
Critical Palo Alto PAN-OS Zero-Day Exploited in the Wild, Firewall RCE Risk Emerges

by Paul Balo
May 6, 2026
in Security

A critical vulnerability in Palo Alto Networks firewalls is now being actively exploited in the wild, and the most concerning part is that organizations don’t yet have a full patch available.

The flaw, tracked as CVE-2026-0300, affects PAN-OS, the operating system that powers Palo Alto’s widely used enterprise firewalls. Security researchers and the company itself have confirmed that attackers are already leveraging the bug in real-world attacks, targeting exposed systems on the internet.

This is not a minor issue.

The vulnerability is rated critical (CVSS 9.3) and allows an unauthenticated attacker to execute arbitrary code with root privileges, effectively giving full control over affected firewalls.

And in cybersecurity terms, that’s as bad as it gets.

Firewalls sit at the edge of enterprise networks. If compromised, they don’t just expose one system; they can become a gateway into everything behind them, from internal applications to sensitive data and communications.

What makes this attack particularly dangerous is how it works.

The flaw exists in the User-ID Authentication Portal (also known as the Captive Portal), a feature used to authenticate users on a network. By sending specially crafted packets to this portal, an attacker can trigger a buffer overflow and execute malicious code remotely without needing credentials or prior access. 

In other words, this is a remote, pre-authentication exploit, the kind attackers prioritize because it’s easier to scale and harder to detect early.

The risk is especially high for organisations that have this portal exposed to the public internet.

Palo Alto has emphasized that exploitation has so far been “limited” and targeted, but that typically signals early-stage attacks by sophisticated actors, often a precursor to broader campaigns once the vulnerability becomes widely known.

And there’s another problem.

There is currently no immediate patch available.

Palo Alto Networks says fixes are in progress, with the first round expected around mid-May and additional patches rolling out later in the month depending on the software version.

Until then, organizations are being urged to act quickly.

The company recommends either restricting access to the authentication portal to trusted internal networks or disabling it entirely if it’s not required. 
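
A defender-side check for the first of those mitigations, added here as an example (not code from the article or from Palo Alto Networks): it audits a configuration export for interface management profiles that serve response pages and flags any whose permitted-IP list is missing or reaches beyond trusted ranges. It assumes the portal is reached through such profiles; the sample XML is constructed and simplified, and the trusted ranges are placeholders to replace with your own.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed, simplified sample shaped like a PAN-OS XML configuration export.
SAMPLE_CONFIG = """
<config><devices><entry name="localhost.localdomain"><network><profiles>
 <interface-management-profile>
  <entry name="guest-portal"><response-pages>yes</response-pages></entry>
  <entry name="corp-portal"><response-pages>yes</response-pages>
   <permitted-ip><entry name="10.20.0.0/16"/></permitted-ip></entry>
  <entry name="partner-portal"><response-pages>yes</response-pages>
   <permitted-ip><entry name="10.30.0.0/16"/><entry name="198.51.100.0/24"/></permitted-ip></entry>
  <entry name="ping-only"><ping>yes</ping></entry>
 </interface-management-profile>
</profiles></network></entry></devices></config>
"""

# Assumption: the ranges your organisation treats as trusted internal networks.
TRUSTED = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_trusted(source, trusted):
    """True if a permitted-ip value (address or CIDR) lies inside a trusted range."""
    net = ipaddress.ip_network(source, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted)

def audit_portal_profiles(xml_text, trusted=TRUSTED):
    """Return {profile_name: finding} for profiles that serve response pages."""
    findings = {}
    root = ET.fromstring(xml_text)
    for prof in root.iterfind(".//interface-management-profile/entry"):
        if (prof.findtext("response-pages") or "").strip() != "yes":
            continue  # this profile does not serve portal/response pages
        sources = [e.get("name") for e in prof.iterfind("permitted-ip/entry")]
        if not sources:
            # No source list at all: nothing narrows who can reach the portal.
            findings[prof.get("name")] = "UNRESTRICTED: no permitted-ip list"
            continue
        outside = [s for s in sources if not is_trusted(s, trusted)]
        findings[prof.get("name")] = (
            "UNTRUSTED SOURCES: " + ", ".join(outside) if outside else "ok")
    return findings

if __name__ == "__main__":
    for name, finding in audit_portal_profiles(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```

A profile reported as `ok` still needs its zone and security policy reviewed; the check covers only the source restriction on the profile itself.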

That kind of mitigation can significantly reduce risk, but it also highlights a growing reality in cybersecurity.

Defenders are increasingly forced to respond to threats before fixes exist.

This isn’t an isolated case either.

Firewall and edge device vulnerabilities have become prime targets for attackers over the past few years, especially as organizations move more infrastructure online and rely on perimeter defenses to secure distributed systems.

And companies like Palo Alto Networks are particularly high-value targets.

Their products are deployed across governments, large enterprises, and critical infrastructure, meaning a single vulnerability can have widespread impact if exploited at scale.

The broader pattern is clear.

Attackers are focusing less on individual endpoints and more on infrastructure-level weaknesses, the systems that sit between users and the rest of the network.

Because if you control the gateway, you control everything behind it. For now, the immediate priority is mitigation.

But the longer-term implication is harder to ignore. As enterprise security becomes more complex and interconnected, vulnerabilities like this are becoming not just more dangerous but more inevitable.

And in that environment, the question isn’t just how quickly companies can patch.

It’s how quickly they can respond before attackers get there first.

Tags: CVE-2026-0300, palo alto networks, vulnerability
Paul Balo is the founder of TechBooky and a highly skilled wireless communications professional with a strong background in cloud computing, offering extensive experience in designing, implementing, and managing wireless communication systems.
