PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

Palo Alto Networks has disclosed that threat actors may have attempted to unsuccessfully exploit a recently disclosed critical security flaw as early as April 9, 2026.

The vulnerability in question is CVE-2026-0300 (CVSS score: 9.3/8.7), a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS software that could allow an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets.

While fixes are expected to be released starting May 13, 2026, customers are advised to secure access to the PAN-OS User-ID Authentication Portal by restricting access to trusted zones, or by disabling it entirely if it's not used.

As additional mitigation, the company is recommending that organizations disable Response Pages in the Interface Management Profile for any L3 interface where untrusted or internet traffic can ingress. Customers with Advanced Threat Prevention can also block exploitation attempts by enabling Threat ID 510019 from Applications and Threats content version 9097-10022.

In an advisory issued Wednesday, the network security company said it's aware of limited exploitation of the flaw. It's tracking the activity under the CL-STA-1132, a suspected state-sponsored threat cluster of unknown provenance.

PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage

Other newsrooms on this story

Related reading

Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution

CVSS vulnerability triage: 5 failures, 5 fixes

State-backed hackers hammer Palo Alto firewall zero-day before patch lands

Cisco warns of new critical SD-WAN flaw exploited in zero-day attacks

'Dirty Frag' Linux flaw one-ups CopyFail with no patches and public root exploit

Critical cPanel exploited: 'Millions' of sites could be hit