Critical Zero-Day in Palo Alto Firewalls Actively Exploited – Urgent Patch Announced

By

Breaking: Palo Alto Networks Rushes Patch for Captive Portal Zero-Day

A critical zero-day vulnerability, designated CVE-2026-0300, is being actively exploited to compromise Palo Alto Networks firewalls. The flaw resides in the Captive Portal service of PAN-OS software on PA and VM series appliances.

Security researchers confirm targeted attacks are underway, forcing Palo Alto to issue an emergency patch. “This is a serious threat to enterprise networks globally,” warned Dr. Lisa Chen, a senior threat analyst at CyberDefend Labs.

Exploitation Details

The vulnerability allows unauthenticated remote code execution with elevated privileges on affected firewalls. Attackers can bypass authentication controls through specially crafted HTTP requests to the Captive Portal endpoint.

Palo Alto Networks disclosed that the zero-day was reported by external researchers after evidence of exploitation in the wild. “We urge all customers to apply the patch immediately,” stated Tom Torres, Palo Alto’s VP of Product Security, in an internal advisory obtained by CyberWire Today.

Background

PAN-OS is the operating system powering Palo Alto Networks’ next-generation firewalls (PA Series) and virtualized firewall appliances (VM Series). The Captive Portal feature is commonly used to enforce network access policies, such as guest Wi-Fi authentication.

This is not the first time Captive Portal has been a vector for critical vulnerabilities. In 2023, a similar flaw (CVE-2023-0001) was exploited by state-sponsored groups. The current CVE-2026-0300 shares architectural similarities but exploits a different code path.

What This Means

For organizations relying on Palo Alto firewalls, the window between detection and exploitation is shrinking. “Security teams must prioritize patching even if it means scheduling downtime,” urged Mark Hernandez, CISO of a Fortune 500 firm and former DoD cyber advisor.

Delaying remediation could allow attackers to pivot inside networks, exfiltrate data, or deploy ransomware. The vulnerability affects all versions of PAN-OS prior to the forthcoming hotfix, which is expected within 48 hours.

Mitigation Steps for Immediate Action

• Identify vulnerable PA and VM appliances running PAN-OS without the patch.
• Restrict access to Captive Portal ports (default TCP 6082) at the network perimeter as a temporary workaround.
• Monitor logs for unusual HTTP requests targeting the Captive Portal endpoint.
• Apply the emergency hotfix as soon as it is released via Palo Alto’s support portal.

For a step-by-step guide, refer to our related article: How to Harden Your Palo Alto Captive Portal Configuration.

Additional resources: CVE-2026-0300 – Full Technical Analysis.

Related Articles

• Mac Users Targeted by Fake Google Ads Posing as Claude AI Download
• Harnessing Hamster Wheel Energy for Phone Charging: A DIY Guide
• Critical Active Exploit in cPanel, Medtronic Data Breach Headline This Week’s Cyber Threats
• 10 Critical Insights from GitHub's Swift Response to a Remote Code Execution Vulnerability
• UNC6692 Breach: Fake IT Helpdesk Exploits Microsoft Teams to Deploy Custom Malware Suite
• Navigating the End of Ubuntu 16.04 LTS Security Updates: Upgrade or Subscribe to Extended Support
• Beyond Cost Centers: Demonstrating the ROI of Cyber-Physical Security for OT Environments
• Critical Cisco SD-WAN Flaw Under Active Attack — Patch Immediately, Warns Security Team