CRITICAL · Cyber Intelligence · Wednesday, May 6, 2026

Palo Alto Networks Confirms Zero-Day Exploit in Firewall Software

CVE-2026-0300 affects the Captive Portal service in PAN-OS on PA-Series and VM-Series firewalls currently deployed in enterprise networks.

Palo Alto Networks has disclosed that attackers are actively exploiting a zero-day vulnerability in its firewall software. The flaw, tracked as CVE-2026-0300, resides in the Captive Portal service of PAN-OS and affects both PA-Series hardware appliances and VM-Series virtual firewalls.

The Captive Portal feature is commonly used to authenticate users on guest networks before granting broader network access. Exploitation of this vulnerability allows attackers to compromise firewall devices that form the perimeter defense of corporate and government networks. The company has confirmed active exploitation but has not yet released technical details about the attack vector or the scope of compromised systems.

Palo Alto Networks has announced that a patch is forthcoming but has not provided a specific release date. Organizations running affected firewall models should monitor vendor advisories closely and prepare to deploy updates immediately upon release. In the interim, disabling the Captive Portal service where not operationally necessary may reduce exposure, though this mitigation may not be feasible for all deployments.

Implications
  1. Enterprises using PA-Series or VM-Series firewalls face immediate risk of perimeter compromise.
  2. Security teams must prepare rapid patch deployment and audit firewall configurations for signs of exploitation.
  3. Organizations may need to disable Captive Portal services temporarily, affecting guest network operations.
  4. Incident response teams should review firewall logs for indicators of unauthorized access or configuration tampering.
Source
SecurityWeek
https://www.securityweek.com/palo-alto-networks-to-patch-zero-day-exploited-to-hack-firewalls/
Brief is editorial commentary by Atlas Intelligence based on the cited public reporting. Atlas does not reproduce source text. Verify primary source before action.