Palo Alto Zero-Day Gives State-Backed Hackers Root Access Before Patch

Palo Alto Networks says state-backed hackers are exploiting an unpatched PAN-OS zero-day to gain root access on internet-exposed firewalls now.

A critical PAN-OS flaw is already being used by state-backed hackers before Palo Alto Networks has shipped a fix, The Register reported. The vulnerability, tracked as CVE-2026-0300, lets attackers remotely run code as root on exposed PA-Series and VM-Series firewalls when the affected Captive Portal feature is reachable from the internet.

The Register said Palo Alto assigned the bug a 9.3 CVSS severity score and tied it to memory corruption in the User-ID Authentication Portal, which handles logins for users the firewall cannot automatically identify. According to the same report, Palo Alto’s Unit 42 threat team linked the exploitation to likely state-sponsored activity tracked as CL-STA-1132, a designation that signals a coordinated campaign rather than casual scanning.

The attack chain matters because these devices often sit at the edge of corporate networks, where a firewall compromise can become an entry point into everything behind it. The Register reported that the attackers injected shellcode into an nginx worker process, achieved remote code execution around mid-April after earlier failed attempts on April 9, then deleted logs and crash reports tied to the compromise. The attackers later used the access to probe deeper into victim environments, including Active Directory systems, while continuing to remove traces.

The campaign also escalated on April 29, when the attackers generated enough authentication traffic to push a secondary firewall into internet-facing service, then compromised that device too, The Register reported. The U.S. Cybersecurity and Infrastructure Security Agency has already added the flaw to its Known Exploited Vulnerabilities catalog, according to the report, but customers still have no patch to apply. That makes the advisory unusually awkward for security teams: the issue is public, active exploitation is confirmed, and the normal answer is not yet available.
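One detection angle the report suggests is the authentication surge itself. The script below is an added example, not code from The Register or Palo Alto Networks: it runs a per-source sliding-window counter over authentication-portal log lines and raises an alert the first time a single source exceeds a threshold within the window. The `auth-portal src=... user=... result=...` line format and the IP addresses are constructed for the example and do not reflect the real PAN-OS log schema; a defender would swap in the field names of the actual authentication log they collect.

```python
"""Flag sources that hammer a firewall's authentication portal.

Added example. The log line format below is constructed for illustration
and is not the real PAN-OS authentication log schema; adapt LINE_RE to the
fields your firewall actually emits.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> auth-portal src=<ip> user=<name> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth-portal src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>ok|fail)$"
)

# Constructed sample input: one legitimate user and one source bursting
# six attempts in a few seconds. Lines are assumed to be in time order.
SAMPLE_LOG = """\
2026-04-29T10:00:00 auth-portal src=203.0.113.7 user=alice result=ok
2026-04-29T10:00:03 auth-portal src=198.51.100.9 user=guest result=fail
2026-04-29T10:00:04 auth-portal src=198.51.100.9 user=guest result=fail
2026-04-29T10:00:04 auth-portal src=198.51.100.9 user=test result=fail
2026-04-29T10:00:05 auth-portal src=198.51.100.9 user=admin result=fail
2026-04-29T10:00:06 auth-portal src=198.51.100.9 user=guest result=fail
2026-04-29T10:00:07 auth-portal src=198.51.100.9 user=guest result=fail
2026-04-29T10:02:30 auth-portal src=203.0.113.7 user=alice result=ok
this line is not an auth-portal event and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "src": m.group("src"),
        "user": m.group("user"),
        "result": m.group("result"),
    }


def detect_bursts(lines, threshold=5, window_seconds=60):
    """Alert once per source when it logs >= threshold attempts in the window.

    Keeps a deque of recent timestamps per source; old entries are evicted
    as each new event arrives, so memory stays bounded by the window.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["src"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ev["src"] not in alerted:
            alerted.add(ev["src"])
            alerts.append({
                "src": ev["src"],
                "count": len(q),
                "first": q[0].isoformat(),
                "last": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bursts(SAMPLE_LOG.splitlines()):
        print(f"burst from {a['src']}: {a['count']} attempts between "
              f"{a['first']} and {a['last']}")
```

The threshold and window are deliberately conservative defaults; tune them against a baseline of normal portal traffic, and treat a burst that is followed by a gap in logs or missing crash reports from the same device as a higher-priority signal, since the report describes exactly that sequence.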

The warning lands after a string of high-profile attacks on security appliances, which have become favored targets because they are trusted, exposed, and frequently connected to sensitive management networks. The Register noted that Palo Alto firewalls have faced repeated attention from attackers over the past two years, a pattern that mirrors broader pressure on VPNs, firewalls, and remote access systems across the industry.

Until Palo Alto releases a fix, the practical defense is narrower exposure rather than normal patch management. The Register said Palo Alto is urging customers to restrict the User-ID Authentication Portal to trusted networks or disable it entirely, a blunt workaround for a bug that turns perimeter firewalls into a direct path toward internal systems.
