Palo Alto Networks Security Manager dashboard displayed on a laptop with the Palo Alto Networks logo overlaid, illustrating the PAN-OS firewall vulnerability CVE-2026-0300

Palo Alto Firewall Flaw Lands on CISA Exploited-Vulnerability List

Threat actors pounce on Palo Alto’s PAN-OS software firewall flaw as customers wait for full fix.

A recently disclosed vulnerability in Palo Alto Networks firewall appliances is under active, though apparently limited, attack. On Wednesday, CISA added the flaw behind the attacks to its Known Exploited Vulnerabilities Catalog.

Researchers with Palo Alto’s Unit 42 threat intelligence team say they have observed targeted exploitation against internet-exposed PA-Series and VM-Series firewall appliances running vulnerable versions of PAN-OS software. The flaw, tracked as CVE-2026-0300, is a critical buffer overflow vulnerability with a CVSS 4.0 score of 9.3 that allows unauthenticated remote code execution with root privileges.

Unit 42 Tracks Likely State-Sponsored Exploitation

“Unit 42 is tracking CL-STA-1132, a cluster of likely state-sponsored threat activity exploiting CVE-2026-0300,” the team explained.

“The attacker behind this activity exploited CVE-2026-0300 to achieve unauthenticated remote code execution in PAN-OS software. Upon successful exploitation, the attacker was able to inject shellcode into an nginx worker process.”

PAN-OS is the underlying operating system used across Palo Alto Networks’ firewall platform and is widely deployed inside enterprises, government agencies, cloud environments and critical infrastructure networks. Palo Alto says it has more than 70,000 customers globally, including much of the Fortune 100.

The flaw is tied to the User-ID Authentication Portal, also known as the Captive Portal, a feature commonly used to authenticate guest users, contractors and unmanaged devices when the firewall cannot automatically map a user identity to network traffic. Researchers said the vulnerability affects multiple currently supported PAN-OS branches, including 10.2, 11.1, 11.2 and 12.1 releases.

Palo Alto Networks said an unauthenticated remote attacker can exploit vulnerable systems by sending specially crafted packets to exposed captive portal interfaces, allowing arbitrary code execution with root privileges on affected PA-Series and VM-Series firewalls. Cloud NGFW, Prisma Access and Panorama are not affected.

In short: Complete pwnage through an exposed captive portal. Successful exploitation could allow attackers to fully compromise the firewall, steal credentials, move laterally across internal networks, intercept traffic, tamper with security controls and establish long-term persistence inside enterprise environments.

As for the attackers themselves, Palo Alto is not publicly attributing the activity to a known nation-state or hacking group. Unit 42 describes CL-STA-1132 only as a “likely state-sponsored” cluster. Researchers say the activity showed signs of operational discipline, low-volume targeting and stealth-focused behavior more consistent with espionage operations than smash-and-grab cybercrime. Initial exploitation attempts reportedly date back to early April.

Mitigations Available While Patches Remain Pending

Steps toward mitigating exposure include restricting the User-ID Authentication Portal to trusted internal networks and disabling Response Pages on interfaces exposed to untrusted or internet-facing traffic. Palo Alto said the issue applies only to PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal.

That caveat somewhat narrows the blast radius. This is not a bug affecting every deployed Palo Alto firewall. But affected PAN-OS branches remain widely used across enterprise environments, particularly among organizations that have not yet upgraded from long-lived 10.2 and 11.x deployments still common in production networks.

Palo Alto has not fully patched all affected versions as of Thursday morning. The company said the first fixes are expected May 13 for some PAN-OS branches, with additional patches arriving May 28 for others. In the meantime, the company says customers who disable or isolate exposed captive portals and enable Threat ID 510019 protections through Advanced Threat Prevention can significantly reduce risk.

Attackers Used Open-Source Tools to Blend In and Evade Detection

Unit 42 says that after exploiting the firewall vulnerability, the attackers opted to use open-source penetration testing tools rather than proprietary malware. Researchers said the approach helped the intrusions blend into legitimate administrative activity and complicated attribution efforts.

“This technical choice, combined with a disciplined operational cadence of intermittent interactive sessions over a multiweek period, intentionally remained below the behavioral thresholds of most automated alerting systems,” Unit 42 explained.

Put more simply, the attackers moved slowly, used common admin-style tooling and avoided noisy malware behavior that would typically trigger automated detection systems.

“The lateral movement technique prioritized identity trust abuse over traditional network-layer pivoting, effectively reducing the attacker’s footprint.”

In practice, that means the attackers appeared to rely more heavily on stolen credentials, Active Directory trust relationships and legitimate authentication paths than aggressive scanning or obvious network tunneling activity. That approach tends to generate fewer alarms because much of the traffic can resemble normal administrator behavior.

Unit 42 said the attackers also conducted Active Directory enumeration using credentials likely obtained from the firewall, underscoring that the firewall compromise was not the endgame. It was the opening move.

Researchers have not disclosed how many organizations were compromised, whether data theft occurred or whether the attackers maintained persistent access after initial exploitation. But the operational style — quiet movement, credential harvesting and restrained tooling — suggests the focus may have been long-term network access rather than immediate disruption or ransomware deployment.

Third-party security firms quickly echoed Palo Alto’s warning, with researchers at Wiz, Arctic Wolf, Rapid7 and eSentire all publishing separate analyses confirming the severity of the flaw and the risk posed by internet-exposed captive portals.

Rapid7 noted that the vulnerable User-ID Authentication Portal is not enabled by default, somewhat limiting exposure, but warned that organizations using the feature should assume heightened attacker interest given the combination of remote, unauthenticated access and root-level code execution.

So far, the U.S. Cybersecurity and Infrastructure Security Agency has not added CVE-2026-0300 to its Known Exploited Vulnerabilities Catalog, despite Palo Alto confirming limited exploitation in the wild.

That may change if attacks broaden.

Within the cybersecurity community, the reaction has been cautious but familiar. PAN-OS vulnerabilities — particularly those involving internet-facing management or authentication components — have repeatedly attracted rapid attacker attention over the past several years, including exploitation campaigns tied to both ransomware groups and state-backed operators.

Several researchers on social media and industry forums compared the situation less to opportunistic mass scanning and more to the early phase of a targeted espionage campaign: limited victims, disciplined operations and careful use of legitimate administrative tooling designed to avoid detection.

Defenders Race the Clock on Incomplete Patch Coverage

The concern now is timing.

Because complete fixes for some PAN-OS branches are still pending, defenders are in the awkward position of relying heavily on mitigations, segmentation and threat prevention signatures while waiting for patches to fully land across supported versions.

Shaun Nichols is an IT news journalist. He has spent nearly 20 years covering the industry with a specialty in the cybersecurity
