Palo Alto Networks — CVE-2026-0300 PAN-OS Firewall Zero-Day Actively Exploited

AI relevance: Organizations running AI inference pipelines, model-serving infrastructure, and agentic tooling behind PAN-OS firewalls face direct exposure — root-level firewall compromise enables lateral movement to model servers, training data stores, and agent orchestration systems.

Palo Alto Networks has confirmed active exploitation of CVE-2026-0300, a critical buffer overflow in the PAN-OS User-ID Authentication Portal (aka Captive Portal). The flaw allows unauthenticated, network-reachable attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets.

Key details

  • CVSS 4.0 score: 9.3 (Critical) — network-attackable, no authentication, no user interaction, automatable.
  • Limited exploitation has been observed targeting User-ID Authentication Portals exposed to untrusted IPs or the public internet.
  • Shadowserver tracks over 5,800 PAN-OS VM-Series firewalls exposed online, with the largest concentrations in Asia (2,466) and North America (1,998).
  • No patch available yet. Fixes are ETA May 13 for some release branches and May 28 for others across PAN-OS 10.2, 11.1, 11.2, and 12.1.
  • Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
  • This follows a pattern: PAN-OS firewalls have been repeatedly targeted with zero-days — November 2024 saw two chained zero-days compromise thousands of firewalls, followed by a DoS flaw in December and three more exploited flaws in February 2025.

Why it matters for AI operations

Palo Alto Networks serves 70,000+ customers including 90% of Fortune 10 companies and most major US banks — many of whom now run production AI workloads behind these firewalls. A root-level firewall compromise provides:

  • Direct network-level access to internal AI infrastructure (model servers, vector databases, agent orchestration platforms).
  • Ability to intercept or modify traffic between AI agents and their tool integrations (MCP servers, APIs, data stores).
  • Potential for training data exfiltration or model weight theft from internal repositories.
  • Platform for lateral movement into Kubernetes clusters hosting inference workloads.

What to do

  • Immediately verify whether your PAN-OS firewalls have the User-ID Authentication Portal enabled (Device > User Identification > Authentication Portal Settings).
  • Restrict access to the portal to trusted internal zones only, or disable it entirely if not needed.
  • Audit exposed firewalls — check Shadowserver and your own asset inventory for any PA/VM-Series instances with internet-facing management interfaces.
  • Monitor for indicators of compromise on firewalls protecting AI infrastructure, including unexpected root-level process execution and outbound data transfers from model servers.
  • Plan to patch as soon as fixes arrive (ETA May 13–28 depending on release branch).
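An added inventory-triage script (not from the advisory or Palo Alto Networks) that applies the scope above to a fleet of firewalls: platform, release branch, whether the User-ID Authentication Portal is enabled, and whether it listens on an untrusted zone. The trusted zone names and the sample inventory are assumptions; since no fixed build is published yet, every build on a listed branch is treated as unpatched.

```python
import re
from dataclasses import dataclass

# Scope as stated in the advisory: affected platforms and release branches.
AFFECTED_BRANCHES = {"10.2", "11.1", "11.2", "12.1"}
AFFECTED_PLATFORMS = {"PA-Series", "VM-Series"}
# Assumption: zone names that your own estate treats as trusted.
TRUSTED_ZONES = {"trust", "internal"}

@dataclass
class Firewall:
    name: str
    platform: str          # e.g. "PA-Series", "VM-Series", "Panorama"
    version: str           # PAN-OS version string, e.g. "11.1.4-h7"
    portal_enabled: bool   # User-ID Authentication Portal switched on?
    portal_zones: tuple    # zones from which the portal is reachable

def panos_branch(version: str) -> str:
    """Extract the release branch ("11.1") from a "11.1.4-h7"-style string."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return f"{m.group(1)}.{m.group(2)}"

def triage(fw: Firewall) -> str:
    """Rank one firewall against the CVE-2026-0300 exposure conditions."""
    if fw.platform not in AFFECTED_PLATFORMS:
        return "not-affected"            # Prisma Access, Cloud NGFW, Panorama
    if panos_branch(fw.version) not in AFFECTED_BRANCHES:
        return "review-branch"           # branch not named in the advisory
    if not fw.portal_enabled:
        return "mitigated-portal-off"    # portal disabled: surface removed
    if set(fw.portal_zones) <= TRUSTED_ZONES:
        return "restricted-monitor"      # trusted zones only: watch, then patch
    return "critical-exposed"            # portal reachable from an untrusted zone

# Verdicts in descending urgency, used to order the patch/mitigation queue.
ORDER = ("critical-exposed", "restricted-monitor", "review-branch",
         "mitigated-portal-off", "not-affected")

def prioritise(fleet):
    """Return (name, verdict) pairs, most urgent first."""
    pairs = [(fw.name, triage(fw)) for fw in fleet]
    return sorted(pairs, key=lambda p: ORDER.index(p[1]))

# Constructed sample inventory (not real hosts).
FLEET = [
    Firewall("edge-fw-1", "VM-Series", "11.1.4-h7", True, ("untrust", "trust")),
    Firewall("dc-fw-2", "PA-Series", "10.2.9-h1", True, ("trust",)),
    Firewall("lab-fw-3", "PA-Series", "11.2.3", False, ()),
    Firewall("panorama-1", "Panorama", "11.1.4", False, ()),
]
```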

Sources