A critical zero-day vulnerability in Palo Alto Networks firewalls has been exploited for a month by suspected state-sponsored actors, enabling unauthenticated remote code execution and root access on exposed devices.
This exploitation is significant as attackers deployed sophisticated tunneling tools and performed log cleanup, indicating a high level of stealth and persistence, potentially compromising sensitive networks globally.
With over 5,400 firewalls exposed and patches due May 13, organizations must immediately implement mitigation strategies like restricting portal access to prevent further compromise, as mandated for federal agencies by CISA.

Atlas AI
Palo Alto Networks says suspected state-sponsored threat actors have been exploiting a critical PAN-OS firewall zero-day vulnerability since April 9, according to BleepingComputer.
The bug, tracked as CVE-2026-0300, is a buffer overflow in the PAN-OS User-ID Authentication Portal (also known as the Captive Portal). It can allow unauthenticated remote code execution with root privileges on internet-exposed PA-Series and VM-Series firewalls.
What researchers observed
Palo Alto Networks said exploitation attempts began on April 9, 2026, with attackers successfully achieving remote code execution about a week later. After compromising a device, the intruders attempted to reduce the chance of detection by clearing crash kernel messages and removing crash core dump files.
On compromised devices, the attackers also deployed the open-source tunneling tools Earthworm and ReverseSocks5 to establish covert communications and proxy connections. BleepingComputer noted that Earthworm has previously been used in attacks linked to multiple Chinese-speaking threat groups.
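Tunneling tools of the kind named above normally have the agent on the compromised device open an outbound session to the operator's server, so a firewall that suddenly originates long-lived connections to hosts outside its known-good egress set is a strong hunting signal, independent of whether the crash logs survived. The script below is an added example, not code from the article or from Palo Alto Networks: it assumes you can export flow records for the firewall's own addresses into the simple record form shown, and that the firewall IPs, the allow-listed destinations (the 203.0.113.0/24 "vendor update" range is a hypothetical placeholder) and the duration threshold are replaced with your environment's values. The sample flows are constructed, not real telemetry.

```python
"""Hunt for firewall-initiated reverse tunnels in exported flow records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str         # address that initiated the session
    dst: str         # responder address
    dport: int
    proto: str       # "tcp" or "udp"
    duration_s: int
    bytes_out: int   # bytes sent by src


# Assumed environment facts for this example (replace with your own):
# the firewall's own addresses, and the destinations the device itself is
# legitimately allowed to initiate connections to.
FIREWALL_IPS = {"10.0.0.1"}
ALLOWED_EGRESS = (
    (ip_network("10.0.0.0/8"), 514, "tcp"),       # syslog / SIEM collector
    (ip_network("10.0.0.0/8"), 53, "udp"),        # internal DNS
    (ip_network("10.0.0.0/8"), 123, "udp"),       # NTP
    (ip_network("203.0.113.0/24"), 443, "tcp"),   # hypothetical vendor update range
)
LONG_LIVED_S = 3600  # a reverse SOCKS tunnel stays up; an update check does not


def is_allowed(flow: Flow) -> bool:
    """True if the destination/port/proto is on the device's known-good egress list."""
    dst = ip_address(flow.dst)
    return any(dst in net and flow.dport == port and flow.proto == proto
               for net, port, proto in ALLOWED_EGRESS)


def hunt(flows):
    """Return (flow, reason) pairs for sessions the firewall itself initiated
    that do not fit its egress profile: unknown destinations are flagged
    outright, allow-listed ones only when they run unusually long."""
    findings = []
    for f in flows:
        if f.src not in FIREWALL_IPS:
            continue  # only sessions originated by the firewall matter here
        if not is_allowed(f):
            findings.append((f, "unexpected_egress"))
        elif f.duration_s >= LONG_LIVED_S:
            findings.append((f, "long_lived_allowed_egress"))
    return findings


# Constructed sample records for the example (not real telemetry).
SAMPLE_FLOWS = [
    Flow("10.0.0.1", "10.20.0.5", 514, "tcp", 30, 12_000),              # syslog, fine
    Flow("10.0.0.1", "203.0.113.7", 443, "tcp", 12, 40_000),            # update check, fine
    Flow("10.0.0.1", "198.51.100.23", 443, "tcp", 14_400, 9_500_000),   # 4h session to unknown host
    Flow("10.0.0.1", "198.51.100.23", 8080, "tcp", 5_200, 1_200),       # reconnect to same host
    Flow("192.168.1.50", "198.51.100.23", 443, "tcp", 3, 900),          # a client, not the firewall
    Flow("10.0.0.1", "203.0.113.7", 443, "tcp", 7_200, 50_000),         # allowed dst, oddly long
]

if __name__ == "__main__":
    for f, reason in hunt(SAMPLE_FLOWS):
        print(f"{reason:26} {f.src} -> {f.dst}:{f.dport}/{f.proto} "
              f"{f.duration_s}s {f.bytes_out}B")
```

Run against the sample data this reports the two sessions to 198.51.100.23 as unexpected egress and the two-hour session to the update range as long-lived. The design choice is to treat the firewall as a device that should almost never originate traffic: anything outside a short explicit allow list is worth a ticket, and even allow-listed destinations get a duration check, because an operator can just as easily reverse-connect over 443 to a host that happens to sit in a range you trust.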
Exposure and patch timeline
Internet monitoring group Shadowserver is tracking more than 5,400 exposed PAN-OS VM-series firewalls, with most located in Asia and North America.
Palo Alto Networks said Cloud NGFW and Panorama appliances are not impacted. The company said it is working on patches, with the first updates expected to roll out starting May 13.
Mitigations and government directive
Until patches are available, Palo Alto Networks advised customers to restrict access to the User-ID Authentication Portal to trusted zones, or disable the portal where possible.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) Catalog and ordered Federal Civilian Executive Branch (FCEB) agencies to secure affected systems by May 9.


