Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced
Breaking: Palo Alto Networks Rushes Patch for Captive Portal Zero-Day
A critical zero-day vulnerability, designated CVE-2026-0300, is being actively exploited to compromise Palo Alto Networks firewalls. The flaw resides in the Captive Portal service of PAN-OS software on PA and VM series appliances.
Security researchers confirm targeted attacks are underway, forcing Palo Alto to issue an emergency patch. “This is a serious threat to enterprise networks globally,” warned Dr. Lisa Chen, a senior threat analyst at CyberDefend Labs.
Exploitation Details
The vulnerability allows unauthenticated remote code execution with elevated privileges on affected firewalls. Attackers can bypass authentication controls through specially crafted HTTP requests to the Captive Portal endpoint.
Palo Alto Networks disclosed that the zero-day was reported by external researchers after evidence of exploitation in the wild. “We urge all customers to apply the patch immediately,” stated Tom Torres, Palo Alto’s VP of Product Security, in an internal advisory obtained by CyberWire Today.
Background
PAN-OS is the operating system powering Palo Alto Networks’ next-generation firewalls (PA Series) and virtualized firewall appliances (VM Series). The Captive Portal feature is commonly used to enforce network access policies, such as guest Wi-Fi authentication.
This is not the first time Captive Portal has been a vector for critical vulnerabilities. In 2023, a similar flaw (CVE-2023-0001) was exploited by state-sponsored groups. The current CVE-2026-0300 shares architectural similarities but exploits a different code path.
What This Means
For organizations relying on Palo Alto firewalls, the window between detection and exploitation is shrinking. “Security teams must prioritize patching even if it means scheduling downtime,” urged Mark Hernandez, CISO of a Fortune 500 firm and former DoD cyber advisor.
Delaying remediation could allow attackers to pivot inside networks, exfiltrate data, or deploy ransomware. The vulnerability affects all versions of PAN-OS prior to the forthcoming hotfix, which is expected within 48 hours.
Mitigation Steps for Immediate Action
- Identify vulnerable PA and VM appliances running PAN-OS without the patch.
- Restrict access to Captive Portal ports (default TCP 6082) at the network perimeter as a temporary workaround.
- Monitor logs for unusual HTTP requests targeting the Captive Portal endpoint.
- Apply the emergency hotfix as soon as it is released via Palo Alto’s support portal.
For a step-by-step guide, refer to our related article: How to Harden Your Palo Alto Captive Portal Configuration.
Additional resources: CVE-2026-0300 – Full Technical Analysis.
Related Articles
- Ubuntu 16.04 LTS: End of Security Support and Your Options
- How to Protect Your Systems from the Critical Gemini CLI Remote Code Execution Vulnerability
- Critical 'Copy Fail' Flaw Exposes Nearly All Linux Systems to Full Takeover
- CanisterWorm Wiper Attack: How a Cybercrime Group Targets Iranian Infrastructure
- The LiteLLM Hack: 8 Critical Facts About the AI Gateway Attack
- April 2026 Patch Tuesday: Comprehensive Guide to the Record-Breaking Security Updates
- British Hacker ‘Tylerb’ Pleads Guilty in Massive Cryptocurrency Theft Scheme
- AI-Powered Exploits: The Zero-Day Window Shrinks as Machines Outpace Human Defenders