Palo Alto Networks has disclosed an actively exploited zero-day vulnerability in its PAN-OS operating system, tracked as CVE-2026-0300, affecting the Captive Portal service on PA-Series and VM-Series firewalls. The company confirmed that the flaw has been observed in targeted attacks against customer environments and is working to release an emergency patch.
This disclosure marks another high-profile zero-day in Palo Alto's firewall product line — a platform widely deployed as the network perimeter for enterprise organizations and government agencies. PAN-OS zero-days have historically attracted nation-state threat actors seeking persistent access to sensitive networks.
What Is CVE-2026-0300?
CVE-2026-0300 affects the Captive Portal component of PAN-OS, a feature used to authenticate guest or remote users before granting network access. According to Palo Alto Networks' security advisory, the vulnerability allows attackers to exploit a flaw in how the Captive Portal service processes certain requests, enabling unauthorized access to or manipulation of affected firewall devices.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-0300 |
| Affected Product | PAN-OS — PA-Series and VM-Series Firewalls |
| Vulnerable Component | Captive Portal service |
| Exploitation Status | Actively exploited in the wild |
| Patch Status | Emergency patch in development |
| Disclosure Source | Palo Alto Networks Security Advisory |
Specific CVSS scoring and full technical details are expected to be published alongside the patch release. In their advisory, Palo Alto Networks characterized the severity as significant enough to warrant emergency handling.
Active Exploitation Confirmed
Palo Alto Networks confirmed that CVE-2026-0300 has been observed in active exploitation targeting real customer environments prior to the patch being available. This makes it a true zero-day in the classic definition: a vulnerability being actively exploited before the vendor has issued a fix.
The company has not yet publicly attributed the attacks to a specific threat actor group, but the targeting pattern of exploiting PAN-OS appliances is consistent with advanced persistent threat (APT) groups and nation-state actors that have previously prioritized Palo Alto Networks devices for initial access into high-value networks.
PAN-OS Zero-Days: A Recurring Target
This is not an isolated incident. PAN-OS appliances have been a persistent target for sophisticated threat actors:
- CVE-2024-3400 (April 2024): A CVSS 10.0 command injection in GlobalProtect exploited by the Midnight Eclipse espionage group to deploy Python backdoors across thousands of firewalls globally
- CVE-2025-0108 (2025): An authentication bypass in the PAN-OS management interface exploited in targeted campaigns
- CVE-2026-0778 (February 2026): A GlobalProtect RCE flaw exploited against government and critical infrastructure targets
The Captive Portal service represents a new attack surface distinct from the GlobalProtect and management interface flaws exploited in prior campaigns, suggesting threat actors are systematically mapping the full attack surface of PAN-OS.
Who Is Affected?
The vulnerability affects organizations running PAN-OS on PA-Series and VM-Series firewalls with the Captive Portal feature enabled. Captive Portal is commonly deployed in:
- Enterprise guest Wi-Fi networks — authenticating wireless visitors before granting internet access
- Higher education — campus network guest portals
- Healthcare — patient and visitor network access control
- Hospitality — hotel and venue guest networks
Organizations that have disabled Captive Portal on their PAN-OS deployments are not exposed through this specific attack vector, though the full scope of the vulnerability may include additional impact paths not yet publicly disclosed.
Immediate Mitigations While Patch Is Pending
Palo Alto Networks recommends the following immediate actions while the emergency patch is being finalized:
1. Disable Captive Portal (If Not Required)
If your organization does not actively use Captive Portal for network access control, disable the feature immediately:
- Log into the Palo Alto Networks PAN-OS management interface
- Navigate to Network > Network Profiles > Interface Management Profile
- Disable Captive Portal on affected interfaces
- Commit the configuration change
2. Restrict Management Interface Access
Limit access to the PAN-OS management interface to trusted IP ranges only — reducing the attack surface even if Captive Portal cannot be disabled:
# In PAN-OS: Device > Setup > Interfaces > Management
# Set "Permitted IP Addresses" to known management subnets only
3. Enable Threat Prevention Signatures
Palo Alto Networks has released threat prevention signatures for PAN-OS customers with active Threat Prevention subscriptions. Apply the latest content updates:
# In PAN-OS: Device > Dynamic Updates
# Download and install the latest Applications and Threats content
Check Palo Alto Networks' Threat Prevention advisories for the specific signature IDs related to CVE-2026-0300.
4. Monitor for Indicators of Compromise
Review firewall logs for anomalous activity related to Captive Portal sessions:
- Unusual authentication patterns on Captive Portal interfaces
- Unexpected outbound connections from the firewall management plane
- Configuration changes not initiated by known administrators
- Session table anomalies around Captive Portal user mappings
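A small log-review script for three of the four items above (authentication bursts on Captive Portal, configuration commits by accounts outside an admin allowlist, and unexpected outbound connections from the management plane), added here as an illustration and not taken from the advisory or from Palo Alto Networks. It runs over constructed sample records in a simplified comma-separated layout, which is an assumption for the example rather than the actual PAN-OS log format; the admin allowlist, management-plane address, permitted destinations and failure threshold are likewise assumed values.

```python
from collections import Counter

# Constructed sample records in a simplified "type,time,src,user,detail" layout.
# This layout is an assumption for the example, not the actual PAN-OS log format.
SAMPLE_LOGS = """\
auth,2026-03-01T02:00:01,203.0.113.7,guest1,captive-portal failed
auth,2026-03-01T02:00:02,203.0.113.7,guest2,captive-portal failed
auth,2026-03-01T02:00:03,203.0.113.7,guest3,captive-portal failed
auth,2026-03-01T02:00:04,203.0.113.7,guest4,captive-portal success
auth,2026-03-01T09:15:00,198.51.100.4,jdoe,captive-portal success
config,2026-03-01T02:01:10,203.0.113.7,svc_backup,commit
config,2026-03-01T09:30:00,10.0.0.5,netadmin,commit
traffic,2026-03-01T02:02:00,10.0.0.1,,outbound 203.0.113.9:443
traffic,2026-03-01T09:31:00,10.0.0.1,,outbound 10.0.0.50:443
"""

KNOWN_ADMINS = {"netadmin"}         # assumption: accounts allowed to commit changes
MGMT_PLANE_IPS = {"10.0.0.1"}       # assumption: firewall management interface address
ALLOWED_MGMT_DESTS = {"10.0.0.50"}  # assumption: update/log servers the device may reach
FAIL_THRESHOLD = 3                  # failed captive-portal logins per source before alerting

def parse(text):
    """Split the simplified records into dicts; one record per line."""
    rows = []
    for line in text.strip().splitlines():
        kind, ts, src, user, detail = line.split(",", 4)
        rows.append({"kind": kind, "ts": ts, "src": src, "user": user, "detail": detail})
    return rows

def find_anomalies(rows):
    """Return sorted (check, subject) findings for three of the review items."""
    findings = set()
    fails = Counter()
    for r in rows:
        if r["kind"] == "auth" and r["detail"].endswith("failed"):
            fails[r["src"]] += 1                      # unusual captive-portal auth patterns
        elif r["kind"] == "config" and r["user"] not in KNOWN_ADMINS:
            findings.add(("config-change-unknown-admin", r["user"]))
        elif r["kind"] == "traffic" and r["src"] in MGMT_PLANE_IPS:
            dest = r["detail"].split()[-1].rsplit(":", 1)[0]
            if dest not in ALLOWED_MGMT_DESTS:        # management plane reaching out
                findings.add(("mgmt-plane-unexpected-outbound", dest))
    for src, n in fails.items():
        if n >= FAIL_THRESHOLD:
            findings.add(("captive-portal-auth-burst", src))
    return sorted(findings)

if __name__ == "__main__":
    for check, subject in find_anomalies(parse(SAMPLE_LOGS)):
        print(f"{check}: {subject}")
```

The thresholds and allowlists are the parts to tune per environment; the structure (count failures per source, compare actors and destinations against known-good sets) carries over to real exported logs once the field mapping is adjusted.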
When to Expect the Patch
Palo Alto Networks has committed to an emergency patch release and is expected to publish a detailed security advisory with full CVSS scores, affected version ranges, and patched release versions in the coming days. Organizations should:
- Subscribe to Palo Alto Networks Security Advisories at security.paloaltonetworks.com for immediate notification when the patch drops
- Plan for an emergency change window: given active exploitation, the patch should be applied as an emergency fix, not in the standard monthly maintenance cycle
- Stage the patch in test environments, but given the active threat, do not delay production deployment for extended testing
Broader Context: Firewall Appliances as High-Value Targets
The exploitation of CVE-2026-0300 fits a well-established pattern of nation-state actors prioritizing network perimeter appliances as entry points into sensitive environments. Unlike endpoint attacks that require user interaction or phishing delivery, exploiting firewall vulnerabilities provides:
- Direct network access to the internal environment without traversing endpoint defenses
- Persistent implant opportunity on always-on, rarely-rebooted appliances
- Privileged visibility into all network traffic passing through the device
- Difficulty of detection — security teams often have limited visibility into the security appliance itself
CISA's Known Exploited Vulnerabilities (KEV) catalog consistently includes network perimeter device zero-days from Palo Alto Networks, Ivanti, Fortinet, and Cisco — all of which have been actively targeted by APT groups in recent years.