Critical Palo Alto PAN-OS Zero-Day (CVE-2026-0300): What SMBs Must Do Now

A critical, unauthenticated remote code execution vulnerability in Palo Alto Networks firewalls is being actively exploited by state-sponsored attackers right now — and patches are not yet available. If your business uses a Palo Alto PA-Series or VM-Series firewall, action is required immediately.

What Happened

On May 6, 2026, Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow vulnerability (CWE-787) in the User-ID Authentication Portal (Captive Portal) service of PAN-OS — the operating system that runs all Palo Alto PA-Series and VM-Series firewalls.

CVE ID: CVE-2026-0300
CVSS Score: 9.3 / 10 — Critical (CVSSv4.0)
Vulnerability Type: Buffer Overflow / Out-of-bounds Write (CWE-787)
Authentication Required: None — unauthenticated attack
User Interaction Required: None
Disclosure Date: May 6, 2026
CISA KEV Added: May 6, 2026
Actively Exploited: ✅ Yes — confirmed by Palo Alto Unit 42
Patches Available: ⚠️ Not yet — first wave expected May 13, 2026

The vulnerability resides in how PAN-OS handles incoming packets to the Authentication Portal service. An attacker can send specially crafted network packets that overflow a memory buffer, injecting shellcode into an nginx worker process running on the firewall — with root privileges. No login credentials are needed. No user interaction is required. Exploitation can be automated.

Palo Alto Networks’ own threat research team, Unit 42, confirmed active exploitation by a threat cluster designated CL-STA-1132 — assessed as a likely state-sponsored group. After gaining root access to compromised firewalls, this group deployed open-source tunneling tools (EarthWorm and ReverseSocks5) to establish persistent covert channels, performed Active Directory enumeration using credentials harvested directly from the firewall, moved laterally through victim networks using SAML authentication abuse, and systematically deleted log files and forensic evidence to hinder detection and response.

Affected Systems

The vulnerability affects all Palo Alto Networks PA-Series hardware firewalls and VM-Series virtual firewalls running PAN-OS with the User-ID Authentication Portal feature enabled and accessible from untrusted networks. Specific vulnerable version ranges include:

  • PAN-OS 10.2.x — all versions prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
  • PAN-OS 11.1.x — all versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  • PAN-OS 11.2.x — all versions prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
  • PAN-OS 12.1.x — all versions prior to 12.1.4-h5 and 12.1.7

Not affected: Prisma Access, Cloud NGFW, Panorama appliances, and any firewall where the User-ID Authentication Portal is disabled or restricted to trusted internal zones only.

Who Is at Risk

This vulnerability is particularly relevant to small and medium-sized businesses that:

  • Use Palo Alto Networks PA-Series hardware firewalls as their primary network perimeter security device
  • Have deployed VM-Series virtual firewalls in on-premises data centers or private cloud environments
  • Enabled the User-ID Authentication Portal (Captive Portal) feature — commonly used for guest Wi-Fi, employee identity verification, or user-based policy enforcement
  • Have not restricted Authentication Portal access to internal IP ranges only

Palo Alto firewalls are widely deployed by mid-market and growing SMBs that have outgrown basic consumer-grade firewalls and invested in enterprise-class network security. Industries commonly running this equipment include professional services firms, healthcare practices, financial services, legal offices, manufacturing companies, and technology businesses — all of which are also high-value targets for ransomware and data theft.

SMB Impact: What This Means for Your Business

A firewall is supposed to be the front line of your network defense — the barrier between the public internet and everything else. CVE-2026-0300 effectively eliminates that barrier.

When an attacker achieves unauthenticated root access to your firewall, the consequences cascade rapidly:

  • Complete network visibility. The attacker can see all traffic flowing through the firewall — encrypted or not — including credentials, financial data, and communications.
  • Lateral movement into your network. CL-STA-1132 specifically used stolen firewall credentials to enumerate your Active Directory, map your servers, and move laterally to high-value systems.
  • Ransomware deployment risk. A compromised perimeter device is a prime staging point for ransomware actors to deploy payloads across the entire network.
  • Data exfiltration. Tunneling tools like EarthWorm provide persistent, covert outbound channels attackers use to steal data over time.
  • Destroyed evidence. Because CL-STA-1132 deletes logs from compromised firewalls, affected organizations may not know they were breached until damage is already done.
  • Regulatory exposure. For businesses handling personal data, healthcare records, or financial information, a breach traced to an unpatched, known-exploited vulnerability could carry significant compliance and legal consequences.

The CISA Known Exploited Vulnerabilities (KEV) catalog listing on the same day as disclosure — May 6, 2026 — signals that this is not a theoretical risk. CISA only adds vulnerabilities to KEV when active exploitation is confirmed.

Remediation Checklist: What to Do Right Now

Because patches are not yet released (first wave expected around May 13, 2026), immediate mitigation steps are the only option available today. Work through this checklist in order:

  1. Determine your exposure. Log in to your Palo Alto firewall and navigate to Device > User Identification > Authentication Portal Settings. If “Enable Authentication Portal” is unchecked, your firewall does not have this attack surface exposed. If it is checked, proceed to step 2 immediately.
  2. Restrict Authentication Portal access to trusted zones only. If the portal is enabled and necessary for operations, follow Palo Alto’s best practice guidance to limit portal access to trusted internal IP ranges only. Do not allow the Authentication Portal to be reachable from the internet or any untrusted network segment. Reference: Palo Alto Knowledge Base.
  3. Disable the Authentication Portal if it is not actively needed. Navigate to Device > User Identification > Authentication Portal Settings and uncheck “Enable Authentication Portal.” If your organization does not actively rely on this feature, disabling it eliminates the attack surface entirely.
  4. Enable the Threat Prevention signature (PAN-OS 11.1+ only). If you are running PAN-OS 11.1 or later, enable Threat Prevention Signature Threat ID 510019, released in Applications and Threats content version 9097-10022 on May 5, 2026. This signature actively blocks known exploitation attempts.
  5. Review firewall logs for signs of compromise. Look for anomalous inbound traffic patterns to the Captive Portal service and unexpected process activity on the firewall. If your firewall was internet-exposed with the Authentication Portal enabled, treat it as potentially compromised until mitigated and investigated.
  6. Look for post-exploitation indicators. If compromise is suspected, look for: EarthWorm or ReverseSocks5 tools present on the firewall, unexpected outbound connections from the firewall, Active Directory enumeration activity originating from firewall service account credentials, and deleted or modified log files.
  7. Apply patches as soon as they are released. Monitor the official Palo Alto Security Advisory at security.paloaltonetworks.com/CVE-2026-0300 for patch release confirmation. The first wave of hotfixes is expected around May 13, 2026. Apply patches promptly once confirmed available.
  8. After patching, maintain zone restrictions. Even on patched versions, the Authentication Portal should never be internet-facing. Enforce internal zone restrictions as a permanent configuration standard.
  9. Audit all firewall instances in your environment. If you manage multiple Palo Alto firewalls, document which are running affected PAN-OS versions and which have Authentication Portal enabled. Prioritize internet-exposed instances.
  10. Rotate firewall service account credentials. If your firewall was internet-exposed with the portal enabled, rotate Active Directory credentials associated with the firewall service account immediately. CL-STA-1132 specifically targeted these credentials for lateral movement.
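One way to carry out step 9 across a fleet, as an added example that is not from the original post or from Palo Alto Networks: the Python below encodes the fixed-release list from the Affected Systems section, classifies any PAN-OS version string against it, and ranks an inventory so that unpatched firewalls with an internet-exposed Authentication Portal come first. It assumes that maintenance releases newer than the last listed hotfix in a train carry the fix (a convention, not something the post states), and the inventory rows are constructed sample data.

```python
import re
from typing import NamedTuple
# First fixed release per train, copied from the version list above
# (transcribed for this example; verify against the vendor advisory).
FIXED_RELEASES = {
    (10, 2): ("10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"),
    (11, 1): ("11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"),
    (11, 2): ("11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"),
    (12, 1): ("12.1.4-h5", "12.1.7"),
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")
PanOsVersion = NamedTuple("PanOsVersion", [("major", int), ("minor", int), ("maint", int), ("hotfix", int)])

def parse_version(text: str) -> PanOsVersion:
    """Parse '11.1.4-h33' or '11.1.15' (hotfix is 0 when there is no -hN suffix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))

def assess(version_text: str) -> str:
    """Return 'fixed', 'affected' or 'unlisted' for one PAN-OS version."""
    v = parse_version(version_text)
    fixes = FIXED_RELEASES.get((v.major, v.minor))
    if fixes is None:
        return "unlisted"  # train not on this page; consult the advisory
    fixed = [parse_version(f) for f in fixes]
    for f in fixed:  # same maintenance release: compare hotfix level
        if f.maint == v.maint:
            return "fixed" if v.hotfix >= f.hotfix else "affected"
    # Assumption: maintenance releases newer than the last listed fix carry
    # it; older ones without a listed hotfix remain vulnerable (e.g. 10.2.8).
    return "fixed" if v.maint > max(f.maint for f in fixed) else "affected"

def triage(inventory):
    """Rank (name, version, portal_enabled, internet_exposed) rows, most urgent first."""
    rows = []
    for name, version, portal, exposed in inventory:
        unpatched = (status := assess(version)) != "fixed"
        # 3 = exposed portal on unpatched code (mitigate now), 2 = internal-only portal on unpatched code, 1 = unpatched, portal off, 0 = fixed
        prio = 3 if portal and exposed and unpatched else 2 if portal and unpatched else 1 if unpatched else 0
        rows.append((prio, name, status))
    return sorted(rows, key=lambda r: (-r[0], r[1]))

# Constructed sample inventory (name, version, portal_enabled, internet_exposed).
SAMPLE_INVENTORY = (
    ("fw-edge", "11.1.4-h10", True, True), ("fw-dc", "11.2.5", True, False),
    ("fw-lab", "12.1.3", False, False), ("fw-branch", "10.2.7-h34", True, True),
)
```

Feed `triage()` the output of your own inventory export; a priority-3 row is a firewall that needs step 2 or 3 applied today, not at patch time.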

Strategic Recommendations

Beyond the immediate remediation steps above, this vulnerability underscores several longer-term security posture improvements worth prioritizing:

  • Establish a vulnerability management program. CVE-2026-0300 was added to CISA KEV and confirmed actively exploited on the same day it was disclosed. Organizations without a process for monitoring security advisories and acting quickly are always playing catch-up. A formal vulnerability management process ensures critical issues get appropriate urgency.
  • Enforce least-privilege access on all network infrastructure. The firewall service account credentials harvested by CL-STA-1132 gave attackers a direct path into Active Directory. Network appliances should operate with tightly scoped service accounts — not broad administrative credentials.
  • Implement 24/7 threat monitoring and detection. This attack cluster deliberately destroyed forensic evidence. Without continuous log monitoring and alerting, many organizations would have no visibility into a breach of this nature until business impact made it obvious.
  • Maintain regular firewall configuration audits. Features like the Authentication Portal are often enabled during initial setup and forgotten. Periodic reviews of firewall configuration against vendor best practices help close these kinds of exposure gaps before they become emergencies.
  • Keep network security appliances on a patching cadence. Firewalls and other network infrastructure devices are frequently overlooked in patching programs that focus on workstations and servers. These devices are high-value targets precisely because they sit at the network perimeter — patch them with the same urgency as everything else.
  • Segment your network. A firewall compromise should not mean automatic access to every server, workstation, and data store in your environment. Network segmentation limits lateral movement and reduces the blast radius of any perimeter breach.

How Lone Wolf Networks Can Help

For businesses in the Temecula area and throughout Southern California, managing firewall configurations, tracking emerging CVEs, and responding to active threats is exactly what Lone Wolf Networks’ managed IT and cybersecurity services are designed to address.

If you have Palo Alto firewalls in your environment, our team can:

  • Audit your firewall configuration to determine whether the Authentication Portal is enabled and exposed, and implement immediate mitigations if needed.
  • Provide 24/7 network security monitoring through our managed threat monitoring service, so anomalous activity — like the tunneling and AD enumeration behavior described above — is detected and flagged promptly rather than discovered weeks after the fact.
  • Manage your patch deployment schedule so that when Palo Alto releases the CVE-2026-0300 hotfixes around May 13, they are applied to your environment promptly and without disruption to your operations.
  • Conduct a vulnerability assessment of your broader network security posture, identifying other configuration gaps that might be exposed but not yet actively targeted.
  • Advise on network segmentation strategy through our vCIO and IT strategy services, reducing the blast radius of any future perimeter breach.
  • Implement endpoint detection and response (EDR) on workstations and servers, providing an additional layer of visibility if an attacker does succeed in moving laterally from a compromised network device.

You shouldn’t have to monitor Palo Alto’s security advisory page and CISA’s KEV catalog yourself — that’s what a managed security partner is for. Contact Lone Wolf Networks to discuss how we can keep your network protected as the threat landscape evolves.

References

  1. CVE-2026-0300 PAN-OS: Unauthenticated Buffer Overflow in User-ID Authentication Portal — Palo Alto Networks Security Advisory (May 6, 2026)
  2. Unit 42 Threat Brief: CL-STA-1132 Exploiting Captive Portal Zero-Day (CVE-2026-0300) — Palo Alto Networks Unit 42 (May 7, 2026)
  3. CISA Adds One Known Exploited Vulnerability to Catalog — CVE-2026-0300 — CISA (May 6, 2026)
  4. CISA Known Exploited Vulnerabilities Catalog — CISA
  5. CVE-2026-0300 Detail — NIST National Vulnerability Database (May 6, 2026)
  6. ETR: Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300) — Rapid7 (May 6, 2026)
  7. Root-level RCE Vulnerability in Palo Alto Firewalls Exploited (CVE-2026-0300) — Help Net Security (May 6, 2026)
  8. CVE-2026-0300 Palo Alto Networks PAN-OS Buffer Overflow — Overview and Takeaways — NetSPI (May 7, 2026)
