Palo Alto Networks Warns of Actively Exploited Zero-Day in User-ID Authentication Portal
Palo Alto Networks has warned customers of an actively exploited zero-day vulnerability in the PAN-OS User-ID Authentication Portal.
What’s at Stake
The zero-day affects the User-ID service, a component used by Palo Alto firewalls to map user identities to IP addresses. This service is often exposed internally to authenticate users across enterprise networks. When enabled, the User-ID Authentication Portal listens on specific ports and processes authentication requests—making it a high-value target if reachable from outside the trusted network.
Attackers exploiting this flaw can gain unauthorized access to internal systems. The vulnerability allows remote code execution, meaning an attacker could run arbitrary commands on the firewall itself. That level of access could let them intercept traffic, disable security policies, or move laterally across the network.
Firewalls are supposed to be the last line of defense. When they’re compromised, everything behind them is exposed. In environments where the User-ID service is exposed to untrusted networks—even accidentally—risk increases dramatically.
Palo Alto has confirmed the vulnerability is under active attack. There’s no patch available yet. That means organizations must act now using workarounds or mitigations to reduce exposure.
Background: How User-ID Works—and Why It’s Risky
User-ID has been part of PAN-OS for over a decade. It was designed to solve a real problem: traditional firewalls only see IP addresses, not users. When hundreds of employees share a NAT gateway, assigning access rules by IP becomes impossible. User-ID bridges that gap by integrating with directory services like Microsoft Active Directory. It logs which user is assigned to which IP address, then feeds that data into the firewall’s policy engine.
The service runs in several modes. Some organizations deploy it using agent-based collection, where small software agents on domain controllers forward login events to the firewall. Others use the User-ID Authentication Portal, which listens for direct authentication requests from clients or captive portals. It is this portal that the zero-day affects.
Over the years, Palo Alto has issued advisories about User-ID-related flaws before. In 2018, a directory traversal vulnerability (CVE-2018-15155) let attackers read arbitrary files. In 2020, a command injection bug (CVE-2020-2025) in the User-ID agent allowed full system compromise. Each time, attackers targeted the same weak point: a service that must parse untrusted input from internal systems but is sometimes exposed beyond its intended boundary.
The current zero-day follows that pattern. It’s not just about the technical flaw—it’s about the deployment model. User-ID was built for internal use. Yet in hybrid environments, misconfigurations happen. A cloud VPC might expose the portal to the internet. A third-party vendor might need access and get granted too much. That expansion of trust, without corresponding hardening, creates the attack surface.
What’s different now is the exploitation timeline. Past vulnerabilities were patched within weeks of disclosure. This one is already being exploited, and no fix is ready. That changes the game. Organizations can’t wait. They have to assume compromise if they’re exposed.
What This Means For You
If you run Palo Alto firewalls, you need to act immediately—even if you think you’re not vulnerable.
Scenario 1: The Enterprise with Distributed Offices
A national retail chain uses Palo Alto firewalls at each store location. The central IT team enabled the User-ID Authentication Portal so that local staff logins are tracked across the network. Store networks connect back to HQ via encrypted tunnels. What IT didn’t realize: each store’s portal is accessible from the internet due to a misconfigured NAT rule. Attackers scan for open User-ID ports, find dozens of exposed portals, and deploy web shells. From there, they pivot to the corporate network, exfiltrating customer data. The breach isn’t detected for weeks.
The fix? Disable the Authentication Portal everywhere it isn’t strictly necessary. Use agent-based User-ID instead. Audit firewall rules to ensure the service isn’t exposed externally. If you can’t disable it, restrict access via IP allowlists and monitor logs for unexpected connection attempts.
Scenario 2: The Tech Startup in Rapid Growth Mode
A fast-growing SaaS company uses Palo Alto firewalls to segment development, staging, and production environments. They recently onboarded a remote engineering team and set up a temporary VPN solution that relies on the User-ID portal for authentication. Security was deprioritized during the setup. Now, attackers exploit the zero-day to gain access to the firewall’s CLI. They modify NAT rules to forward internal API traffic to an external server. Over the next 48 hours, API keys and database credentials are siphoned off.
