Critical PAN-OS zero-day exploited for weeks, attackers gain root access to exposed firewalls

Palo Alto Networks warns that a critical PAN-OS zero-day in the User-ID Authentication Portal (CVE-2026-0300) has been exploited for nearly a month, enabling unauthenticated remote code execution with root privileges on Internet-exposed PA-Series and VM-Series firewalls. Attackers deployed the Earthworm and ReverseSocks5 tunneling tools, wiped logs to avoid detection, and targeted thousands of devices (Shadowserver cites over 5,400 exposed VM-Series firewalls). Cloud NGFW and Panorama are unaffected; patches are slated to begin rolling out on May 13. In the interim, restrict access to the portal or disable it. CISA added CVE-2026-0300 to KEV and ordered agencies to secure vulnerable devices by May 9.
- Palo Alto Networks firewall zero-day exploited for nearly a month (BleepingComputer)
- Threat Brief: Exploitation of PAN-OS Captive Portal Zero-Day for Unauthenticated Remote Code Execution (Unit 42)
- PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage (The Hacker News)
- Critical Buffer Overflow Vulnerability in PAN-OS Exploited in-the-Wild (wiz.io)
- Root-level RCE vulnerability in Palo Alto firewalls exploited (CVE-2026-0300) (Help Net Security)