Palo Alto Networks has confirmed that a maximum-severity flaw in its PAN-OS firewall software is being exploited in the wild. Tracked as CVE-2026-0300, the bug carries a CVSS score of 9.3 and lets an unauthenticated attacker run code with root privileges on PA-Series and VM-Series firewalls by sending crafted packets to the User-ID Authentication Portal (the “Captive Portal”), as reported by The Hacker News. The flaw has already been added to CISA’s Known Exploited Vulnerabilities catalogue.

Here’s why this one matters: your firewall is the front door to your whole network. If an attacker gets root on it, they don’t just slip past your defences — they are your defences. The good news is the risk is concentrated. Only PA-Series and VM-Series firewalls with the User-ID Authentication Portal exposed to the internet are in the firing line, and Cloud NGFW and Panorama aren’t affected. But plenty of Australian SMBs run exactly this setup without realising the portal is publicly reachable.

What to do, in order. Patch now — Palo Alto began shipping fixed PAN-OS builds on 13 May, so updates are available for every supported release. If you genuinely can’t patch today, restrict the Authentication Portal to trusted internal IP ranges or disable it entirely until you can. Then check your firewall logs for logins from unfamiliar IP addresses. If you’re not sure whether your firewall is even exposed, that’s the question to put to your IT provider this week.

Not sure where you stand? Our team can check whether your firewall and management interfaces are exposed as part of a network assessment — get in touch.