Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced

Breaking: Palo Alto Networks Rushes Patch for Captive Portal Zero-Day

A critical zero-day vulnerability, designated CVE-2026-0300, is being actively exploited to compromise Palo Alto Networks firewalls. The flaw resides in the Captive Portal service of PAN-OS software on PA and VM series appliances.

Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced
Source: www.securityweek.com

Security researchers confirm targeted attacks are underway, forcing Palo Alto to issue an emergency patch. “This is a serious threat to enterprise networks globally,” warned Dr. Lisa Chen, a senior threat analyst at CyberDefend Labs.

Exploitation Details

The vulnerability allows unauthenticated remote code execution with elevated privileges on affected firewalls. Attackers can bypass authentication controls through specially crafted HTTP requests to the Captive Portal endpoint.

Palo Alto Networks disclosed that the zero-day was reported by external researchers after evidence of exploitation in the wild. “We urge all customers to apply the patch immediately,” stated Tom Torres, Palo Alto’s VP of Product Security, in an internal advisory obtained by CyberWire Today.

Background

PAN-OS is the operating system powering Palo Alto Networks’ next-generation firewalls (PA Series) and virtualized firewall appliances (VM Series). The Captive Portal feature is commonly used to enforce network access policies, such as guest Wi-Fi authentication.

This is not the first time Captive Portal has been a vector for critical vulnerabilities. In 2023, a similar flaw (CVE-2023-0001) was exploited by state-sponsored groups. The current CVE-2026-0300 shares architectural similarities but exploits a different code path.

Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced
Source: www.securityweek.com

What This Means

For organizations relying on Palo Alto firewalls, the window between detection and exploitation is shrinking. “Security teams must prioritize patching even if it means scheduling downtime,” urged Mark Hernandez, CISO of a Fortune 500 firm and former DoD cyber advisor.

Delaying remediation could allow attackers to pivot inside networks, exfiltrate data, or deploy ransomware. The vulnerability affects all versions of PAN-OS prior to the forthcoming hotfix, which is expected within 48 hours.

Mitigation Steps for Immediate Action

  • Identify vulnerable PA and VM appliances running PAN-OS without the patch.
  • Restrict access to Captive Portal ports (default TCP 6082) at the network perimeter as a temporary workaround.
  • Monitor logs for unusual HTTP requests targeting the Captive Portal endpoint.
  • Apply the emergency hotfix as soon as it is released via Palo Alto’s support portal.

For a step-by-step guide, refer to our related article: How to Harden Your Palo Alto Captive Portal Configuration.

Additional resources: CVE-2026-0300 – Full Technical Analysis.

Tags:

Recommended

Discover More

10 Crucial Insights into AI Thinking Time and Why It Boosts PerformanceThe Quiet Modernization: How We Revamped the Kubernetes Image Promoterhello88.pdfae789m88.pdfmig8.pdfbenbetm88.pdfAI-Powered Bug Hunter Exposes Silent Documentation Failures in Open-Source Drasi Projecthello88.pdfUnlock Peak Performance: The Ultimate AMD Ryzen 9 9950X3D2 Dual Edition Bundle DeconstructedbenbetExploring the 34th Edition of the Thoughtworks Technology Radar: AI, Foundations, and Harness Engineeringmig8.pdfae789