Palo Alto Networks has disclosed a critical zero-day vulnerability in its PAN-OS firewall operating system, tracked as CVE-2026-0300, that is already being actively exploited in the wild. The flaw carries a CVSS 4.0 score of 9.3 (CRITICAL).
It allows unauthenticated remote attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls with no credentials, no user interaction, and no special preconditions required.
CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, setting a remediation due date of May 9, 2026, and mandating federal agencies apply mitigations under BOD 22-01.
CVE-2026-0300 is an out-of-bounds write vulnerability (CWE-787) in the User-ID Authentication Portal also known as the Captive Portal service in Palo Alto Networks PAN-OS software. The portal is a non-default PAN-OS component that maps IP addresses to user identities, primarily used during the authentication phase for unknown traffic traversing the firewall.
When this service is exposed to untrusted networks or the public internet, an unauthenticated attacker can send specially crafted network packets to trigger a buffer overflow condition, which ultimately yields arbitrary code execution running with root-level privileges on the targeted device.
CVE-2026-0300: Palo Alto PAN-OS Zero-Day Vulnerability
Palo Alto Networks first published the advisory on May 5, 2026. They updated it on May 6, 2026, confirming that limited exploitation had already been observed in the wild, specifically targeting Authentication Portals accessible from the public internet or untrusted IP addresses.
The vulnerability was discovered “in production use,” meaning real-world attackers found and weaponized it before public disclosure. Exploitation is also described as automatable, a detail that significantly raises the threat level, since it means adversaries could conduct large-scale scanning and mass-exploitation campaigns without manual intervention.
At the core of CVE-2026-0300 is a memory safety failure in the User-ID Authentication Portal service’s handling of incoming network packets. By sending malformed or specially crafted packets to the exposed portal, an attacker can overflow a memory buffer.
Because the vulnerable service runs with root privileges by default, the overflow leads directly to arbitrary code execution at the highest OS level, effectively granting the attacker total control over the firewall. No authentication bypass is needed; no intermediate step is required. Network access to the portal interface is the only prerequisite.
Approximately 225,000 internet-facing PAN-OS instances are currently indexed on Shodan, creating a massive, exploitable attack surface for threat actors.
The attack vector is rated NETWORK, the attack complexity is LOW, and the privileges required are NONE, all factors that combine to make this vulnerability exceptionally dangerous in internet-exposed environments.
Affected PAN-OS Versions
The vulnerability impacts multiple supported PAN-OS release trains across PA-Series and VM-Series firewalls. Notably, Prisma Access, Cloud NGFW, and Panorama appliances are confirmed to be unaffected. The following version ranges are vulnerable:
- PAN-OS 12.1: versions below 12.1.4-h5 and below 12.1.7 are affected, with patches expected May 13 and May 28, 2026, respectively.
- PAN-OS 11.2: versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12 are affected, with fix ETAs between May 13 and May 28, 2026.
- PAN-OS 11.1: six vulnerable sub-builds (below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15), with patches rolling out from May 13 to May 28, 2026.
- PAN-OS 10.2: versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6 are also vulnerable, with patches across the same May 13 to May 28, 2026 window.
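As an added example (not from the advisory or from Palo Alto Networks' own tooling), the following Python script applies the fixed-version thresholds listed above to an inventory of PAN-OS version strings so a defender can triage which devices still need the workaround. It assumes the vendor's usual "below X" semantics (each threshold covers the base releases up to the next listed fix, and a patch level above every listed fix already contains the fix); the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed versions per release train, as listed in the advisory text above.
# A device is vulnerable when it is "below" the fix that covers its base release.
FIXED_VERSIONS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> tuple:
    """Parse 'major.minor.patch[-hN]' into (major, minor, patch, hotfix); no suffix means hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version: str) -> str:
    """Return 'vulnerable', 'fixed' or 'unlisted' for one PAN-OS version string.

    '< 12.1.4-h5' covers 12.1.0 through 12.1.4-h4, and '< 12.1.7' then covers 12.1.5
    and 12.1.6. So find the lowest listed fix whose base patch level is >= ours:
    same patch level -> compare hotfix numbers; higher patch level -> still unpatched.
    Assumption: a patch level above every listed fix already includes the fix.
    """
    major, minor, patch, hotfix = parse_version(version)
    train = f"{major}.{minor}"
    if train not in FIXED_VERSIONS:
        return "unlisted"  # e.g. 10.1: not covered by the text above, check the vendor advisory
    for _, _, fix_patch, fix_hotfix in sorted(parse_version(f) for f in FIXED_VERSIONS[train]):
        if fix_patch > patch:
            return "vulnerable"
        if fix_patch == patch:
            return "vulnerable" if hotfix < fix_hotfix else "fixed"
    return "fixed"


def triage(inventory: dict) -> dict:
    """Map hostname -> status for an inventory of {hostname: version}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real devices.
    sample = {"fw-edge-01": "11.1.4-h20", "fw-edge-02": "11.1.4-h33", "fw-dc-01": "12.1.5", "fw-lab": "10.1.9"}
    for host, status in triage(sample).items():
        print(f"{host}: {status}")
```

Devices reported as vulnerable should have the portal restricted or disabled per the Mitigation section until their fix ships; "unlisted" trains must be checked against the vendor advisory rather than assumed safe.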
Palo Alto Networks confirmed that limited in-the-wild exploitation has been observed, specifically targeting portals exposed to untrusted networks. While ransomware campaign involvement has not yet been confirmed, CISA has flagged the potential for ransomware abuse in its KEV catalog entry, which security teams must treat as a significant threat indicator.
Edge devices, such as network firewalls, are prime initial access vectors for ransomware operators, who leverage root-level RCE flaws to establish persistent footholds before pivoting laterally across enterprise environments.
eSentire has also issued a dedicated advisory characterizing the flaw as capable of enabling full device takeover, underscoring its value as a ransomware delivery mechanism should exploitation scale beyond current limited activity.
Mitigation
Since official patches are not yet available across all affected versions, Palo Alto Networks and security researchers strongly recommend applying the following workarounds without delay:
- Restrict portal access: Limit User-ID Authentication Portal access to only trusted internal zones; disable Response Pages in the Interface Management Profile on all internet-facing interfaces.
- Turn off the portal entirely: If the Authentication Portal is not actively required, turn it off via Device > User Identification > Authentication Portal Settings > uncheck “Enable Authentication Portal.”
- Apply Threat Prevention signature: Customers running PAN-OS 11.1 or later with a Threat Prevention subscription should enable Threat ID 510019 from Applications and Threats content version 9097-10022 to block exploitation attempts.
- Audit exposure immediately: Use Shodan or internal inventory tools to identify all internet-exposed PAN-OS instances and check whether the Authentication Portal is enabled and reachable externally.
FAQ
Q1: What is CVE-2026-0300 in Palo Alto PAN-OS?
CVE-2026-0300 is a critical, unauthenticated buffer overflow (CWE-787) in the PAN-OS User-ID Authentication Portal that allows remote root-level code execution on PA-Series and VM-Series firewalls.
Q2: Is CVE-2026-0300 being actively exploited right now?
Yes, Palo Alto Networks and CISA have both confirmed limited in-the-wild exploitation targeting Authentication Portals exposed to untrusted networks and the public internet.
Q3: Which PAN-OS versions are affected by CVE-2026-0300?
PAN-OS versions across the 10.2, 11.1, 11.2, and 12.1 release trains are affected; Prisma Access, Cloud NGFW, and Panorama are not impacted.
Q4: What is the fastest fix for CVE-2026-0300 before an official patch is released?
Either restrict portal access to trusted internal IP zones or disable the User-ID Authentication Portal entirely via Device > User Identification > Authentication Portal Settings.
Site: thecybrdef.com