Palo Alto Networks firewall zero-day exploited for nearly a month

Key Points:

• Palo Alto Networks has alerted customers about a critical zero-day vulnerability (CVE-2026-0300) in its PAN-OS firewall User-ID Authentication Portal, exploited by suspected state-sponsored hackers for nearly a month to gain root-level remote code execution.
• The attackers have used this exploit to deploy tunneling tools Earthworm and ReverseSocks5, enabling covert network communication and firewall/NAT bypass, with Earthworm previously linked to Chinese-speaking threat groups.
• Over 5,400 vulnerable PAN-OS VM-series firewalls are exposed online, primarily in Asia and North America, increasing the risk of exploitation until patches are released, expected starting May 13, 2026.
• Palo Alto Networks recommends restricting access to the User-ID Authentication Portal to trusted zones or disabling it entirely to mitigate risk, while the U.S. CISA has added the vulnerability to its Known Exploited Vulnerabilities Catalog and mandated federal agencies to secure systems by May 9.
• This incident reflects a growing trend of threat actors targeting edge network devices, which often have weaker security controls compared to endpoints.