Palo Alto Networks has confirmed active exploitation of a critical zero-day in its PAN-OS firewall software. CVE-2026-0300 is an unauthenticated buffer overflow in the User-ID Authentication Portal (the old Captive Portal) that lets an attacker run arbitrary code as root on PA-Series and VM-Series firewalls — no credentials, no user interaction, just specially crafted packets. The vendor’s PAN-OS advisory rates it CRITICAL with a CVSS 4.0 score of 9.3 and lists exploit maturity as ‘attacked’.
If you have a Palo Alto firewall with the Authentication Portal enabled — any organisation using captive-portal login for guest Wi-Fi or contractor access — you are in scope. Patches are rolling out in waves: 11.1.4-h33, 11.1.10-h25, 11.1.13-h5, 11.2.7-h13, 11.2.10-h6 and 12.1.4-h5 landed on 13 May, with the remaining branches due by 28 May. Prisma Access, Cloud NGFW and Panorama are not affected.
Why this matters for Australian businesses
This is a textbook ‘patch this week’ situation. A firewall compromise gives an attacker root on the device that sits between your users and the internet. From there, pivoting into the internal network, harvesting credentials and turning off logging are all well documented. With Privacy Act reforms and mandatory ransomware reporting now in force, a breach via your perimeter device is also a notification event, not just a technical clean-up.
What to do today
Confirm the PAN-OS version on every firewall, schedule the hotfix that contains the fix as soon as it’s available for your branch, and in the meantime restrict the Authentication Portal to trusted internal IPs only, or disable it entirely if it’s not in use. If you don’t know who patches your firewall, that’s a conversation worth having before the weekend. See how our cybersecurity team handles patch management for managed clients.
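To make the version check above repeatable across a fleet, here is an added example (not vendor or article code) that triages an inventory against the fixed hotfix builds listed in this article. The hostnames and installed versions are constructed sample data. It assumes a hotfix number equal to or higher than the listed one, on the same maintenance release, contains the fix; any release not listed here is reported as needing a check against the vendor advisory.

```python
import re

# Fixed hotfix builds named in the article (13 May wave), keyed by maintenance release.
FIXED = {"11.1.4": 33, "11.1.10": 25, "11.1.13": 5,
         "11.2.7": 13, "11.2.10": 6, "12.1.4": 5}

VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Split '11.1.4-h33' into ('11.1.4', 33); no hotfix suffix counts as hotfix 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return m.group(1), int(m.group(2) or 0)


def triage(version, portal_enabled):
    """Return (status, action) for one firewall."""
    base, hotfix = parse_version(version)
    # Assumption: hotfixes are cumulative within one maintenance release.
    if base in FIXED and hotfix >= FIXED[base]:
        return "fixed", "none"
    # The interim mitigation only applies where the portal is switched on.
    mitigation = ("restrict or disable Authentication Portal now; "
                  if portal_enabled else "")
    if base in FIXED:
        return "fix-available", f"{mitigation}install {base}-h{FIXED[base]}"
    return "fix-not-listed", f"{mitigation}check the vendor advisory for this branch"


# Constructed inventory: (hostname, PAN-OS version, Authentication Portal enabled)
INVENTORY = [
    ("fw-syd-edge", "11.1.4-h33", True),
    ("fw-syd-guest", "11.2.7-h4", True),
    ("fw-mel-dc", "11.1.10", False),
    ("fw-bne-lab", "10.2.9-h1", True),
]


def report(inventory):
    """Triage every firewall and return (hostname, status, action) rows."""
    return [(host, *triage(ver, portal)) for host, ver, portal in inventory]


if __name__ == "__main__":
    for host, status, action in report(INVENTORY):
        print(f"{host:14} {status:15} {action}")
```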
