Palo Alto Networks confirmed that threat actors actively exploited CVE-2026-0300, a critical remote code execution vulnerability in PAN-OS, to gain root-level access to affected firewalls. The buffer overflow flaw resides in the User-ID Authentication Portal service and carries a CVSS score of 9.3, allowing unauthenticated attackers to execute arbitrary code without credentials.
Evidence indicates exploitation attempts began as early as April 9, 2026. The vulnerability enables attackers to bypass authentication entirely, execute commands with system-level privileges, and maintain persistent access for espionage operations. Organizations running vulnerable PAN-OS versions face immediate risk of full compromise of the firewall, which serves as the network perimeter's first line of defense.
The risk is amplified because exploitation requires no user interaction and no valid credentials. Attackers can target PAN-OS instances directly from the internet if the User-ID Authentication Portal remains exposed. Once inside, threat actors gain visibility into encrypted network traffic, can redirect traffic for interception, and can pivot deeper into internal networks.
Palo Alto Networks has released patches for affected versions. Organizations must identify all PAN-OS deployments, verify current versions against the vulnerability advisory, and apply security updates immediately. Network administrators should also review firewall logs from April 2026 onward for suspicious authentication portal access patterns, command execution attempts, and unusual administrative activities.
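One way to do the version check across an inventory, as an added example that is not taken from the vendor advisory or from Palo Alto Networks tooling. The fixed-build table and the hostnames are constructed placeholders, and the matching logic assumes the advisory lists fixed builds per release train, including hotfix builds for older maintenance releases.

```python
import re

# PLACEHOLDER fixed builds per release train, constructed for this example.
# They are NOT from the advisory: replace them with the builds it lists.
FIXED_BUILDS = {
    (10, 2): ["10.2.7-h4", "10.2.8-h2", "10.2.9"],
    (11, 1): ["11.1.3-h1", "11.1.4"],
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(version_text, fixed_builds=FIXED_BUILDS):
    """Return 'patched', 'vulnerable' or 'unknown' for one version string."""
    try:
        major, minor, maint, hotfix = parse_version(version_text)
    except ValueError:
        return "unknown"
    fixed = fixed_builds.get((major, minor))
    if fixed is None:
        return "unknown"  # train not in the table: check the advisory by hand
    # Maintenance release -> lowest hotfix number that carries the fix.
    min_hotfix = {v[2]: v[3] for v in map(parse_version, fixed)}
    if maint in min_hotfix:
        return "patched" if hotfix >= min_hotfix[maint] else "vulnerable"
    # Assumption: maintenance releases newer than every listed fix include it;
    # older, unlisted maintenance releases never received a hotfix.
    return "patched" if maint > max(min_hotfix) else "vulnerable"

def triage(inventory):
    """Group hostnames by status so vulnerable devices are patched first."""
    result = {"vulnerable": [], "patched": [], "unknown": []}
    for host, version in inventory:
        result[classify(version)].append(host)
    return result

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.8-h2"), ("fw-edge-02", "10.2.8"),
    ("fw-dc-01", "10.2.10"), ("fw-dc-02", "11.1.3"),
    ("fw-lab-01", "9.1.16"),
]
```

Versions are compared as integer tuples because a plain string comparison would rank 10.2.10 below 10.2.9, and devices reported as unknown still need a manual check against the advisory.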
The exploitation window appears to have closed partially after public disclosure, but unpatched instances remain vulnerable. Organizations that delayed patching face active adversary interest. This vulnerability represents a crown-jewel target for both financially motivated actors and nation-state threat groups seeking network access and persistent surveillance capabilities.
Immediate action is non-negotiable. Delay invites breach.
THE BOTTOM LINE: Threat actors actively exploited this critical PAN-OS flaw for root access.
