A critical Palo Alto PAN-OS zero-day is being exploited in the wild

Palo Alto Networks disclosed a critical memory-corruption zero-day (CVE-2026-0300, CVSS 9.3) in the PAN-OS User-ID Authentication (captive portal) that allows unauthenticated attackers to achieve root remote code execution. The vendor and CISA report limited active exploitation, patches are not yet released (first fixes expected May 13), and customers are advised to apply mitigations immediately; no attribution or public indicators have been published.