Federal agencies have until May 9, 2026, to shut down a firewall feature that attackers are already using to seize full control of Palo Alto Networks devices. The problem: the company’s own patch is not expected for days after that deadline, leaving thousands of organizations to fend for themselves with manual workarounds while a confirmed zero-day remains wide open.
The vulnerability, tracked as CVE-2026-0300, is a buffer overflow in PAN-OS, the operating system that runs Palo Alto Networks’ firewall appliances. It affects the User-ID Authentication Portal and Captive Portal features, and it lets an unauthenticated remote attacker execute code with root privileges: no credentials, no prior foothold. In practical terms, anyone who can reach the portal over the network can own the firewall, and a compromised firewall sits in the path of everything behind it.
What the government advisories confirm
Two independent government-affiliated sources have validated the threat. The CERT-EU security advisory confirms the technical nature of the flaw, rates it as critical, and states that “limited exploitation” has already been observed in the wild. It does not name the targeted sectors or regions.
Separately, CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog on May 6, 2026, according to the National Vulnerability Database record. That listing triggers a binding remediation deadline for civilian executive-branch agencies: May 9, just three days later. The required action is not a patch (none exists) but a workaround: restrict or disable the User-ID Authentication Portal entirely.
A three-day window is unusually aggressive, even by CISA’s standards. It signals that the agency views the combination of unauthenticated access, root-level execution, and confirmed in-the-wild exploitation as an immediate, not theoretical, danger.
The patch gap that forces hard choices
The central tension for defenders is timing. CERT-EU’s advisory acknowledged that no vendor patches were available at the time of publication and recommended applying fixes “as soon as they are released.” The NVD record echoes that framing, describing current remediation as workarounds pending vendor updates. A May 13 patch date has circulated among security teams, but as of this writing, Palo Alto Networks has not published a formal advisory confirming that timeline. The company did not respond to a request for comment.
That leaves organizations in a bind. Disabling the User-ID Authentication Portal is the safest move, but it is not painless. The portal is one of the mechanisms User-ID uses to tie traffic to a user: when passive mapping sources cannot identify who is behind an IP address, the firewall redirects the user to the portal to authenticate, and the resulting mapping feeds user- and group-based policy. Shutting it down means traffic from those unmapped sources stays anonymous, so identity-based rules stop matching it and sessions fall through to whatever address-based rules remain; depending on how policy is written, that either blocks legitimate users or quietly widens access. It also degrades visibility into who is doing what on the network and forces security teams to rework access controls on short notice. For enterprises that rely on identity-based segmentation, the workaround trades one category of risk for another.
The Captive Portal carries the same exposure. It is the name earlier PAN-OS releases use for the same authentication portal feature, so fleets running a mix of versions need to check under both names, and it is commonly used for guest and BYOD authentication. Disabling it may strand guest users or push administrators toward temporary open-network configurations that introduce their own security gaps.
Some teams will try to split the difference by restricting portal access rather than killing it outright: limiting exposure to internal networks, enforcing strict IP allowlists, or placing portals behind VPN tunnels. Those steps shrink the attack surface but do not eliminate it. Any reachable instance of the vulnerable feature remains exploitable, and in environments with complex routing and overlapping trust zones, proving true isolation is harder than it sounds.
What we still do not know
Several gaps in the public record make threat modeling difficult. Neither CERT-EU nor the NVD entry specifies which PAN-OS versions carry the flaw. Without a vendor advisory listing affected releases and hardware platforms, administrators cannot confidently determine which devices in their fleet need the workaround and which might already be safe.
The scope of exploitation is equally murky. “Limited” is the only descriptor CERT-EU offers. No public source has identified the attackers, their objectives, or whether the activity looks like opportunistic scanning or targeted, state-sponsored intrusion. No threat intelligence firms, including those that have historically been first to publish on PAN-OS exploitation (Volexity played that role during the CVE-2024-3400 zero-day in April 2024), have released public indicators of compromise for this vulnerability as of early May 2026.
The CVE-2024-3400 comparison is worth noting. That flaw, a command injection in PAN-OS’s GlobalProtect feature that likewise allowed unauthenticated remote code execution, was exploited by a suspected state-backed group for weeks before a patch shipped. It ultimately affected an estimated 82,000 internet-facing devices, according to the Shadowserver Foundation’s scans at the time. Whether CVE-2026-0300 has a similarly broad exposure footprint is unknown; no public Shodan or Censys analysis has surfaced yet.
Palo Alto Networks’ silence is itself a data point. The absence of a formal security bulletin with affected version matrices, indicators of compromise, and a confirmed patch schedule suggests the company is still developing its response, or that its advisory has not yet been indexed by the databases defenders rely on. Either way, organizations are currently planning around government advisories and inference rather than vendor guidance.
What defenders should do right now
With no fix available, the playbook comes down to three priorities: reduce exposure, sharpen monitoring, and prepare for rapid patching the moment updates arrive.
Reduce exposure. Identify every instance of the User-ID Authentication Portal and Captive Portal across the environment. For any portal reachable from the internet or from lower-trust network segments, full shutdown is the most defensible option. If business requirements make that impossible, restrict access to the narrowest possible set of source IPs and place the portal behind VPN or zero-trust access controls.
Sharpen monitoring. Assume exploitation attempts are already underway. Even without vendor-provided indicators, defenders can watch for unusual access patterns on portal endpoints, unexpected configuration changes on firewalls, anomalous processes running on PAN-OS devices, and new outbound connections originating from the appliances themselves. Any of those signals warrants immediate investigation.
Prepare for rapid patching. Document every temporary workaround so changes can be reversed cleanly when fixes ship. Stage maintenance windows, test update procedures in lab environments where possible, and verify that backup and rollback mechanisms are solid. Organizations that have already mapped their exposure and stabilized interim controls will move fastest when the vendor finally delivers.
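The first two priorities above, reducing exposure and sharpening monitoring, can be turned into a repeatable check rather than a one-off review. The script below is an added example written for this article; it is not code from Palo Alto Networks or from any advisory. It works offline against an inventory and a log extract the defender supplies. The firewall names, addresses, allowlists and log lines are constructed samples, the log format is a simplified one invented for the example (not PAN-OS’s native log schema), and the portal port 6082 is assumed: confirm which ports your own portals actually listen on.

```python
"""Triage helpers for an unpatched portal exposure (added example, not vendor code).

exposure_report():  classify each portal by who can reach it, so the ones
                    reachable from public address space are shut down first.
flag_suspicious():  scan traffic records for portal hits from sources outside
                    the allowlist and for connections the appliance itself
                    originates to destinations outside its known baseline.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

PRIVATE_SPACE = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Portal:
    device: str                 # hypothetical firewall name
    address: str                # address the portal answers on
    port: int                   # listening port (6082 is an assumption for the sample)
    allowed_sources: List[str]  # CIDR allowlist; empty means unrestricted


# Constructed inventory, not a real fleet.
PORTALS = [
    Portal("fw-edge-1", "198.51.100.10", 6082, []),                            # unrestricted
    Portal("fw-edge-2", "198.51.100.20", 6082, ["203.0.113.0/24"]),            # allowlisted, but to a public range
    Portal("fw-core-1", "10.20.0.1", 6082, ["10.20.0.0/16", "10.30.0.0/16"]),  # internal sources only
]


def _inside_private_space(net: ipaddress.IPv4Network) -> bool:
    return any(net.subnet_of(p) for p in PRIVATE_SPACE)


def exposure_report(portals: List[Portal]) -> Dict[str, str]:
    """'shut-down' if any permitted source is public (or nothing is restricted);
    'restrict' if only private ranges can reach it. Internal reachability is
    still exploitable, so 'restrict' means tighten and monitor, not ignore."""
    report = {}
    for p in portals:
        sources = [ipaddress.ip_network(s) for s in p.allowed_sources] \
            or [ipaddress.ip_network("0.0.0.0/0")]
        public = [s for s in sources if not _inside_private_space(s)]
        report[p.device] = "shut-down" if public else "restrict"
    return report


# Constructed traffic records in a simplified CSV format invented for this
# example. This is NOT PAN-OS's log schema; map your real export onto it.
SAMPLE_LOGS = """\
device,timestamp,src,dst,dport,direction
fw-core-1,2026-05-07T02:14:05Z,10.20.4.17,10.20.0.1,6082,inbound
fw-core-1,2026-05-07T02:14:09Z,10.99.7.3,10.20.0.1,6082,inbound
fw-edge-1,2026-05-07T02:15:10Z,203.0.113.45,198.51.100.10,6082,inbound
fw-edge-1,2026-05-07T02:15:12Z,203.0.113.45,198.51.100.10,6082,inbound
fw-edge-1,2026-05-07T02:16:00Z,198.51.100.10,203.0.113.99,443,outbound
fw-edge-1,2026-05-07T02:16:30Z,198.51.100.10,10.20.0.53,53,outbound
"""

# Destinations the appliance itself legitimately contacts (constructed
# baseline: an internal DNS server). Anything else it originates is suspect.
APPLIANCE_BASELINE = {"10.20.0.53"}


def flag_suspicious(log_text: str, portals: List[Portal]) -> List[Dict[str, str]]:
    by_device = {p.device: p for p in portals}
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        portal = by_device.get(row["device"])
        if portal is None:
            continue
        src = ipaddress.ip_address(row["src"])
        hits_portal = (row["direction"] == "inbound"
                       and row["dst"] == portal.address
                       and int(row["dport"]) == portal.port)
        if hits_portal:
            # An empty allowlist sanctions nothing: every hit on an
            # unrestricted portal is reported, since it should not be up at all.
            allowed = [ipaddress.ip_network(s) for s in portal.allowed_sources]
            if not any(src in n for n in allowed):
                findings.append({"device": row["device"], "timestamp": row["timestamp"],
                                 "src": row["src"], "reason": "portal-hit-outside-allowlist"})
        elif (row["direction"] == "outbound" and row["src"] == portal.address
              and row["dst"] not in APPLIANCE_BASELINE):
            findings.append({"device": row["device"], "timestamp": row["timestamp"],
                             "src": row["src"], "dst": row["dst"],
                             "reason": "appliance-originated-outbound"})
    return findings


if __name__ == "__main__":
    for device, verdict in exposure_report(PORTALS).items():
        print(f"{device}: {verdict}")
    for f in flag_suspicious(SAMPLE_LOGS, PORTALS):
        print(f)
```

On the constructed sample, both edge firewalls come back as shut-down candidates (one has no allowlist, the other admits a public range), the core firewall is restrict-only, and the log scan raises four findings: one internal source outside fw-core-1’s allowlist, two hits on the unrestricted fw-edge-1 portal, and one connection the fw-edge-1 appliance itself opened to an unknown public host on 443. That last pattern, the firewall calling out rather than being called, is the one to escalate first, since a root-level compromise of the appliance is what the vulnerability delivers.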
Why the patch gap around CVE-2026-0300 matters more than usual
Firewall zero-days are not new, and Palo Alto Networks has weathered them before. But CVE-2026-0300 arrives at a moment when network perimeter devices are under sustained, organized attack. CISA has spent the past two years warning that edge appliances (firewalls, VPN gateways, and load balancers) are the preferred entry point for sophisticated threat actors precisely because they sit outside the reach of endpoint detection tools.
The patch gap makes this instance sharper than most. A binding federal deadline that expires before the vendor can deliver a fix is an unusual and uncomfortable situation, one that underscores how much defensive planning still depends on vendor responsiveness. Until Palo Alto Networks publishes its advisory and ships updates, every exposed portal should be treated as a potential foothold, and the short-term disruption of shutting it down is a price worth paying.
*This article was researched with the help of AI, with human editors creating the final content.