SANTA CLARA, California, May 7, 2026, 15:02 PDT
- Palo Alto Networks reported that threat actors have taken advantage of the critical PAN-OS firewall vulnerability, CVE-2026-0300.
- Customers will have to rely on mitigations for the time being, with fixes scheduled to roll out in phases starting May 13.
- Palo Alto shares climbed along with the rest of the cybersecurity group, even as the warning landed during a wider sector rally.
Palo Alto Networks flagged a critical vulnerability in its PAN-OS firewall software and told customers attackers have already exploited it. The company’s initial software patches aren’t set to arrive until May 13.
CVE-2026-0300, the bug in question, hits the User-ID Authentication Portal—or Captive Portal—on both PA-Series and VM-Series firewalls. Palo Alto Networks slapped it with a critical rating and a 9.3 severity score. The issue? Attackers without credentials could potentially execute code as root, handing them total control of any affected device, if they send specially crafted network packets.
The issue hits right at the network edge—these products sit between internal systems and the internet, where firewalls do the heavy lifting. With a zero-day like this, no complete patch is ready, so customers are stuck using workarounds for at least several days.
Palo Alto’s Unit 42 research team is calling the activity CL-STA-1132, describing it as a probable state-sponsored cluster. So far, they’ve only observed limited exploitation, according to their report. Attackers exploited the bug for remote code execution—RCE—executing commands remotely before planting shellcode in an nginx worker process and wiping logs along with other traces, the researchers said.
Rapid7 flagged that the vulnerability hits PA-Series and VM-Series appliances if the Authentication Portal is turned on; Prisma Access, Cloud NGFW, and Panorama don’t fall under that risk. Shodan, according to the security firm, turned up roughly 225,000 internet-facing PAN-OS instances—a number that signals broad exposure, though it doesn’t mean every system is at risk.
The U.S. Cybersecurity and Infrastructure Security Agency put the flaw on its Known Exploited Vulnerabilities list on May 6, according to Cybersecurity Dive. Palo Alto notified customers that initial patches are slated for May 13, with further updates coming May 28.
Palo Alto Networks is advising customers to limit Authentication Portal access to trusted internal zones for the time being, or to disable response pages on interfaces exposed to the internet. If the portal isn’t needed, just turn it off. The company also mentioned that users with a Threat Prevention subscription have the option to enable Threat ID 510019.
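For a team with dozens of firewalls, the useful question is which devices actually meet the exposure criteria above and which mitigation applies to each. The following script is an added example written for this article, not tooling from Palo Alto Networks or Rapid7: it applies the affected-product and mitigation rules as the article states them (PA-Series and VM-Series with the Authentication Portal enabled are in scope; Prisma Access, Cloud NGFW and Panorama are not; restrict the portal to trusted zones, disable response pages on internet-facing interfaces, turn the portal off if unused, and enable Threat ID 510019 where Threat Prevention is licensed) to a constructed inventory. The `Firewall` fields, zone names and device names are assumptions for the example; a real run would populate them from an existing asset inventory.

```python
from dataclasses import dataclass

# Product scope as summarised in the article (Rapid7's reading of the advisory).
AFFECTED_PLATFORMS = {"PA-Series", "VM-Series"}
UNAFFECTED_PLATFORMS = {"Prisma Access", "Cloud NGFW", "Panorama"}
THREAT_ID = "510019"  # Threat Prevention signature named in the advisory

@dataclass(frozen=True)
class Firewall:
    """One row of a constructed inventory; the field names are our own, not PAN-OS's."""
    name: str
    platform: str
    auth_portal_enabled: bool
    portal_zones: frozenset          # zones whose interfaces answer the Authentication Portal
    untrusted_zones: frozenset       # zones reachable from the internet
    response_pages_on_untrusted: bool
    has_threat_prevention: bool
    portal_required: bool = True     # False when nobody actually relies on the portal

PRIORITY_ORDER = {"critical": 0, "elevated": 1, "review": 2, "none": 3}

def assess(fw: Firewall) -> dict:
    """Classify one firewall against the CVE-2026-0300 exposure criteria and list the mitigations that apply."""
    actions = []
    if fw.platform in UNAFFECTED_PLATFORMS:
        return {"name": fw.name, "priority": "none", "forensic_review": False, "actions": actions}
    if fw.platform not in AFFECTED_PLATFORMS:
        # Unknown platform string: do not silently mark it safe.
        actions.append("confirm platform against the vendor advisory")
        return {"name": fw.name, "priority": "review", "forensic_review": False, "actions": actions}
    if not fw.auth_portal_enabled:
        actions.append("keep Authentication Portal disabled until patched")
        return {"name": fw.name, "priority": "none", "forensic_review": False, "actions": actions}

    # Portal is on: exposure depends on whether it answers in an internet-reachable zone.
    exposed_zones = fw.portal_zones & fw.untrusted_zones
    if not fw.portal_required:
        actions.append("disable the Authentication Portal (not in use)")
    if exposed_zones:
        actions.append(f"restrict portal to trusted internal zones (remove {sorted(exposed_zones)})")
        if fw.response_pages_on_untrusted:
            actions.append("disable response pages on internet-facing interfaces")
    if fw.has_threat_prevention:
        actions.append(f"enable Threat ID {THREAT_ID}")
    else:
        actions.append("no Threat Prevention subscription: signature mitigation unavailable")
    actions.append("apply vendor fix when released (phased from May 13)")

    priority = "critical" if exposed_zones else "elevated"
    # A portal that was reachable from an untrusted zone is a compromise candidate
    # until a forensic review says otherwise.
    return {"name": fw.name, "priority": priority,
            "forensic_review": bool(exposed_zones), "actions": actions}

def triage(inventory) -> list:
    """Assess every device and order the results from most to least urgent."""
    return sorted((assess(fw) for fw in inventory),
                  key=lambda r: (PRIORITY_ORDER[r["priority"]], r["name"]))

# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    Firewall("edge-fw-01", "PA-Series", True, frozenset({"untrust", "guest"}),
             frozenset({"untrust"}), True, True),
    Firewall("dc-fw-02", "VM-Series", True, frozenset({"corp-users"}),
             frozenset({"untrust"}), False, True, portal_required=False),
    Firewall("branch-fw-03", "PA-Series", False, frozenset(), frozenset({"untrust"}), False, False),
    Firewall("mgmt-pan-01", "Panorama", False, frozenset(), frozenset(), False, False),
]

if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['priority']:9} {r['name']:14} forensics={r['forensic_review']}")
        for a in r["actions"]:
            print("   -", a)
```

The ordering matters more than the labels: devices whose portal answers in an internet-reachable zone come first and are flagged for a compromise assessment, devices with the portal confined to internal zones are still affected and still need the patch, and devices with the portal off or on an out-of-scope platform drop to the bottom.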
Security experts warn the patch gap is raising risk levels. “Treat every internet-exposed PA-Series and VM-Series firewall as a compromise candidate until forensics prove otherwise,” Collin Hogue-Spears, senior director of solution management at Black Duck, told SC Media. Polygraf AI chief executive Yagub Rahimov described the activity as “a clear targeted operation.”
The real danger doesn’t stop at the first intrusion. According to Unit 42, after getting inside, attackers relied on open-source tunneling software like EarthWorm and ReverseSocks5. From there, they pivoted toward Active Directory—the Microsoft platform central to user and access controls in most organizations. That escalation can shift a simple firewall compromise into a much larger identity security mess.
But it all comes down to how many customers left the portal open to untrusted networks—and how quickly those mitigations get implemented. If attackers ramp up scanning activity before patches land, Palo Alto may be staring at a bigger cleanup and a tougher round of reputational questions, even with the company’s advisory pointing out that customers sticking to standard practice face less risk.
Palo Alto Networks saw its stock jump roughly 7% Thursday, changing hands close to $196.53. Cybersecurity stocks broadly moved higher, buoyed by Fortinet’s strong earnings and renewed investor appetite for AI-driven security software. According to MarketWatch, CrowdStrike and Zscaler posted gains as well, with Fortinet’s results lifting sentiment across the sector.
On one hand, a firewall exploit was running live. On the other, sector trades stayed lively. For Palo Alto Networks, the immediate concern isn’t so much what the stock does, but whether clients can actually seal the open portals ahead of the patch cycle.