Palo Alto Networks Firewall Exploited by Zero-Day Attackers for 4 Weeks
Palo Alto Networks Warns of Firewall Zero-Day Exploit After Month-Long Attack Campaign
Palo Alto Networks recently issued a warning to customers regarding a zero-day vulnerability in its firewall product, which had been exploited by attackers for almost a month. The vulnerability, tracked as CVE-2026-0300, is a remote code execution flaw located in the PAN-OS User-ID Authentication Portal component of the firewall.
Attack Details
The vulnerability was discovered after a series of successful attacks on PA-Series and VM-Series firewalls, which began on April 9, 2026. The attackers exploited the vulnerability to inject shellcode into the compromised devices, allowing them to:
- Clear crash kernel messages
- Delete crash core dump files
- Establish covert communication channels using the open-source Earthworm and ReverseSocks5 network tunneling tools
"The attackers were able to bypass security controls and gain unauthorized access to sensitive areas of the network," according to Palo Alto Networks.
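As an added example (not from the article or from Palo Alto Networks), the Python below scans constructed syslog-style lines for the post-exploitation behaviour listed above and correlates crash-trace cleanup with a preceding crash on the same host. The log format, host names, and indicator patterns (including `ew` as the Earthworm binary name) are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not real PAN-OS output).
SAMPLE_LOG = """\
2026-04-09T02:14:03 fw-edge-1 kernel: authd[2231]: segfault at 0 ip 00007f3a error 4
2026-04-09T02:14:05 fw-edge-1 sh: rm -f /var/cores/core.authd.2231
2026-04-09T02:14:06 fw-edge-1 sh: dmesg -c
2026-04-09T02:15:40 fw-edge-1 sh: /tmp/ew -s rcsocks -l 1080 -e 8888
2026-04-09T09:00:00 fw-edge-2 cron: logrotate: rotated /var/log/messages
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>[^:]+): (?P<msg>.*)$")

# Indicator categories mirroring the behaviour described in the article.
INDICATORS = {
    "crash": re.compile(r"segfault|core dumped|kernel panic", re.I),
    "core_dump_deleted": re.compile(r"\brm\b.*\bcore", re.I),
    "kernel_msgs_cleared": re.compile(r"\bdmesg\s+-[a-zA-Z]*c\b"),
    # Assumed process/argument names for Earthworm and ReverseSocks5.
    "tunnel_tool": re.compile(r"\b(ew|earthworm|reversesocks5|rcsocks|rssocks)\b", re.I),
}

def find_indicators(log_text, window=timedelta(minutes=10)):
    """Return per-line hits and hosts where crash traces were wiped shortly after a crash."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts = datetime.fromisoformat(m["ts"])
        for category, pattern in INDICATORS.items():
            if pattern.search(m["msg"]):
                events.append((ts, m["host"], category))
    hits = [(host, cat) for _, host, cat in events if cat != "crash"]
    crashes = [(ts, host) for ts, host, cat in events if cat == "crash"]
    correlated = set()
    for ts, host, cat in events:
        if cat in ("core_dump_deleted", "kernel_msgs_cleared"):
            # Cleanup within `window` after a crash on the same host is the suspicious sequence.
            if any(h == host and timedelta(0) <= ts - cts <= window for cts, h in crashes):
                correlated.add(host)
    return {"hits": hits, "correlated_hosts": sorted(correlated)}

if __name__ == "__main__":
    print(find_indicators(SAMPLE_LOG))
```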
Affected Systems and Recommended Actions
Internet threat watchdog Shadowserver reported that over 5,400 Palo Alto Networks VM-Series firewalls remain exposed online, with the majority located in Asia and North America. To address this issue, Palo Alto Networks recommended that customers:
- Restrict access to the PAN-OS User-ID Authentication Portal
- Disable it altogether until security updates become available
Additionally, the US Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2026-0300 zero-day to its Known Exploited Vulnerabilities (KEV) Catalog, requiring federal civilian executive branch agencies to take immediate action to secure vulnerable firewalls by May 9, 2026.
