Palo Alto's third edge zero-day in two years rhymes with the first two
CISA's federal deadline for CVE-2026-0300 landed four days before a patch existed. The deadline is not the story. The third PAN-OS portal zero-day in under two years is.
The federal mandate said patch CVE-2026-0300 by May 9. The patch shipped May 13. For four days, every agency under the CISA order was bound to a deadline it physically could not meet, because the only thing Palo Alto had published was a workaround. The catalog math is hard to argue with: KEV listing on May 6, three-day deadline, first fixed builds on May 13. Agencies on day one had exactly one move, and it wasn’t patching.
The obvious read
Treated as a single event, this looks like a familiar bad week. An unauthenticated root RCE in a security appliance, scored 9.8 (CVSS v3.1) by NVD and 9.3 under Palo Alto’s CVSS v4.0 reading, exploited in the wild before the vendor said a word. CISA flags it, the press runs the “actively exploited firewall zero-day” headline, and the assignment lands on whoever owns the perimeter. Find the affected firewalls, apply the fix, close the ticket. The version table is long but the instruction is short.
That read is correct and it is also the least interesting thing about CVE-2026-0300. The version strings will change next quarter. What won’t change is the shape.
The pattern
This is the third major PAN-OS edge-surface zero-day exploited in the wild in under two years, and the three of them rhyme closely enough that you could mistake one advisory for another with the identifiers filed off.
CVE-2024-3400 (April 2024) was an unauthenticated command injection in the GlobalProtect portal, exploited before a patch existed, shipped with a Threat Prevention signature caveat and an initial “disable telemetry” mitigation that Palo Alto later walked back as ineffective. Seven months later, CVE-2024-0012 (November 2024), an authentication bypass on the management web interface, was chained with the CVE-2024-9474 privilege escalation. Same plot: unauthenticated entry on an internet-reachable surface, exploited ahead of the fix. Now CVE-2026-0300: an out-of-bounds write in the User-ID Authentication Portal, served by an nginx worker that runs as root, so the first unauthenticated request is already code execution as root.
Three different features: GlobalProtect, the management web interface, and the Authentication Portal (the feature PAN-OS used to call Captive Portal). Three different bug classes: command injection, authentication bypass, and memory corruption (an out-of-bounds write). One constant: each lived on a web surface that PAN-OS exposes to untrusted networks by design, and each was found by an attacker before it was found by the vendor. The bug class keeps changing, which rules out “they just need to fix their input validation.” The exposed surface does not. That’s the tell. When the specific defect rotates but the attack surface holds steady, you’re not looking at a string of unlucky bugs. You’re looking at a category of exposure that keeps producing them.
And it isn’t only Palo Alto. The same plot has run at Ivanti Connect Secure, Fortinet SSL-VPN, and Citrix NetScaler. Edge security appliances have become a reliable source of pre-auth zero-days across the vendor field, which means the lesson generalizes past any one logo.
The evidence
The timeline on CVE-2026-0300 is the part worth sitting with, because it shows how little the patch cadence has to do with the exposure window.
Unit 42 documented portal probing as early as April 9, 2026 and confirmed root-level RCE by April 16, roughly three weeks before the May 6 advisory. The activity is attributed to a cluster Unit 42 tracks as CL-STA-1132, characterized as “likely state-sponsored” with no named country and no government attribution behind it. That hedge is worth preserving rather than rounding up; the public victim picture is only “limited,” with no count, sector, or geography disclosed. Post-exploitation was a quiet, anti-forensic operation built for persistence rather than smash-and-grab, which is its own argument for assuming a rooted box stays rooted after you patch it.
| Date | Event |
|---|---|
| Apr 9, 2026 | Portal probing observed |
| Apr 16, 2026 | Root RCE confirmed in the wild |
| May 6, 2026 | Palo Alto advisory + CISA KEV listing |
| May 9, 2026 | Federal patch-by deadline |
| May 13, 2026 | First fixed builds ship |
| May 28, 2026 | Second patch wave |
For an internet-facing portal, that’s an exposure window running from April 9 to whenever the May 13-or-later hotfix landed: at least 34 days, close to five weeks, and longer for any branch that had to wait for the May 28 wave. Most of that window passed before anyone defending the box knew there was a box to defend.
One detail keeps this from being “every Palo Alto firewall,” and it’s the same detail that decides your priority. The bug is only externally reachable when two configuration conditions both hold: the Authentication Portal is enabled, and an Interface Management Profile with Response Pages is applied to an L3 interface in an untrusted-facing zone. The portal is a non-default feature, most common in higher-ed, hospitality, and large enterprise LANs that need to map identity to guest and unmanaged devices. Where the portal is enabled but reachable only from trusted zones, Palo Alto drops the score to 8.7. Exposure here is a configuration fact, not a product fact.
A few things stay genuinely unconfirmed. No public proof-of-concept has surfaced in any source reviewed, though a capable actor clearly had a working exploit in April, so the absence of a PoC buys defenders very little. The May 9 KEV deadline is corroborated by The Hacker News and Arctic Wolf, but the raw CISA catalog page returned a 403 during research and could not be read directly. The CVSS split between v4.0 and v3.1 is a scoring-methodology artifact, not a disagreement between sources.
What this means for prioritization
If you own patch priority, the version table is the easy half. The configuration audit is the half that decides urgency, and it’s the half a generic “critical PAN-OS RCE” alert won’t do for you.
Run the three-question check before you rank this against everything else competing for the change window. Is the firewall a PA-Series or VM-Series box on an affected train (Panorama, Cloud NGFW, and Prisma Access are not impacted)? Is the Authentication Portal enabled? Are Response Pages live on an external-facing L3 interface? Three yeses is a critical, exposed, internet-reachable root RCE, and it jumps the queue. A yes on the train but a no on the portal config is a real fix you can schedule into a normal window rather than a fire drill. That distinction is the entire prioritization decision, and it lives in your config, not in the CVSS number.
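The two configuration questions can be answered from a config export rather than by clicking through every firewall. The script below is an added example written for this note, not Palo Alto tooling and not from the advisory: it parses a PAN-OS running-config XML and reports whether the Authentication Portal is enabled and which L3 interfaces in untrusted zones carry an Interface Management Profile with Response Pages. The XML paths (`enable-captive-portal`, `interface-management-profile`, `response-pages`, the zone membership tree) are assumptions about the PAN-OS config schema and should be checked against an export from your own box; the set of untrusted zone names is supplied by the operator; the embedded config is constructed for the example. The "affected train" question is left to the advisory's version table.

```python
"""Config-level exposure check for CVE-2026-0300 (added example, not vendor code).

Answers two of the three triage questions from a PAN-OS config export:
  1. Is the Authentication Portal enabled?
  2. Is a management profile with Response Pages applied to an L3 interface
     that sits in an untrusted-facing zone?
XML paths below are assumptions about the PAN-OS schema; verify locally.
"""
import xml.etree.ElementTree as ET

# Constructed sample config: portal on, a profile WITH response pages on the
# internet-facing interface, a profile WITHOUT them on the LAN interface.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles><interface-management-profile>
        <entry name="allow-ping-only"><ping>yes</ping><response-pages>no</response-pages></entry>
        <entry name="portal-pages"><ping>yes</ping><response-pages>yes</response-pages></entry>
      </interface-management-profile></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3><interface-management-profile>portal-pages</interface-management-profile></layer3></entry>
        <entry name="ethernet1/2"><layer3><interface-management-profile>allow-ping-only</interface-management-profile></layer3></entry>
        <entry name="ethernet1/3"><layer3/></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1">
      <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
      <zone>
        <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
        <entry name="trust"><network><layer3><member>ethernet1/2</member><member>ethernet1/3</member></layer3></network></entry>
      </zone>
    </entry></vsys>
  </entry></devices>
</config>"""


def _yes(node):
    return node is not None and (node.text or "").strip().lower() == "yes"


def portal_enabled(root):
    # The Authentication Portal still lives under "captive-portal" in the tree (assumed).
    return any(_yes(n) for n in root.iter("enable-captive-portal"))


def profiles_with_response_pages(root):
    # Names of Interface Management Profiles that have Response Pages turned on.
    return {
        p.get("name")
        for p in root.findall(".//interface-management-profile/entry")
        if _yes(p.find("response-pages"))
    }


def l3_interface_profiles(root):
    # Map each L3 interface (ethernet, aggregate, vlan, ...) to its applied profile or None.
    out = {}
    for iface in root.findall(".//interface/*/entry"):
        l3 = iface.find("layer3")
        if l3 is None:
            continue
        prof = l3.find("interface-management-profile")
        out[iface.get("name")] = (prof.text or "").strip() if prof is not None else None
    return out


def zone_members(root):
    # Map interface name -> zone name for L3 zones (assumed path).
    return {
        (m.text or "").strip(): z.get("name")
        for z in root.findall(".//zone/entry")
        for m in z.findall("./network/layer3/member")
    }


def audit(config_xml, untrusted_zones):
    """Return portal state, exposed interfaces and a priority verdict."""
    root = ET.fromstring(config_xml)
    enabled = portal_enabled(root)
    rp_profiles = profiles_with_response_pages(root)
    zones = zone_members(root)
    exposed = sorted(
        name for name, prof in l3_interface_profiles(root).items()
        if prof in rp_profiles and zones.get(name) in untrusted_zones
    )
    if enabled and exposed:
        verdict = "critical-exposed"      # both conditions hold: jumps the queue
    elif enabled:
        verdict = "portal-trusted-only"   # reachable only from trusted zones
    else:
        verdict = "not-exposed"           # still patch, but in a normal window
    return {"portal_enabled": enabled, "exposed_interfaces": exposed, "verdict": verdict}


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG, untrusted_zones={"untrust"}))
```

Feed it the XML you get from a config export and the names of the zones that face the internet or other untrusted networks; `critical-exposed` is the fire-drill case from the text, `portal-trusted-only` is the lower-scored case, and `not-exposed` means the fix goes into a normal change window. Subinterfaces and profiles applied in ways the assumed paths miss will not be seen, so treat a clean result as a reason to look, not a reason to stop.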
Two operational notes shape the sequence. The signature backstop is uneven: the Threat Prevention coverage exists only on PAN-OS 11.1 and up, so 10.2 customers have no detection cushion while they stage the upgrade and should weight the workaround harder. And if the portal was internet-reachable during the April-to-May window, patching is necessary but not sufficient. The observed tradecraft included tunnels and planted credentials that survive an update, so an exposed box gets a compromise assessment, not just a version bump. Unit 42 published the IOCs for that work.
The shops that come out of this calmly are the ones who already had a deny-from-internet-by-default policy on their management and portal surfaces. They bought themselves days. The shops racing the clock are the ones who treated the firewall’s own web surfaces as trusted infrastructure rather than as attack surface every bit as exposed as the assets behind them.
What to watch
The pattern predicts the next one. If a fourth PAN-OS pre-auth zero-day lands on another internet-reachable web feature within the next year, “unlucky bug” stops being a defensible reading and “this surface needs to not face the internet” becomes the only one left. Worth tracking too: whether the May 28 second wave actually covered every sustaining 10.2 branch, since our research could not confirm full coverage and the advisory table is the place to check.
The reframe is simple. Stop treating these as firewall bugs and start treating the firewall’s own portals and consoles as internet-facing applications, because that’s what they are and that’s how they keep getting popped. The CVE number changes every few months. The exposed surface is the thing to fix once.
That’s the read we bring to every edge-appliance advisory in PatchDay Alert: not just the score and the fixed build, but the configuration that decides whether it’s your emergency or someone else’s, and where today’s bug sits in the pattern.
Sources
- Known Exploited Vulnerabilities Catalog — 2026-05-06
- Palo Alto PAN-OS Flaw Under Active Exploitation — 2026-05-06
- CVE-2026-0300 — NVD — 2026-05
- CVE-2026-0300 advisory — 2026-05-06
- CVE-2024-3400 advisory — 2024-04
- CVE-2024-0012 — NVD — 2024-11
- Threat Brief: PAN-OS Captive Portal Zero-Day — 2026-05
- ETR: Critical Buffer Overflow in PAN-OS User-ID Authentication Portal — 2026-05
- CVE-2026-0300 — Critical Buffer Overflow in PAN-OS — 2026-05-07