
Volume 338, Issue 2 · IT Vendor News · F5

Weekly Threat Bulletin - May 13th, 2026

F5 Labs, Wednesday, May 13th, 2026

Critical Palo Alto Networks firewall zero-day (CVE-2026-0300) actively exploited by state-sponsored actors for nearly a month.

A critical-severity remote code execution zero-day vulnerability (CVE-2026-0300) in Palo Alto Networks PAN-OS User-ID Authentication Portal has been actively exploited since April 9, 2026, by suspected state-sponsored threat actors, allowing unauthenticated attackers to execute arbitrary code with root privileges.

Over 5,400 PAN-OS VM-series firewalls are exposed online, primarily in Asia and North America, with victims spanning multiple industries including government, healthcare, finance, and energy. Successful exploitation has led to deployment of Earthworm and ReverseSocks5 tunneling tools for covert communication, log cleanup, and network bypass.

Patches are anticipated starting May 13, 2026, with U.S. CISA mandating federal agencies secure vulnerable firewalls by May 9. Until patches are available, organizations are advised to restrict access to the User-ID Authentication Portal or disable it entirely.
