# Palo Alto Networks Rushes Patch for Zero-Day Vulnerability Actively Exploited Against Enterprise Firewalls


Palo Alto Networks has disclosed a critical zero-day vulnerability in PAN-OS, the operating system that runs its widely deployed firewalls, that attackers have already exploited in the wild. The flaw, tracked as CVE-2026-0300, affects the Captive Portal service on PA-Series and VM-Series firewalls. Because exploitation is already under way, it presents an immediate threat to enterprise network perimeters and has prompted urgent calls for patching across the industry.


## The Threat


The vulnerability exists in the Captive Portal authentication service component of PAN-OS, a core operating system used by thousands of organizations globally to protect network perimeters. According to Palo Alto Networks' disclosure, the flaw allows unauthenticated remote attackers to exploit the service and potentially gain unauthorized access to affected systems.


Key vulnerability details:

  • CVE ID: CVE-2026-0300
  • Affected Products: PA-Series and VM-Series Palo Alto Networks firewalls running vulnerable PAN-OS versions (consult the vendor advisory for the exact version list)
  • Attack Vector: Network-based, requiring no authentication
  • Status: Actively exploited in the wild

Active exploitation does not change the flaw's base severity score, but it removes any grace period: the exploit is already in attackers' hands, so remediation becomes a critical priority rather than a scheduled task.


## Background and Context


Palo Alto Networks firewalls are among the most widely deployed next-generation firewalls (NGFWs) in enterprise environments worldwide. These systems serve as critical chokepoints in network architecture, inspecting and controlling traffic between internal networks and the internet. The Captive Portal feature (called Authentication Portal in recent PAN-OS releases) presents a web-based login page to users whose traffic the firewall cannot yet attribute to an identity, and is a standard component in many deployments, particularly those with remote workers, guest networks, or identity-based access policies.


This vulnerability is part of a concerning trend. Palo Alto Networks has disclosed multiple critical vulnerabilities in recent years, including prominent issues in GlobalProtect and other core components. Each disclosure underscores the elevated risk profile of internet-facing security appliances: they are reachable by design, they hold privileged positions in the network, and they are therefore high-value targets for sophisticated threat actors.


Why this matters now:

  • Firewalls are first-line defenses; compromise at this layer gives an attacker a privileged view of, and control over, traffic for the entire segment
  • The Captive Portal service must accept connections from unauthenticated users, so it is frequently reachable from untrusted networks
  • Confirmed exploitation means the flaw is already weaponized; defenders have no lead time
  • Firewall patching usually requires planning and maintenance windows, which prolongs the window of exposure

## Technical Details


Palo Alto Networks has withheld complete technical details to limit copycat exploitation before patches are widely deployed, so the analysis below is based on the company's advisory and on the general design of the affected component; the root cause has not been publicly confirmed.


The Captive Portal service handles authentication requests from users attempting to connect to networks through the firewall. It accepts unauthenticated HTTP(S) requests by design, which makes it an attractive pre-authentication attack surface. Based on the advisory's description, the flaw plausibly lies in input validation, authentication-bypass logic, or session handling within this component; by crafting malicious requests to the service, an attacker could bypass authentication entirely or achieve code execution on the firewall itself.


Attack scenario:

1. Attacker identifies a Palo Alto Networks firewall with an exposed Captive Portal service

2. Attacker sends specially crafted requests to the Captive Portal component

3. The vulnerability allows the attacker to bypass authentication or execute arbitrary commands on the firewall

4. From this position, the attacker can monitor traffic, modify the configuration, harvest credentials, or pivot deeper into the network


VM-Series firewalls run the same PAN-OS code as hardware appliances and are not inherently more vulnerable, but they are common in cloud and hybrid environments where interfaces are frequently exposed to the internet, so the population of reachable targets is likely larger.


## Implications for Organizations


The potential impact of a compromised Palo Alto Networks firewall extends far beyond the device itself. Firewalls sit at a critical juncture in network architecture and, when compromised, can provide attackers with:


Network access and surveillance:

  • Visibility into all network traffic flowing through the firewall
  • Ability to intercept and modify data in transit
  • Access to VPN connections and remote user sessions

Persistence and lateral movement:

  • Establishment of persistent backdoors within network infrastructure
  • Ability to modify firewall rules to maintain access
  • Positioning to launch attacks against internal systems and resources

Data exfiltration:

  • Undetected movement of sensitive data from protected networks
  • Ability to suppress or tamper with the firewall's own logging and alerting
  • Potential access to credentials and authentication tokens

Organizations running vulnerable versions of PAN-OS are at immediate risk, particularly those whose Captive Portal service is reachable from the internet or other untrusted networks, and those whose management interfaces are not segregated from user and guest networks.


## Patch and Remediation Status


Palo Alto Networks has confirmed it is actively developing patches for affected PAN-OS versions. Organizations should monitor the company's security advisories for the specific affected and fixed versions on each release train. Although the company normally ships fixes on its standard patch cycle, active exploitation makes expedited, out-of-band releases likely, and teams should be ready to deploy them as soon as they appear.


Immediate actions for affected organizations:

  • Assess exposure: Determine whether your organization runs PA-Series or VM-Series firewalls, record the PAN-OS version on each, and confirm which ones have Captive Portal enabled
  • Prioritize systems: Focus remediation efforts on internet-facing or externally accessible firewalls first
  • Apply patches urgently: Deploy fixes as soon as they are available, treating this as a critical security incident rather than routine maintenance
  • Implement compensating controls: If immediate patching is not feasible, restrict Captive Portal access to the zones and interfaces that genuinely need it, and disable the feature on firewalls where it is not used
  • Monitor for indicators: Watch for anomalous requests to the Captive Portal service, unusual traffic patterns, new administrator accounts, and unauthorized configuration changes

## Recommendations


Security teams should treat CVE-2026-0300 with the urgency it demands:


1. Immediate inventory: Document all PA-Series and VM-Series firewalls and their PAN-OS versions

2. Risk assessment: Determine which systems are internet-accessible or handle sensitive authentication scenarios

3. Patch planning: Develop a prioritized patching strategy that balances security risk with operational requirements

4. Detection and response: Implement network monitoring and IDS/IPS rules to detect exploitation attempts while patches are deployed, and review existing logs for signs of earlier compromise

5. Incident preparation: Establish incident response procedures in case exploitation is detected, including how to rebuild or replace a firewall whose integrity is in doubt

6. Vendor communication: Follow Palo Alto Networks' security updates closely for detailed patch guidance and any additional technical details
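As an added example (not Palo Alto Networks' code and not taken from the advisory), the script below implements the inventory and exposure-assessment steps described in this section and in the "Immediate actions" list above. It parses the XML that the PAN-OS XML API returns for the operational command `show system info`, extracts each device's hostname, model and `sw-version`, and classifies the device against a per-release-train fixed-in table. The fixed-in versions, hostnames and serial numbers in it are invented placeholders: substitute the fixed versions Palo Alto Networks publishes for CVE-2026-0300 before relying on the output.

```python
"""Triage a fleet of PAN-OS firewalls against a per-train fixed-in table.

Added example, not Palo Alto Networks code. Parses `show system info` XML
API responses and classifies each device as patched, vulnerable, or on a
release train the table does not cover.
"""
import re
import xml.etree.ElementTree as ET

# PLACEHOLDER fixed-in versions, keyed by release train.  These are made-up
# values for the example and are NOT taken from any Palo Alto Networks
# advisory.  Replace them with the fixed versions published for CVE-2026-0300.
FIXED_IN_PLACEHOLDER = {
    "10.2": "10.2.9-h1",
    "11.1": "11.1.4-h7",
}

# PAN-OS versions look like 10.2.7 or 11.1.4-h7 (the -h suffix is a hotfix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix) so versions compare as tuples."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def release_train(version):
    """'10.2.7' -> '10.2'; vendor fixes are published per train, so triage is per train."""
    major, minor, _, _ = parse_panos_version(version)
    return f"{major}.{minor}"


def triage_version(version, fixed_in=FIXED_IN_PLACEHOLDER):
    """Classify one sw-version as 'patched', 'vulnerable' or 'unknown-train'.

    A train missing from the table is reported as unknown rather than silently
    treated as safe; it needs a human to check the advisory.
    """
    fixed = fixed_in.get(release_train(version))
    if fixed is None:
        return "unknown-train"
    if parse_panos_version(version) >= parse_panos_version(fixed):
        return "patched"
    return "vulnerable"


def parse_system_info(xml_text):
    """Extract hostname, model and sw-version from a `show system info` response."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise ValueError("XML API call did not succeed")
    system = root.find("./result/system")
    if system is None:
        raise ValueError("response has no <result><system> element")
    return {
        "hostname": system.findtext("hostname"),
        "model": system.findtext("model"),
        "sw-version": system.findtext("sw-version"),
    }


_SEVERITY_ORDER = {"vulnerable": 0, "unknown-train": 1, "patched": 2}


def triage_fleet(xml_responses, fixed_in=FIXED_IN_PLACEHOLDER):
    """Triage many responses; vulnerable devices sort first so they are patched first."""
    rows = []
    for xml_text in xml_responses:
        info = parse_system_info(xml_text)
        info["status"] = triage_version(info["sw-version"], fixed_in)
        rows.append(info)
    rows.sort(key=lambda r: (_SEVERITY_ORDER[r["status"]], r["hostname"]))
    return rows


# Constructed sample responses in the shape the XML API returns; hostnames,
# serials and versions are invented for this example.
SAMPLE_RESPONSES = [
    """<response status="success"><result><system>
         <hostname>fw-edge-01</hostname><model>PA-3260</model>
         <serial>000000000001</serial><sw-version>10.2.7</sw-version>
       </system></result></response>""",
    """<response status="success"><result><system>
         <hostname>fw-cloud-02</hostname><model>PA-VM</model>
         <serial>000000000002</serial><sw-version>11.1.4-h7</sw-version>
       </system></result></response>""",
    """<response status="success"><result><system>
         <hostname>fw-edge-03</hostname><model>PA-3260</model>
         <serial>000000000003</serial><sw-version>10.2.9</sw-version>
       </system></result></response>""",
    """<response status="success"><result><system>
         <hostname>fw-lab-01</hostname><model>PA-VM</model>
         <serial>000000000004</serial><sw-version>9.1.16</sw-version>
       </system></result></response>""",
]

if __name__ == "__main__":
    for row in triage_fleet(SAMPLE_RESPONSES):
        print(f"{row['status']:<14} {row['hostname']:<12} {row['model']:<8} {row['sw-version']}")
```

Two details matter in practice. First, the hotfix number is part of the comparison: `10.2.9` is still flagged vulnerable when the fix is `10.2.9-h1`, which is exactly the case a naive "major.minor.maintenance" check gets wrong. Second, a release train absent from the table is reported as `unknown-train` rather than assumed safe, so end-of-life or forgotten trains surface for manual review instead of disappearing from the list. Against live devices, each response would be fetched over HTTPS from a management host using an API key; the parsing and classification are unchanged.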


This vulnerability underscores the critical importance of maintaining up-to-date security appliances and establishing robust processes for rapid patch deployment when zero-day vulnerabilities are disclosed.