Palo Alto Networks has confirmed a critical security vulnerability in PAN-OS that is already being actively exploited. The issue affects the User-ID / Captive Portal function, but only in environments where this feature has actually been configured. By default, the portal is not enabled, which means that not every PAN-OS installation is automatically exposed.
According to the vendor, the vulnerability could allow an unauthenticated attacker to send specially crafted packets and potentially execute code with highly privileged access on affected PA-Series and VM-Series firewalls. This makes the issue particularly sensitive for organizations that operate firewall environments with externally reachable authentication or portal services.
Palo Alto Networks has already acknowledged the issue, published mitigation guidance, and is preparing security updates for the affected PAN-OS branches. Depending on the specific version, patches are expected to become available in stages from mid-May through the end of May.
Until the relevant updates are installed, administrators are advised to reduce exposure immediately. The most direct mitigation is to disable the Captive Portal where it is not strictly required. If the feature must remain active, access should be limited to trusted internal zones or defined IP ranges.
The incident once again highlights how important configuration discipline and exposure management have become in modern firewall operations. Even security infrastructure itself can become a target when optional services are enabled and reachable from untrusted networks.
According to the information available so far, Cloud NGFW, Prisma Access and Panorama appliances are not affected.
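The mitigation guidance above comes down to an exposure question per device: is the Captive Portal configured at all, and if so, from which zones and source ranges is it reachable? The following triage helper is an added example, not code from Palo Alto Networks or from the advisory. Its inventory format (the `Firewall` fields, the zone names and the address ranges) is constructed for illustration and is not the PAN-OS or Panorama export format; a practitioner would map a real configuration export into it. It ranks devices so that portals reachable from untrusted zones without a source restriction are handled first, and it treats a catch-all range such as `0.0.0.0/0` as no restriction at all.

```python
"""Exposure triage for firewalls with the Captive Portal feature.

The inventory schema below is constructed for this example and is NOT the
native PAN-OS or Panorama configuration format.
"""
import ipaddress
from dataclasses import dataclass, field

# Platforms named in the advisory text; everything else is flagged for review.
NOT_AFFECTED_PLATFORMS = {"cloud-ngfw", "prisma-access", "panorama"}
AFFECTED_PLATFORMS = {"pa-series", "vm-series"}

PRIORITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "review": 3, "low": 4, "none": 5}


@dataclass
class Firewall:
    name: str
    platform: str                      # e.g. "pa-series", "vm-series", "panorama"
    captive_portal_enabled: bool
    portal_zones: list = field(default_factory=list)   # zones the portal listens in
    trusted_zones: set = field(default_factory=set)    # zones the operator trusts
    allowed_sources: list = field(default_factory=list)  # permitted source ranges; empty = any


def is_unrestricted(sources):
    """True when a source list effectively permits any address: empty, the
    literal 'any', or a catch-all network such as 0.0.0.0/0 or ::/0."""
    if not sources:
        return True
    for src in sources:
        if src.strip().lower() == "any":
            return True
        if ipaddress.ip_network(src, strict=False).prefixlen == 0:
            return True
    return False


def triage(fw):
    """Return (priority, reason) for one device, highest exposure first."""
    if fw.platform in NOT_AFFECTED_PLATFORMS:
        return ("none", "platform reported as not affected")
    if fw.platform not in AFFECTED_PLATFORMS:
        return ("review", "unknown platform; confirm against the vendor advisory")
    if not fw.captive_portal_enabled:
        return ("low", "Captive Portal not configured; patch on the normal schedule")
    untrusted = sorted(z for z in fw.portal_zones if z not in fw.trusted_zones)
    if untrusted and is_unrestricted(fw.allowed_sources):
        return ("critical",
                f"portal reachable from untrusted zone(s) {untrusted} with no source "
                "restriction; disable the portal or restrict it now")
    if untrusted:
        return ("high",
                f"portal reachable from untrusted zone(s) {untrusted}, limited to "
                f"{fw.allowed_sources}; verify the ranges and disable if not required")
    return ("medium", "portal limited to trusted zones; patch as soon as the fix ships")


def triage_inventory(firewalls):
    """Return [(name, priority, reason), ...] sorted by priority (stable)."""
    rows = [(fw.name, *triage(fw)) for fw in firewalls]
    return sorted(rows, key=lambda row: PRIORITY_ORDER[row[1]])


# Constructed sample inventory (names, zones and ranges are made up).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-1", "pa-series", True, ["untrust", "guest"], {"trust", "mgmt"}, []),
    Firewall("branch-vm-2", "vm-series", True, ["guest"], {"trust"}, ["0.0.0.0/0"]),
    Firewall("dc-fw-3", "pa-series", True, ["trust"], {"trust"}, []),
    Firewall("lab-vm-4", "vm-series", False),
    Firewall("panorama-1", "panorama", False),
    Firewall("edge-fw-5", "pa-series", True, ["untrust"], {"trust"}, ["203.0.113.0/24"]),
]

if __name__ == "__main__":
    for name, priority, reason in triage_inventory(SAMPLE_INVENTORY):
        print(f"{priority:8s} {name:12s} {reason}")
```

The ordering reflects the advisory's own advice: a portal that is enabled and reachable from an untrusted zone is the case to act on before patches land, a portal confined to trusted zones or narrow source ranges can wait for the fixed release, and devices with the feature off are simply patched on schedule.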