Breaking: PAN-OS Zero-Day Under Active Exploitation — 8 May 2026
Palo Alto Networks has disclosed CVE-2026-0300, a critical out-of-bounds write vulnerability in the User-ID Authentication Portal (Captive Portal) of PAN-OS. The flaw allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on 6 May with a three-day remediation deadline of 9 May, signalling the urgency.
Palo Alto Networks has confirmed limited exploitation in the wild, specifically targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. Organisations that restrict the portal to trusted internal networks, as per long-standing best practice, face significantly reduced risk. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
The vulnerability spans a wide range of PAN-OS versions: 10.2 through 12.1. A hotfix is not yet available. Palo Alto has released Threat ID 510019 (content version 9097-10022) for customers with a Threat Prevention subscription running PAN-OS 11.1 or later. For everyone else, the immediate mitigation is to restrict User-ID Authentication Portal access to trusted zones only or disable it entirely if not required.
Also added to the KEV catalog this week: CVE-2026-6973, an improper input validation flaw in Ivanti Endpoint Manager Mobile (EPMM) that allows a remotely authenticated admin user to achieve remote code execution. Ivanti published its advisory on 7 May. The requirement for admin credentials makes this less immediately exploitable than the PAN-OS flaw, but it remains a concern for any organisation running EPMM with exposed admin interfaces.
What to Do Now
For PAN-OS: Audit all firewall configurations for User-ID Authentication Portal exposure. If the portal is reachable from untrusted networks, restrict it to trusted zones immediately. Enable Threat ID 510019 if you run Threat Prevention on PAN-OS 11.1+. Track the Palo Alto advisory for the upcoming patch and plan emergency maintenance windows.
For Ivanti EPMM: Apply the vendor patch and review admin access controls.
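An added example, not code from Palo Alto Networks or from this article: a Python triage pass over a firewall inventory that applies the affected range and mitigations stated above. The record field names and sample devices are constructed, and it assumes content releases after 9097-10022 still carry the signature.

```python
import re

# Values below are taken from the article; record field names are hypothetical.
AFFECTED = ((10, 2), (12, 1))        # PAN-OS 10.2 through 12.1
SIG_MIN_PANOS = (11, 1)              # Threat ID 510019 needs PAN-OS 11.1 or later
SIG_MIN_CONTENT = (9097, 10022)      # content version 9097-10022
UNAFFECTED = {"prisma access", "cloud ngfw", "panorama"}

def release(panos):
    """'11.1.4-h7' -> (11, 1); only the major.minor release is compared."""
    m = re.match(r"(\d+)\.(\d+)", panos)
    if not m:
        raise ValueError(f"unparseable PAN-OS version: {panos!r}")
    return int(m.group(1)), int(m.group(2))

def content(version):
    """'9097-10022' -> (9097, 10022) so content versions compare numerically."""
    major, build = version.split("-")
    return int(major), int(build)

def triage(dev):
    """Return (priority, [actions]) for one inventory record."""
    if dev["product"].lower() in UNAFFECTED:
        return "none", ["product not affected"]
    rel = release(dev["panos"])
    if not AFFECTED[0] <= rel <= AFFECTED[1]:
        return "review", ["release outside 10.2-12.1; check the vendor advisory"]
    if not dev["portal_enabled"]:
        return "low", ["portal disabled; track the patch"]
    actions = []
    if dev["portal_untrusted"]:
        actions.append("restrict portal to trusted zones or disable it")
    if dev["threat_prevention"] and rel >= SIG_MIN_PANOS:
        # Assumption: content releases after 9097-10022 still carry the signature.
        if content(dev["content"]) < SIG_MIN_CONTENT:
            actions.append("update content to 9097-10022 or later")
        actions.append("confirm Threat ID 510019 is enabled")
    actions.append("track the patch and plan a maintenance window")
    return ("urgent" if dev["portal_untrusted"] else "medium"), actions

FIELDS = ("name", "product", "panos", "portal_enabled", "portal_untrusted",
          "threat_prevention", "content")
INVENTORY = [dict(zip(FIELDS, row)) for row in [   # constructed sample records
    ("edge-fw1", "PA-Series", "10.2.9-h1", True, True, True, "9090-9001"),
    ("dc-fw2", "VM-Series", "11.1.4", True, False, True, "9090-9001"),
    ("mgmt1", "Panorama", "11.1.4", False, False, False, "9090-9001"),
]]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["name"], *triage(dev), sep=" | ")
```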

