Critical PAN-OS RCE (CVE‑2026‑0300) Actively Exploited, Granting Root Access and Enabling Espionage
What It Is — A newly disclosed buffer overflow in the User‑ID Authentication Portal of Palo Alto Networks’ PAN‑OS (CVE‑2026‑0300) allows an unauthenticated attacker to execute arbitrary code with root privileges. The flaw carries a CVSS 9.3 rating and is being leveraged in the wild.
Exploitability — Threat actors have been observed attempting exploitation as early as 9 April 2026. Proof‑of‑concept code is publicly available and active exploit kits are circulating.
Affected Products — Palo Alto Networks PAN‑OS (all versions prior to the vendor‑released patch for CVE‑2026‑0300).
TPRM Impact — Compromise of a firewall gives attackers full visibility into network traffic and the ability to exfiltrate data and pivot into downstream systems, creating a severe supply‑chain risk for any organization that relies on Palo Alto firewalls as a security control.
Recommended Actions —
- Deploy Palo Alto’s emergency patch for CVE‑2026‑0300 immediately.
- Block external access to the User‑ID Authentication Portal service until patched.
- Enable strict logging and alerting on authentication portal traffic and anomalous command execution.
- Update IDS/IPS signatures and threat‑intel feeds to detect exploitation attempts.
- Conduct a rapid risk assessment of all third‑party relationships that depend on PAN‑OS firewalls and verify remediation status.
Source: The Hacker News