
Nation-state actors exploit Palo Alto PAN-OS zero-day for weeks

Palo Alto Networks has issued a warning regarding active exploitation of a critical zero-day vulnerability, CVE-2026-0300, affecting the User-ID Authentication Portal on various PA-Series and VM-Series firewalls.

Key Points

  • The vulnerability is a buffer overflow flaw allowing unauthenticated remote code execution with root privileges.
  • Threat actor group CL-STA-1132 is actively exploiting the flaw to deploy tunneling tools like EarthWorm and ReverseSocks5.
  • Attackers are using stolen credentials to enumerate Active Directory and systematically deleting logs to evade detection.
  • Impacted products include specific versions of PAN-OS 10.2, 11.1, 11.2, and 12.1, with patches scheduled for release throughout May 2026.
  • Risk is significantly mitigated by restricting access to the User-ID Authentication Portal to trusted internal IP addresses only.
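The last point above is the one control a defender can apply before patches ship: the portal should answer only to trusted internal addresses. The script below is an added example, not code from Palo Alto Networks or from the original article, that checks firewall access logs for portal requests arriving from outside an allowlist. The log layout, the portal ports and the trusted ranges are all assumptions made for the example; substitute your own export format, ports and allowlist.

```python
import ipaddress
import re
from typing import Iterable, List, Tuple

# Trusted internal ranges. Constructed for this example; replace with your allowlist.
TRUSTED_NETWORKS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fd00::/8")
]

# Ports assumed to carry the User-ID Authentication Portal in this example.
# The advisory summary does not state the portal's ports; confirm against your deployment.
PORTAL_PORTS = {6080, 6081, 6082}

# Hypothetical access-log layout (assumed, not the real PAN-OS log format):
#   <timestamp> src=<ip> dst_port=<port> path=<url-path>
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst_port=(?P<port>\d+)\s+path=(?P<path>\S+)")


def is_trusted(src: str, networks=TRUSTED_NETWORKS) -> bool:
    """True only if src parses as an IP address inside one of the trusted networks.

    Unparsable addresses are treated as untrusted so they are surfaced, not hidden.
    IPv4 and IPv6 are handled; a v6 address never matches a v4 network and vice versa.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_untrusted_portal_hits(
    lines: Iterable[str], networks=TRUSTED_NETWORKS, portal_ports=PORTAL_PORTS
) -> List[Tuple[str, int, str]]:
    """Return (src, port, path) for every portal request whose source is outside the allowlist.

    Lines that do not match the expected layout are skipped; traffic to ports other
    than the portal's is ignored, since the exposure in question is the portal itself.
    """
    hits: List[Tuple[str, int, str]] = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # unrelated or malformed line
        port = int(m.group("port"))
        if port not in portal_ports:
            continue  # not the User-ID portal
        src = m.group("src")
        if not is_trusted(src, networks):
            hits.append((src, port, m.group("path")))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2026-05-01T10:00:01Z src=10.20.30.40 dst_port=6082 path=/portal/login",
    "2026-05-01T10:00:05Z src=203.0.113.7 dst_port=6082 path=/portal/login",
    "2026-05-01T10:00:09Z src=198.51.100.22 dst_port=443 path=/",
    "2026-05-01T10:00:12Z src=2001:db8::1 dst_port=6082 path=/portal/login",
    "2026-05-01T10:00:15Z src=bad-host dst_port=6082 path=/portal/login",
    "this line does not match the expected layout",
]

if __name__ == "__main__":
    for src, port, path in find_untrusted_portal_hits(SAMPLE_LOG):
        print(f"portal reachable from untrusted source {src} -> port {port} {path}")
```

Any hit returned by `find_untrusted_portal_hits` means the portal is answering requests from outside the trusted ranges, which is exactly the exposure the mitigation is meant to remove; an empty result on real logs is the expected state after the access restriction is in place.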

Why it Matters

This exploit highlights the ongoing risk to edge infrastructure when critical management portals are exposed directly to the public internet. Organizations must prioritize network segmentation and access restrictions to prevent state-sponsored actors from establishing long-term, stealthy persistence within their internal environments.
Source: Securityaffairs.com, published by Pierluigi Paganini