Palo Alto Networks has disclosed a critical remote code execution vulnerability in PAN-OS that is actively being exploited in the wild. The unpatched flaw affects the User-ID Authentication Portal.
Palo Alto Networks alerted customers to a critical-severity zero-day vulnerability in its PAN-OS User-ID Authentication Portal that threat actors are actively exploiting in targeted attacks.
The vulnerability allows unauthenticated attackers to execute arbitrary code remotely on affected devices. Users of the authentication portal feature in PAN-OS deployments are at immediate risk.
Palo Alto Networks has not released patches as of the warning date. The company advised customers to implement mitigations immediately, including disabling the User-ID Authentication Portal if it is not required, or restricting network access to trusted sources only.
The company is working on fixes and has not disclosed specific version numbers affected, though it typically impacts multiple PAN-OS releases. Organizations running vulnerable configurations should prioritize this threat in their patching schedules.
This marks another critical vulnerability in enterprise security infrastructure. Palo Alto Networks firewalls are widely deployed across organizations globally, making zero-day flaws in these systems particularly concerning for IT teams. The active exploitation means attackers have already developed working exploits.
Organizations should review their PAN-OS deployments immediately to determine if they use the User-ID Authentication Portal feature. Those that do should implement the recommended mitigations without delay. Palo Alto Networks will provide updates as patches become available.
Customers are advised to monitor Palo Alto Networks' security advisories and apply updates as soon as they are released. In the interim, network segmentation and access controls are essential defensive measures.
U.S. federal prosecutors have unsealed charges against three Russian nationals accused of operating a bulletproof hosting service that supported ransomware gangs responsible for over $62 million in damages worldwide.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned that attackers are actively exploiting three vulnerabilities in Internet-exposed on-premises SharePoint Server instances. Organizations running affected versions must patch immediately.
Tailscale disclosed a critical vulnerability in its SSH implementation that allowed attackers to gain root access through insecure argument handling. The flaw has been patched in recent versions.
A new study found that social media platforms referred over 5.7 million visits to nonconsensual deepfake pornography sites between December 2025 and March 2026, with YouTube and X accounting for the majority of traffic.