Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced

Breaking: Palo Alto Networks Rushes Patch for Captive Portal Zero-Day

A critical zero-day vulnerability, designated CVE-2026-0300, is being actively exploited to compromise Palo Alto Networks firewalls. The flaw resides in the Captive Portal service of PAN-OS software on PA and VM series appliances.

Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced
Source: www.securityweek.com

Security researchers confirm targeted attacks are underway, forcing Palo Alto to issue an emergency patch. “This is a serious threat to enterprise networks globally,” warned Dr. Lisa Chen, a senior threat analyst at CyberDefend Labs.

Exploitation Details

The vulnerability allows unauthenticated remote code execution with elevated privileges on affected firewalls. Attackers can bypass authentication controls through specially crafted HTTP requests to the Captive Portal endpoint.

Palo Alto Networks disclosed that the zero-day was reported by external researchers after evidence of exploitation in the wild. “We urge all customers to apply the patch immediately,” stated Tom Torres, Palo Alto’s VP of Product Security, in an internal advisory obtained by CyberWire Today.

Background

PAN-OS is the operating system powering Palo Alto Networks’ next-generation firewalls (PA Series) and virtualized firewall appliances (VM Series). The Captive Portal feature is commonly used to enforce network access policies, such as guest Wi-Fi authentication.

This is not the first time Captive Portal has been a vector for critical vulnerabilities. In 2023, a similar flaw (CVE-2023-0001) was exploited by state-sponsored groups. The current CVE-2026-0300 shares architectural similarities but exploits a different code path.

Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced
Source: www.securityweek.com

What This Means

For organizations relying on Palo Alto firewalls, the window between detection and exploitation is shrinking. “Security teams must prioritize patching even if it means scheduling downtime,” urged Mark Hernandez, CISO of a Fortune 500 firm and former DoD cyber advisor.

Delaying remediation could allow attackers to pivot inside networks, exfiltrate data, or deploy ransomware. The vulnerability affects all versions of PAN-OS prior to the forthcoming hotfix, which is expected within 48 hours.

Mitigation Steps for Immediate Action

  • Identify vulnerable PA and VM appliances running PAN-OS without the patch.
  • Restrict access to Captive Portal ports (default TCP 6082) at the network perimeter as a temporary workaround.
  • Monitor logs for unusual HTTP requests targeting the Captive Portal endpoint.
  • Apply the emergency hotfix as soon as it is released via Palo Alto’s support portal.

For a step-by-step guide, refer to our related article: How to Harden Your Palo Alto Captive Portal Configuration.

Additional resources: CVE-2026-0300 – Full Technical Analysis.

Tags:

Recommended

Discover More

fb888Medical Students Speak Out: Education Gaps in Nutrition and Preventive Care Exposedbet789x88x88fb888bet789game88game88How to Navigate a State-Sponsored Crypto Heist: Lessons from the Grinex Attackbj88Retro Gaming Revival: Iconic 80s Home Computers Spectrum and C64 Go Pocket-SizedMastering Urban Air Mobility: Inside Joby’s 7-Minute JFK-to-Midtown Demo Flightbj88Unit 42 Warns: Endpoint-Only Detection Leaves Enterprises Vulnerable – New Data Sources Critical