The lesson? Don’t use the User-ID Authentication Portal as an access control point for remote users. It’s not designed for that. Use a dedicated identity provider or SSO solution. In the short term, disable the portal and switch to agent-based mapping. Monitor PAN-OS logs for suspicious process execution or configuration changes.
Scenario 3: The Managed Security Service Provider (MSSP)
An MSSP manages firewalls for 50 clients. They use a centralized PAN-OS deployment with User-ID enabled across all customer environments. Because of shared infrastructure, a single compromised portal could give attackers access to multiple clients. The MSSP doesn’t have visibility into which clients have the Authentication Portal active. They’re blind to the risk.
For MSSPs, this is a supply chain nightmare. The response must be proactive. Run an immediate audit across all managed devices to identify instances where the portal is enabled. Disable it unless absolutely required. Communicate with clients about the risk. Update incident response playbooks to include firewall compromise scenarios. Assume that if one client is breached, others could follow.
Technical Details: What We Know (and Don’t Know)
Palo Alto has not released full technical details. That’s standard practice during active exploitation. But from the advisory, we know the vulnerability affects PAN-OS versions 9.1, 10.0, 10.1, 10.2, and 11.0. Devices running earlier versions aren’t impacted—but those versions are end-of-life and unsupported.
The flaw exists in the way the User-ID Authentication Portal handles certain HTTP requests. It’s a memory corruption issue, likely triggered by malformed input during the authentication handshake. Successful exploitation leads to root-level access on the underlying Linux-based OS. That means full control: attackers can install backdoors, disable logging, or alter security policies silently.
Indicators of compromise include unexpected child processes spawned from the User-ID daemon, unusual network connections from the firewall to external IPs, and log entries showing authentication attempts from unknown sources. Some organizations have reported seeing HTTP POST requests to /php/command.php—a known backdoor path used in previous PAN-OS breaches. That doesn’t confirm exploitation, but it’s a red flag.
There’s no workaround that fully eliminates risk. Palo Alto recommends disabling the User-ID Authentication Portal if it’s not required. If you need the service, restrict access using security policies that limit source IPs. But that only helps if your IP lists are accurate and up to date. In dynamic environments, that’s hard to maintain.
What Happens Next
Palo Alto Networks is working on a patch. They haven’t given a timeline. Given the severity, it could arrive in days, not weeks. But until then, the window of exposure remains open.
Here are the key questions that remain unanswered:
- How widespread is exploitation? We know attacks are happening, but not at what scale. Are we seeing targeted intrusions or broad scanning? If it’s the latter, thousands of devices could already be compromised.
- Are there known threat actors behind this? No group has claimed responsibility. But the targeting pattern—firewalls, high privilege, stealth—matches tactics used by state-backed hackers in the past. Could this be espionage? Data theft? A prelude to ransomware?
- What’s the real impact of User-ID compromise? Gaining shell access is bad. But what can attackers do next? Can they decrypt traffic? Escalate to cloud control planes? Move to connected systems like SIEMs or endpoint protection platforms? The full blast radius isn’t clear yet.
- Will this affect future PAN-OS design? Palo Alto has downplayed the risk of User-ID in past advisories. This incident may force a rethink. Will they disable the Authentication Portal by default? Introduce stricter access controls? Or phase it out entirely in favor of modern identity protocols?
Organizations should assume the worst. If you’re running a vulnerable version and have the portal enabled, treat it as compromised until proven otherwise. Isolate the device from critical systems. Pull logs for forensic review. Run memory scans for known malware signatures tied to past PAN-OS exploits.
This isn’t just another vulnerability. It’s a reminder that even security tools can become attack vectors. The firewall is only as strong as its weakest service. And right now, User-ID is that weak spot.
Monitor Palo Alto’s advisory page for updates. Subscribe to their threat intelligence feed. Share indicators with your peer networks. In moments like this, information moves faster than patches.
You’ll want to act fast. Because the attackers already are.