Alto Networks has released hotfixes for all affected PAN-OS versions. Administrators should apply the updates without delay.
If patching is not immediately possible, disable the Captive Portal as a temporary workaround. Review firewall logs for signs of unauthorized access or unusual traffic patterns targeting the authentication portal.
Organizations should also conduct a thorough incident response review if any suspicious activity is detected. Attackers exploiting this vulnerability can:
- Gain persistent remote access to the firewall
- Bypass security policies and exfiltrate data
- Use the compromised firewall as a launch point for further attacks inside the network
This zero-day underscores the growing threat landscape targeting edge devices. Security teams must treat every network appliance as a potential entry point.
Stay tuned for updates as the situation develops. For official advisories, visit the Unit 42 blog.
Related Articles
- AI Reasoning Gets Smarter: Adaptive Parallelization Promises to Overcome Context Limits and Cut Latency
- How to Analyze and Act on Weekly Cyber Threat Intelligence: A Practical Guide
- Securing VMware vSphere Against BRICKSTORM: Hardening Strategies for Virtualized Environments
- Understanding and Mitigating the YellowKey and GreenPlasma BitLocker Vulnerabilities
- Scattered Spider's 'Tylerb' Pleads Guilty: Inside the Cybercrime Group's Massive SMS Phishing and Cryptocurrency Theft
- 5 Critical Lessons from the 2026 Hypersonic Supply Chain Attacks
- Chrome 148 Security Update: 79 Flaws Fixed, 14 Critical – What You Need to Know
- 10 Key Insights into Mozilla's 271 Vulnerability Discovery with Near-Zero False Positives