
THREAT LEVEL - HIGH
08-05-2026
High Level – New PAN-OS software Zero-Day Actively Exploited in the Wild
Threat Level Description
IthacaLabs has maintained the Threat Level (High) adding a new observation:
An attack is highly likely. Addressing the broad nature of the threat in order to reach an acceptable risk level requires additional and sustainable protective security measures, combined with specific business and geographical vulnerabilities and judgments.
Description
We have observed a new critical-severity zero-day vulnerability in Palo Alto Networks PAN-OS software that is actively exploited in the wild.
The vulnerability, tracked as CVE-2026-0300, is a critical buffer overflow in the User-ID Authentication Portal that allows remote attackers to execute arbitrary code with root privileges on the affected firewall, potentially resulting in complete system compromise. The flaw is especially severe because it can be exploited without valid credentials when the portal is exposed to the internet.
Our Advisory and Managed Services, including our Security Operations and Technology Resilience lines, can help safeguard your organization against such threats.
Through proactive monitoring, threat detection, and incident response, our services are designed to keep your systems secure, resilient, and prepared for evolving cyber risks. We advise all organizations to remain vigilant and regularly review their cybersecurity postures.
Affected Products:
- PAN-OS 10.2 (All versions)
- PAN-OS 11.0 (All versions)
- PAN-OS 11.1 (All versions)
Note: Only devices with the User-ID Authentication Portal enabled are at risk.
Recommendation(s)
You should apply all vendor-provided security patches immediately to mitigate the risks posed by this vulnerability.
Where patches are not yet available or cannot be applied right away, you should implement workarounds without delay to protect your environment.
- Restrict access to the User-ID Authentication Portal to only trusted internal network zones.
- Disable the User-ID Authentication Portal entirely if it is not a required business function.
- If the portal must remain internet-facing, ensure strict IP-based Access Control Lists (ACLs) are enforced.
- Apply available Threat Prevention signatures designed to detect buffer overflow patterns targeting PAN-OS management interfaces.
- Monitor system logs for unusual administrative logins, unauthorized configuration changes, or unexpected outbound traffic from management interfaces.
- Conduct threat hunting on firewall management logs to identify potential indicators of compromise from prior exploitation attempts.
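The monitoring and threat-hunting items above can be expressed as a small hunt over normalized management-log events. This is an added example, not part of the original advisory or any vendor tooling; the event schema, field names, addresses and allowlists are constructed assumptions and do not reflect PAN-OS's native log format.

```python
import ipaddress

# Assumption: networks allowed to administer the firewall (constructed values).
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.20.0.0/24")]
# Assumption: destinations the management interface legitimately contacts
# (update servers, syslog, NTP); constructed values.
MGMT_EGRESS_ALLOW = [ipaddress.ip_network("10.20.5.0/24")]

# Constructed sample events in a hypothetical normalized schema.
# Map your SIEM's field names onto these keys.
SAMPLE_EVENTS = [
    {"time": "2026-05-07T01:12:09Z", "type": "admin_login", "user": "admin", "src": "10.20.0.15"},
    {"time": "2026-05-07T03:40:51Z", "type": "admin_login", "user": "admin", "src": "203.0.113.77"},
    {"time": "2026-05-07T03:42:10Z", "type": "config_change", "user": "admin", "src": "203.0.113.77"},
    {"time": "2026-05-07T03:45:02Z", "type": "mgmt_egress", "dst": "198.51.100.23"},
    {"time": "2026-05-07T04:00:00Z", "type": "mgmt_egress", "dst": "10.20.5.10"},
    {"time": "2026-05-07T09:15:30Z", "type": "config_change", "user": "netops", "src": "10.20.0.22"},
]

def _in_any(addr, nets):
    """True if addr parses as an IP inside one of nets."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a missing or unparseable address is treated as untrusted
    return any(ip in net for net in nets)

def hunt(events, admin_nets=TRUSTED_ADMIN_NETS, egress_allow=MGMT_EGRESS_ALLOW):
    """Return (time, reason) findings for logins, config changes and egress."""
    findings = []
    for ev in events:
        kind, when = ev.get("type"), ev.get("time")
        if kind in ("admin_login", "config_change"):
            # Assumption: admin activity from outside the trusted networks
            # is what counts as "unusual" or "unauthorized" here.
            if not _in_any(ev.get("src", ""), admin_nets):
                findings.append((when, f"{kind} by {ev.get('user')} from untrusted {ev.get('src')}"))
        elif kind == "mgmt_egress":
            if not _in_any(ev.get("dst", ""), egress_allow):
                findings.append((when, f"management interface connected out to {ev.get('dst')}"))
    return findings

if __name__ == "__main__":
    for when, reason in hunt(SAMPLE_EVENTS):
        print(when, reason)
```

Replace the two allowlists with your own administrative and management-egress ranges before running it over exported events.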
You should understand the importance of applying security updates with urgency, regardless of organizational size. Implementing an effective patch management strategy, enabling comprehensive event logging, and actively monitoring security events are critical to protecting business-critical assets. A comprehensive risk management approach should include regular penetration testing, at least annually and after significant system changes, to ensure continued compliance with security best practices and industry regulations.
References:
Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution



