Palo Alto Networks Warns of Actively Exploited Critical PAN-OS Vulnerability Enabling Remote Code Execution
Palo Alto Networks has issued an emergency advisory warning of a critical buffer overflow flaw in its PAN-OS firewall operating system that threat actors are actively exploiting in the wild. The vulnerability, tracked as CVE-2026-0300, allows unauthenticated remote code execution and carries a CVSS score of 9.3, placing it firmly in critical territory. The exposure is most acute for organizations that have configured the User-ID Authentication Portal to permit access from the internet, a configuration that dramatically expands the attack surface available to adversaries.
Security researchers have confirmed that exploitation in real-world environments is underway, suggesting that the vulnerability has moved beyond theoretical proof-of-concept into active campaigns. The buffer overflow in PAN-OS lets an unauthenticated attacker execute arbitrary code at root level, effectively granting full system compromise. Palo Alto Networks has released patches addressing the flaw, and organizations running affected PAN-OS versions are urged to update immediately, particularly those with management interfaces or authentication portals exposed to external networks.
The active exploitation of this vulnerability signals heightened risk for enterprise networks relying on Palo Alto firewall infrastructure for perimeter defense. Threat actors who achieve remote code execution at root level on a firewall effectively gain the ability to intercept, modify, or block network traffic traversing that checkpoint. Security teams should audit their PAN-OS deployments for internet-facing management or User-ID components, apply available patches without delay, and monitor for indicators of compromise associated with this flaw.