Organizations have until midnight tonight to meet the federal remediation deadline for a critical zero-day vulnerability in perimeter security infrastructure. This flaw allows unauthenticated remote attackers to execute code with root privileges, effectively seizing control of the firewall operating system.
Tracked as CVE-2026-0300, the vulnerability resides in the PAN-OS User-ID Authentication Portal. Because official patches from @[Palo Alto Networks](urn:li:organization:15502) are not expected until May 13, @[CISA](urn:li:organization:13010360) has mandated immediate defensive actions. Threat actors have been observed abusing this bug in real-world attacks since at least early April, specifically targeting appliances where the Captive Portal is enabled for guest access or identity-based policy enforcement.
When a perimeter gateway is vulnerable to root-level RCE, the adversary can bypass all internal security controls and silence telemetry. This makes the firewall a stable pivot point for lateral movement and large-scale data exfiltration that remains invisible to standard endpoint protection tools.
– Immediately restrict access to the User-ID Authentication Portal to trusted internal IP ranges or disable the service entirely if not strictly required for business operations.
– Monitor for anomalous inbound traffic on ports 6081 and 6082, which are associated with the vulnerable portal service.
– Conduct a forensic audit of PAN-OS logs for unauthorized administrative activity or unexpected system-level changes dating back to April 9.
– Ensure all PA-Series and VM-Series firewalls are prepared for immediate patching as soon as the May 13 security updates are released.
The compromise of the perimeter gateway is a total-loss event for network integrity; immediate architectural isolation is the only reliable defense before patches arrive. #CodeDefence #PaloAltoNetworks #PANOS #CISA #KEV
/
