Zero‑Day RCE in Palo Alto PAN‑OS (CVE‑2026‑0300) Exploited by State‑Sponsored Actors Threatens Enterprise Perimeters
What It Is – A newly disclosed buffer overflow (CVE‑2026‑0300) in the User‑ID Authentication Portal of Palo Alto Networks’ PAN‑OS allows unauthenticated attackers to achieve remote code execution on internet‑facing firewalls. Active exploitation has been observed in the wild, with threat intelligence linking the activity to state‑backed groups.
Exploitability – Exploits are confirmed in the wild; proof‑of‑concept packets have been shared by Palo Alto’s Unit 42. No vendor patch is available yet; CVSS v3.1 is estimated at 9.8 (Critical).
Affected Products – Palo Alto Networks PA‑Series hardware firewalls and VM‑Series virtual firewalls running PAN‑OS versions that expose the User‑ID Authentication Portal.
TPRM Impact –
- Compromise of a perimeter firewall can give attackers lateral movement into downstream corporate networks, exposing third‑party data.
- Tunneling tools deployed on compromised devices (EarthWorm, ReverseSocks5) give attackers persistent, long‑term access, increasing supply‑chain risk for any organization that relies on Palo Alto firewalls as a security control.
Recommended Actions –
- Immediately disable the User‑ID Authentication Portal if it is not required.
- Restrict portal access to trusted zones only and disable Response Pages on any L3 interface exposed to untrusted traffic.
- Deploy Palo Alto‑provided Threat Prevention signatures (requires a Threat Prevention subscription).
- Apply the published Indicators of Compromise (IOCs) to detect prior compromise.
- Accelerate internal change‑management to push the forthcoming patch as soon as it is released.
- Conduct a post‑compromise forensic review of firewall logs for evidence of the multi‑stage intrusion described by Unit 42.
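The following is an added audit script, not from the advisory, Unit 42 or Palo Alto, for the second action above: it reads a PAN‑OS configuration export and lists every L3 interface whose interface management profile enables Response Pages while the interface is bound to an untrusted zone (or to no zone at all). The element names used (interface‑management‑profile, response‑pages, layer3, zone member lists) and the sample configuration are assumptions modelled on the PAN‑OS config schema and should be checked against a real export.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like a PAN-OS running-config export (assumption: the
# element names follow the real schema; check them against your own export).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
 <network>
  <profiles><interface-management-profile>
   <entry name="allow-portal"><https>yes</https><response-pages>yes</response-pages></entry>
   <entry name="ping-only"><ping>yes</ping></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
   <entry name="ethernet1/1"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
   <entry name="ethernet1/2"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
   <entry name="ethernet1/3"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
   <entry name="ethernet1/4"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
  </ethernet></interface>
 </network>
 <vsys><entry name="vsys1"><zone>
  <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
  <entry name="trust"><network><layer3><member>ethernet1/2</member><member>ethernet1/3</member></layer3></network></entry>
 </zone></entry></vsys>
</entry></devices></config>"""

DEV = "devices/entry/"  # path prefix to the firewall's own config subtree

def find_exposed_response_pages(config_xml, trusted_zones):
    """Return (interface, zone, profile) for every L3 interface whose management
    profile enables Response Pages outside a trusted zone. An interface bound to
    no zone is reported as untrusted so that the check fails closed."""
    root = ET.fromstring(config_xml)
    # Management profiles that switch Response Pages on.
    rp_profiles = {
        p.get("name")
        for p in root.iterfind(DEV + "network/profiles/interface-management-profile/entry")
        if p.findtext("response-pages") == "yes"
    }
    # Interface -> zone, built from each zone's layer3 member list.
    zone_of = {}
    for zone in root.iterfind(DEV + "vsys/entry/zone/entry"):
        for member in zone.iterfind("network/layer3/member"):
            zone_of[member.text] = zone.get("name")
    findings = []
    for iface in root.iterfind(DEV + "network/interface/ethernet/entry"):
        profile = iface.findtext("layer3/interface-management-profile")
        if profile not in rp_profiles:
            continue
        zone = zone_of.get(iface.get("name"), "<unassigned>")
        if zone not in trusted_zones:
            findings.append((iface.get("name"), zone, profile))
    return sorted(findings)
```

Run it against `show config running` output saved as XML, passing the set of zone names you consider trusted; every row returned is an interface where the profile should be swapped for one without Response Pages.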
Source: Help Net Security – State‑sponsored hackers likely behind zero‑day attacks on Palo Alto firewalls