CISA Warns of Palo Alto PAN-OS Vulnerability Exploited to Gain Root Access

In Cybersecurity News - Original News Source is cybersecuritynews.com by Blog Writer

CISA has issued an urgent warning regarding a critical vulnerability in Palo Alto Networks PAN-OS.

Tracked as CVE-2026-0300, this severe security flaw was recently added to CISA’s Known Exploited Vulnerabilities catalog on May 6, 2026.

The vulnerability allows unauthenticated threat actors to execute arbitrary code and gain root privileges on affected firewall appliances, prompting immediate defensive action from network administrators and security teams globally.

At the core of CVE-2026-0300 is an out-of-bounds write vulnerability in the PAN-OS User-ID Authentication Portal, commonly known as the Captive Portal service.

Classified as CWE-787, this memory corruption flaw occurs when the software writes data beyond the intended memory buffer boundary.
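To make the CWE-787 pattern concrete, the following C snippet is an added illustration written for this article; it is not code from PAN-OS or from Palo Alto Networks, and nothing in it reflects how the actual Captive Portal flaw works. It contrasts a hypothetical form-field copy that never checks the destination size (the out-of-bounds write) with a length-checked version that rejects oversized input. The buffer size, request strings and function names are all constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Fixed-size field that a hypothetical portal handler stores a submitted
 * form value in. FIELD_MAX is a constructed value for this example. */
#define FIELD_MAX 16

/* CWE-787 pattern: the incoming value's length is never compared with the
 * destination capacity, so any value of FIELD_MAX or more bytes is written
 * past the end of `dst`. Shown only to contrast with the checked version;
 * it must never be used on untrusted input. */
void copy_field_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);   /* writes strlen(src)+1 bytes whatever dst's size is */
}

/* Hardened version: the caller supplies the destination capacity, the copy
 * is refused when the value plus its terminating NUL would not fit, and the
 * outcome is reported instead of silently truncating or overflowing.
 * Returns the number of bytes copied (excluding the NUL), or -1 on rejection. */
int copy_field_checked(char *dst, size_t dst_cap, const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_cap == 0)
        return -1;
    if (src_len >= dst_cap)   /* room for the NUL is required */
        return -1;
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return (int)src_len;
}

/* Simulated handling of one submitted parameter: locate the value after
 * "user=" in a constructed request fragment and store it with bounds checks.
 * Returns the stored length, or -1 if the parameter is absent or too long. */
int handle_user_param(const char *request, char *out, size_t out_cap)
{
    const char *prefix = "user=";
    const char *p = strstr(request, prefix);
    if (p == NULL)
        return -1;
    p += strlen(prefix);
    const char *end = strchr(p, '&');
    size_t len = end ? (size_t)(end - p) : strlen(p);
    return copy_field_checked(out, out_cap, p, len);
}

int main(void)
{
    char field[FIELD_MAX];
    /* Constructed inputs: one value that fits and one that does not. */
    const char *ok = "user=alice&pass=x";
    const char *oversized = "user=aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa&pass=x";

    printf("short value -> %d\n", handle_user_param(ok, field, sizeof field));
    printf("long value  -> %d\n", handle_user_param(oversized, field, sizeof field));
    return 0;
}
```

The design point is that the checked function takes the capacity as an explicit parameter and treats "does not fit" as an error the caller must handle, rather than relying on the input being well-formed. That is the property a network-facing parser needs, and it is also what makes unit-testing the boundary (exactly FIELD_MAX - 1 bytes accepted, FIELD_MAX bytes rejected) straightforward.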

Threat actors exploit this vulnerability by sending specially crafted packets to an exposed Captive Portal service.

If successful, the exploit grants the attacker the ability to execute arbitrary code with root-level privileges.

This extensive level of access completely compromises the security appliance. Attackers operating with root permissions can easily bypass established security policies, intercept sensitive network traffic, alter configuration files, or use the compromised firewall as a pivot point to launch further attacks deep into the internal network.

The vulnerability affects both the physical PA-Series and the virtualized VM-Series firewalls running vulnerable versions of PAN-OS.

Active Exploitation and Threat Landscape

By adding this flaw to its active exploitation catalog, CISA confirms that threat actors are exploiting it in real-world attacks.

While security researchers state that it is currently unknown if the exploit is being leveraged in active ransomware campaigns, the severity of unauthenticated root access makes this vulnerability highly dangerous.

Network edge devices, such as Palo Alto firewalls, are highly valuable targets for advanced persistent threats because they reside outside traditional internal security perimeters, providing a direct gateway into corporate environments.

Federal Civilian Executive Branch agencies are legally mandated under Binding Operational Directive (BOD) 22-01 to secure their systems against this specific threat by a strict deadline of May 9, 2026.

Because an official permanent patch from Palo Alto Networks is pending release, organizations must immediately implement temporary workarounds to protect their environments.

Security teams should immediately restrict network access to the User-ID Authentication Portal and ensure it is reachable only from strictly trusted internal zones, not from the public internet.

Organizations must maintain high alert, monitor official vendor communications closely, and prepare to deploy the official firmware update the moment it becomes available to the public.
