
CVE-2026-0300 in Palo Alto Networks PAN-OS: Actively Exploited Zero-Day RCE Added to CISA KEV

📅 May 07, 2026 🔴 Exploit Risk: 0.200 📊 Intelligence Score: 68/100 📰 3 sources synthesized

Intelligence Metadata

First Reported By: thehackernews.com
Outbreak Velocity: 999 minutes spread to 3 domains
Consensus: 3 sources across 3 unique domains
CVSS Score: Not available
EPSS Score: Not available
CISA KEV Status: Confirmed
Exploit Risk Score: 0.200
Race Label: ZERO-DAY RACE

Technical Analysis

CVE-2026-0300 is an unauthenticated remote code execution vulnerability in the Captive Portal component of Palo Alto Networks PAN-OS. The attack vector allows a remote, unauthenticated attacker to execute arbitrary code on the firewall appliance. This suggests a flaw in the handling of web requests to the Captive Portal interface, enabling an attacker to bypass authentication and gain control over the underlying operating system.

The preconditions for exploitation are an exposed PAN-OS management interface with the Captive Portal feature enabled. As a network security appliance, a compromise of this nature provides an attacker with a critical ingress point to the protected network, facilitating lateral movement and further attacks. The vendor's own threat intelligence unit, Unit 42, has confirmed the exploitation, lending high confidence to the technical details and severity of the threat.

Affected Systems

Vendor: Palo Alto Networks
Affected Versions:
  • PAN-OS
Exposure: Publicly facing firewalls with the Captive Portal feature enabled.
Blast Radius: High. Successful exploitation results in a complete compromise of the network security appliance, providing a pivot point for ingress into the internal network.

Intelligence Context

The most critical intelligence signal for CVE-2026-0300 is its addition to the CISA KEV catalog on 2026-05-06. This status, indicating confirmed active exploitation, overrides the absence of CVSS and EPSS scores and mandates immediate action for federal agencies. For all other organizations, the KEV listing serves as the strongest possible prioritization signal. The 'ZERO-DAY RACE' label accurately reflects that attackers were exploiting this vulnerability before a patch was available. The consensus across security journalism and the vendor's own advisory confirms the threat is real and ongoing. Defenders must treat this as their highest patching priority.

Remediation & Defense

Patch immediately. This is a CISA KEV-listed, actively exploited, unauthenticated RCE zero-day. Investigate exposed systems for signs of compromise.
Patch Status: Available
Patch Version: Refer to the Palo Alto Networks security advisory for specific patched versions and mitigation guidance.
Workarounds:
  • If patching is not immediately possible, consider disabling the Captive Portal feature on internet-facing interfaces as a temporary mitigation. Verify this workaround with the official vendor advisory.
Detection Hints:
  • Monitor firewall logs for unusual or malformed requests to the Captive Portal URL.
  • Review network traffic for unexpected outbound connections originating from the firewall's management interface.
