Palo Alto Networks Warns of Firewall RCE Zero-Day Exploited in Attacks

Palo Alto Networks has issued an urgent advisory warning that a critical unpatched vulnerability in the PAN-OS User-ID Authentication Portal is being actively exploited to achieve remote code execution on enterprise firewalls.

Dylan H.

News Desk

May 6, 2026
5 min read

Palo Alto Networks has issued an urgent security advisory warning customers that a critical-severity zero-day vulnerability in PAN-OS is being actively exploited in the wild. The flaw resides in the User-ID Authentication Portal component and enables unauthenticated remote code execution on affected next-generation firewalls, posing a severe risk to enterprise network infrastructure.

The company is urging all affected customers to apply available mitigations immediately while a full patch is developed and released.

What Is the Vulnerability?

The zero-day affects the User-ID Authentication Portal in PAN-OS, the operating system powering Palo Alto Networks' NGFW appliances. The authentication portal is a web-based interface that handles identity-based policy enforcement — it maps network IP addresses to user identities to enable role-based access controls.

The vulnerability allows a remote, unauthenticated attacker to send a specially crafted request to the portal interface and achieve remote code execution on the firewall operating system. Successful exploitation could allow an attacker to:

  • Gain root-level access to the PAN-OS device
  • Modify firewall rules and security policies
  • Intercept, redirect, or drop network traffic
  • Use the compromised firewall as a pivot point into internal networks
  • Deploy persistent backdoors or malware on the device

Because next-generation firewalls sit at the network perimeter and often handle encrypted traffic inspection, a compromised device gives attackers extraordinary visibility and control over an organization's network traffic.

Affected Products

| Product                     | Affected Versions                           | Status              |
|-----------------------------|---------------------------------------------|---------------------|
| PAN-OS (hardware firewalls) | Multiple versions with User-ID enabled      | Patch pending       |
| Prisma Access               | Configurations with Authentication Portal   | Under investigation |
| Cloud NGFW                  | Specific configurations                     | Under investigation |

Palo Alto Networks has confirmed that devices with the Authentication Portal and User-ID features enabled are at highest risk. Organizations that have not enabled these features may have reduced exposure.

Active Exploitation Confirmed

Palo Alto's threat intelligence team confirmed that the vulnerability is being actively exploited by threat actors in targeted campaigns. While the company has not attributed the attacks to a specific group as of this writing, initial indicators suggest the exploitation predates the public advisory — meaning attackers likely had knowledge of the flaw before defenders.

The pattern is consistent with several prior Palo Alto zero-days: a small number of sophisticated actors exploit the vulnerability in targeted attacks before it reaches public awareness, triggering the vendor's emergency disclosure process once exploitation is detected at scale.

Notably, this follows a broader trend of threat actors — including nation-state groups — specifically targeting network security appliances as an initial access vector. Devices like firewalls and VPN gateways are attractive targets because:

  1. They sit outside endpoint detection coverage
  2. They run proprietary operating systems with limited security tooling
  3. They have deep network access once compromised
  4. Organizations often deprioritize patching of "trusted" network devices

Mitigations Available Now

Palo Alto Networks has released workarounds while the full patch is in development:

Option 1 — Disable the Authentication Portal (Recommended if not required): Organizations that do not require the Authentication Portal for policy enforcement should disable the feature immediately in their PAN-OS configuration.

Option 2 — Restrict access to the portal interface: If the Authentication Portal must remain enabled, restrict access to the management interface to known trusted IP addresses only. Do not expose the portal to untrusted networks or the public internet.

Option 3 — Apply Threat Prevention signatures: Customers with active Threat Prevention subscriptions should ensure the latest threat signatures are applied. Palo Alto has released signatures to detect exploitation attempts.

Option 4 — Enable Threat Prevention on management traffic: Apply Threat Prevention policies to traffic destined for the device management interfaces where possible.

Palo Alto Networks has stated that a permanent patch (PAN-OS update) is in active development and will be released on an expedited timeline. Customers should watch the official security advisory page for patch availability.

Context: A Pattern of PAN-OS Zero-Days

This disclosure continues a difficult stretch for Palo Alto Networks on the zero-day front. The company has faced several critical PAN-OS vulnerabilities over the past 18 months that were exploited before patches were available:

| CVE           | Component                     | Year | Exploited            |
|---------------|-------------------------------|------|----------------------|
| CVE-2024-3400 | GlobalProtect VPN             | 2024 | Yes — nation-state   |
| CVE-2025-0108 | PAN-OS management interface   | 2025 | Yes                  |
| CVE-2026-0778 | GlobalProtect RCE             | 2026 | Yes                  |
| Current       | User-ID Authentication Portal | 2026 | Yes — active         |

The frequency of exploited zero-days in PAN-OS has prompted CISA to add multiple Palo Alto vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog in recent cycles. Federal agencies and critical infrastructure operators face mandatory remediation timelines when entries are added to the KEV.

What Organizations Should Do

Immediate actions:

  1. Audit exposure — Determine whether User-ID Authentication Portal is enabled and accessible from untrusted networks
  2. Apply mitigations — Implement Palo Alto's recommended workarounds immediately; do not wait for the patch
  3. Check for indicators of compromise — Review PAN-OS logs for unusual authentication attempts, unexpected configuration changes, or anomalous outbound connections from firewall management interfaces
  4. Restrict management access — Ensure firewall management interfaces are not accessible from the internet (a baseline security control that should always be in place)
  5. Monitor for patch release — Subscribe to Palo Alto security advisories and apply the patch immediately upon release

Indicators to investigate:

  • Unexpected processes running on the PAN-OS device
  • Configuration changes not initiated by known administrators
  • Connections from firewall management IPs to external hosts
  • Anomalous authentication events in the User-ID logs
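The following is an added example, not code from the article or from Palo Alto Networks, showing how a defender might run the four indicators above (plus the "trusted IP addresses only" check from mitigation Option 2) over exported firewall logs. The log layout, the admin names, the management IP (192.0.2.1), the trusted network (10.0.0.0/8) and the failure threshold are all constructed assumptions for this example; the real PAN-OS CSV log fields differ and a practitioner would map them into the parser first.

```python
import ipaddress
from collections import Counter, defaultdict
from dataclasses import dataclass

# Constructed sample log lines for this example. The field layout is a
# deliberate simplification and is NOT the real PAN-OS CSV log format:
# <type>,<timestamp>,<user>,<src_ip>,<dst_ip>,<detail>
SAMPLE_LOGS = """\
config,2026-05-06T08:01:10Z,admin-jane,10.0.5.20,-,set rulebase security rules allow-dns
config,2026-05-06T08:03:44Z,svc-unknown,203.0.113.45,-,set deviceconfig system permitted-ip any
auth,2026-05-06T08:04:02Z,-,203.0.113.45,192.0.2.1,authentication-portal login failure
auth,2026-05-06T08:04:03Z,-,203.0.113.45,192.0.2.1,authentication-portal login failure
auth,2026-05-06T08:04:05Z,-,203.0.113.45,192.0.2.1,authentication-portal login success
auth,2026-05-06T08:10:00Z,bob,10.0.7.31,192.0.2.1,authentication-portal login success
traffic,2026-05-06T08:05:30Z,-,192.0.2.1,198.51.100.77,outbound tcp/443 from mgmt
traffic,2026-05-06T08:06:00Z,-,192.0.2.1,10.0.9.9,syslog udp/514 from mgmt
"""

# Assumed environment values (constructed for the example, not from the article).
KNOWN_ADMINS = {"admin-jane", "admin-raj"}          # administrators allowed to change config
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # networks allowed to reach the portal
MGMT_IPS = {ipaddress.ip_address("192.0.2.1")}       # the firewall's management address
FAILURE_BURST_THRESHOLD = 2  # portal login failures from one source before flagging


@dataclass
class LogEvent:
    kind: str
    ts: str
    user: str
    src: str
    dst: str
    detail: str


def parse_logs(text: str) -> list[LogEvent]:
    """Parse the simplified CSV lines into LogEvent records, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(",", 5)
        if len(fields) != 6:
            continue  # malformed line: skip rather than abort the whole triage
        events.append(LogEvent(*fields))
    return events


def _in_trusted(ip_str: str) -> bool:
    """True if ip_str parses and falls inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def _is_mgmt(ip_str: str) -> bool:
    try:
        return ipaddress.ip_address(ip_str) in MGMT_IPS
    except ValueError:
        return False


def triage(events: list[LogEvent]) -> dict[str, list[str]]:
    """Return {indicator_name: [event summaries]} for the indicators in the article."""
    findings = defaultdict(list)
    failures = Counter()
    for ev in events:
        summary = f"{ev.ts} {ev.user} {ev.src}->{ev.dst} {ev.detail}"
        if ev.kind == "config" and ev.user not in KNOWN_ADMINS:
            # Configuration change not initiated by a known administrator
            findings["config_change_unknown_admin"].append(summary)
        elif ev.kind == "traffic" and _is_mgmt(ev.src) and not _in_trusted(ev.dst):
            # Connection from the management IP to a host outside trusted networks
            findings["mgmt_outbound_external"].append(summary)
        elif ev.kind == "auth":
            if not _in_trusted(ev.src):
                # Portal reached from a source the allowlist (Option 2) should have blocked
                findings["portal_auth_untrusted_source"].append(summary)
            if ev.detail.endswith("failure"):
                failures[ev.src] += 1
    for src, n in failures.items():
        if n >= FAILURE_BURST_THRESHOLD:
            # Repeated portal login failures from one source: anomalous auth activity
            findings["portal_auth_failure_burst"].append(f"{src}: {n} failures")
    return dict(findings)


if __name__ == "__main__":
    for name, hits in triage(parse_logs(SAMPLE_LOGS)).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

On the constructed sample this flags the configuration change by `svc-unknown`, the management-interface connection to 198.51.100.77, and the three portal events from 203.0.113.45 (two failures followed by a success), while the internal login by `bob` and the syslog connection to 10.0.9.9 stay quiet. The "unexpected processes" indicator is not covered because it comes from the device shell rather than from logs.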

References

  • BleepingComputer — Palo Alto Networks Warns of Actively Exploited Firewall Zero-Day
  • Palo Alto Networks Security Advisories
  • CISA Known Exploited Vulnerabilities Catalog