Tag

Cve 2026 0300

All articles tagged with #cve 2026 0300

Critical PAN-OS zero-day exploited for weeks, attackers gain root access to exposed firewalls
security2 months ago

Critical PAN-OS zero-day exploited for weeks, attackers gain root access to exposed firewalls

Palo Alto Networks warns that a critical PAN-OS zero-day in the User-ID Authentication Portal (CVE-2026-0300) has been exploited for nearly a month, enabling unauthenticated remote code execution with root privileges on Internet-exposed PA-Series and VM-Series firewalls. Attackers deployed Earthworm and ReverseSocks5 tunneling tools, wiped logs to avoid detection, and targeting thousands of devices (Shadowserver cites over 5,400 exposed VM-series firewalls). Cloud NGFW and Panorama are unaffected; patches are slated to begin rolling out on May 13. In the interim, restrict access to or disable the portal. CISA added CVE-2026-0300 to KEV and ordered agencies to secure vulnerable devices by May 9.

Critical PAN-OS Flaw Under Active Exploitation Enabling Root RCE
security2 months ago

Critical PAN-OS Flaw Under Active Exploitation Enabling Root RCE

Palo Alto Networks warns of a critical buffer‑overflow flaw in PAN-OS User-ID Authentication Portal (CVE-2026-0300) that allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls; the bug is under active exploitation, with a CVSS of up to 9.3 when the portal is internet‑exposed and 8.7 otherwise, and PAN-OS 12.1 is listed as affected.

Wild PAN-OS Flaw Exposes Palo Alto Firewalls to Root Access
cyber-security-news2 months ago

Wild PAN-OS Flaw Exposes Palo Alto Firewalls to Root Access

A critical, unauthenticated buffer overflow in PAN-OS’s User-ID Authentication Portal (CVE-2026-0300) is being exploited in the wild to gain full root access on PA-Series and VM-Series firewalls. The flaw allows remote code execution with no credentials or user interaction over the network, affecting multiple PAN-OS versions (with some product exclusions). Patches are rolling out May 13–28, 2026; meanwhile, admins should restrict or disable internet-facing Authentication Portals and apply Threat Prevention signatures, and audit exposed configurations immediately.