Enterprise security teams are entering the final 24 hours of a critical unpatched exposure period for perimeter firewalls. Official software updates are scheduled for release tomorrow to address a root-level buffer overflow that has been under active exploitation for over a month.
Tracked as CVE-2026-0300, the flaw impacts the User-ID Authentication Portal in PAN-OS. Unauthenticated remote attackers can execute arbitrary code with root privileges by sending crafted packets to the portal service. Palo Alto Networks has maintained that the risk is greatly reduced if access to the portal is restricted to trusted internal IP addresses, a mitigation that remains mandatory until the patches are verified and applied.
Firewall vulnerabilities are high-priority targets because they lack the standard endpoint logging present on servers and workstations. A successful exploit grants persistent, high-privileged access to the network edge, enabling the adversary to intercept traffic and facilitate lateral movement without triggering traditional security alerts.
– Verify that all PA-Series and VM-Series firewalls have the User-ID Authentication Portal restricted to trusted zones.
– Establish an emergency patching window for May 13 to apply the incoming PAN-OS security updates.
– Monitor for anomalous inbound traffic patterns on the ports associated with the Authentication Portal service.
– Audit administrative logs for any unauthorized configuration changes that may have occurred during the zero-day exposure window.
The release of a patch for a root-level perimeter zero-day requires immediate, fleet-wide remediation to close the adversary’s window of opportunity. #CodeDefence #PaloAltoNetworks #PANOS #ZeroDay #PerimeterSecurity
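One way to check the first and third items in the list above against exported traffic logs, as an added example that is not part of the original post or any vendor tooling. The trusted ranges, the portal port and the CSV layout are all assumptions to replace with your own values; the sample rows are constructed.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumptions (not from the post): trusted ranges, portal port, log layout.
TRUSTED_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
PORTAL_PORTS = {6082}  # placeholder: set to the port(s) your portal listens on

# Constructed sample export: time, source IP, destination port, action.
SAMPLE_LOG = """\
time,src,dport,action
2026-05-12T01:02:03Z,10.1.4.20,6082,allow
2026-05-12T01:02:09Z,203.0.113.45,6082,allow
2026-05-12T01:02:10Z,203.0.113.45,6082,allow
2026-05-12T01:03:00Z,198.51.100.7,6082,deny
2026-05-12T01:03:30Z,198.51.100.9,443,allow
2026-05-12T01:04:00Z,not-an-ip,6082,allow
"""

def is_trusted(addr):
    """True if the address falls inside any trusted network."""
    return any(addr in net for net in TRUSTED_NETS)

def untrusted_portal_hits(log_text):
    """Return (allowed, denied, malformed): per-source counts of untrusted
    sessions that reached or were blocked from the portal ports, plus the
    rows that could not be parsed (kept so they can be reviewed by hand)."""
    allowed, denied, malformed = Counter(), Counter(), []
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            src = ip_address(row["src"])
            dport = int(row["dport"])
        except (ValueError, TypeError, KeyError):
            malformed.append(row)
            continue
        if dport not in PORTAL_PORTS or is_trusted(src):
            continue
        (allowed if row["action"] == "allow" else denied)[str(src)] += 1
    return allowed, denied, malformed

if __name__ == "__main__":
    allowed, denied, malformed = untrusted_portal_hits(SAMPLE_LOG)
    for src, n in allowed.most_common():
        print(f"EXPOSED: {src} reached the portal {n} time(s)")
    for src, n in denied.most_common():
        print(f"blocked: {src} denied {n} time(s)")
    print(f"{len(malformed)} malformed row(s) skipped")
```

Any source listed as EXPOSED means the restriction to trusted zones is not in effect on that path, and the firewall in question belongs at the front of the audit in the fourth item.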
