A critical buffer overflow vulnerability, CVE-2026-0300, has been disclosed in the User-ID™ Authentication Portal of PAN-OS software; it carries a CVSS 4.0 score of 9.3 (CRITICAL), and active exploitation has already been confirmed in the wild against internet-exposed firewalls.
Published on May 6, 2026, this zero-day vulnerability is among the most severe PAN-OS security disclosures of the year, affecting PA-Series and VM-Series firewalls across multiple software branches.
With no authentication required and no user interaction needed, this vulnerability allows a remote attacker to seize complete root-level control of enterprise-grade firewalls through a single, specially crafted network packet.
CVE-2026-0300: Critical PAN-OS Vulnerability
CVE-2026-0300 is a CWE-787 (Out-of-Bounds Write) buffer overflow vulnerability in the User-ID™ Authentication Portal service, commonly referred to as the Captive Portal, within Palo Alto Networks PAN-OS software.
The flaw is triggered when an unauthenticated attacker sends maliciously crafted packets to the Authentication Portal endpoint, causing the service to write data beyond its allocated memory buffer.
Classified under CAPEC-100 (Overflow Buffers), the exploit mechanism requires zero privileges and zero user interaction. It carries a full “Automatable: YES” designation, meaning it can be weaponized at scale across multiple targets simultaneously.
The consequence is devastating: successful exploitation grants an attacker arbitrary code execution with root privileges on the underlying PA-Series or VM-Series firewall.
Root access to a next-generation firewall means an adversary can intercept all network traffic, modify routing and security policies, plant persistent backdoors, and pivot laterally across the entire network infrastructure the device protects.
Affected Versions
The vulnerability impacts PA-Series and VM-Series firewalls running PAN-OS versions 10.2, 11.1, 11.2, and 12.1, but only when the User-ID™ Authentication Portal feature is enabled. Critically, Prisma Access, Cloud NGFW, and Panorama appliances are confirmed to be unaffected.
Affected PAN-OS branches include:
- PAN-OS 12.1: Versions below 12.1.4-h5 and below 12.1.7
- PAN-OS 11.2: Versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
- PAN-OS 11.1: Versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 10.2: Versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
Organizations can verify exposure by navigating to Device > User Identification > Authentication Portal Settings in the PAN-OS admin console and checking whether “Enable Authentication Portal” is toggled on.
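As an added example (not from the advisory or from Palo Alto Networks), the following Python checks a PAN-OS version string against the fixed versions listed above and flags inventory entries that still need action. It assumes the usual advisory reading that each listed fix covers its own maintenance release at that hotfix level or higher and that any maintenance release above the highest listed one already contains the fix; the inventory it runs over is constructed.

```python
import re

# Fixed versions per affected branch, exactly as listed in the advisory above.
FIXED_VERSIONS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into (major, minor, maint, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def is_vulnerable(version, portal_enabled=True):
    """True if the device still needs a fix for CVE-2026-0300.
    Assumed advisory reading: a listed fix covers its own maintenance release at that
    hotfix level or higher, anything above the highest listed maintenance release is
    fixed, and every other release on an affected branch is exposed."""
    if not portal_enabled:
        return False  # the flaw only applies when the Authentication Portal is enabled
    major, minor, maint, hotfix = parse_version(version)
    fixes = [parse_version(v) for v in FIXED_VERSIONS.get(f"{major}.{minor}", [])]
    if not fixes:
        return False  # branch is not listed as affected
    if maint > max(f[2] for f in fixes):
        return False
    for _, _, fix_maint, fix_hotfix in fixes:
        if maint == fix_maint:
            return hotfix < fix_hotfix
    return True

# Constructed sample inventory (hostnames and versions are made up): (name, version, portal enabled).
SAMPLE_INVENTORY = [
    ("fw-edge-1", "11.2.10-h5", True),
    ("fw-edge-2", "11.2.10-h6", True),
    ("fw-dc-1", "10.2.12", False),
    ("fw-lab", "12.1.6", True),
]

def hosts_needing_action(inventory):
    """Names of devices that run a vulnerable build with the portal enabled."""
    return [name for name, ver, enabled in inventory if is_vulnerable(ver, enabled)]
```

Devices with the portal disabled are skipped here because the advisory scopes the flaw to enabled portals; they still belong on the patch schedule.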
Active Exploitation
Palo Alto Networks has confirmed limited exploitation in the wild, specifically targeting organizations where the User-ID™ Authentication Portal is exposed to untrusted IP addresses or the public internet.
This active exploitation status, combined with the CVSS 4.0 Exploit Maturity designation of “ATTACKED” and an urgency rating of HIGHEST, places this vulnerability in the top tier of enterprise security threats requiring immediate incident response.
The attack vector is purely network-based (AV:N), the attack complexity is low (AC:L), and there are no attack prerequisites (AT:N), meaning any threat actor with basic scripting capability can exploit this flaw against exposed portals without needing insider knowledge or an existing foothold.
The damage envelope encompasses HIGH confidentiality, HIGH integrity, and HIGH availability impact to the affected product, the worst possible trifecta for a perimeter security device.
Palo Alto Networks has published two distinct severity assessments based on network exposure configuration:
- CRITICAL (CVSS-BT: 9.3) – When the User-ID™ Authentication Portal is accessible from the internet or any untrusted network, the full attack vector is Network (AV:N), making remote exploitation trivial.
- HIGH (CVSS-BT: 8.7) – When the portal is restricted to adjacent/internal network access only (AV:A), the risk remains severe but substantially harder to exploit from the internet.
This scoring distinction underscores the critical role of network segmentation and access control policies as a first-line defensive mechanism, even before patches become available.
Official patches are rolling out in scheduled releases through May 2026. Palo Alto Networks has also deployed Threat Prevention Signatures for all customers running PAN-OS 11.1 and above, available as of May 5, 2026, to detect and block exploitation attempts in transit.
| Fixed PAN-OS version(s) | Patch ETA |
|---|---|
| 12.1.4-h5 / 12.1.7 | May 13 / May 28 |
| 11.2.4-h17, 11.2.10-h6 | May 13 |
| 11.2.7-h13, 11.2.12 | May 13 / May 28 |
| 11.1.4-h33, 11.1.10-h25, 11.1.13-h5 | May 13 |
| 10.2.10-h36, 10.2.18-h6 | May 13 |
Mitigation
Until patches are applied, Palo Alto Networks strongly recommends two workarounds:
- Restrict Authentication Portal access to trusted internal IP addresses only by following Step 6 of Palo Alto’s Live Community article on securing management interfaces.
- Disable the User-ID™ Authentication Portal entirely if the organization does not require it operationally.
Security teams should also immediately audit internet-facing firewall configurations, review access control lists for the Captive Portal service, and monitor for anomalous traffic patterns indicative of buffer overflow exploits targeting the Authentication Portal endpoint.
FAQ
Q1: What is CVE-2026-0300?
It is a critical CVSS 9.3-rated buffer overflow in PAN-OS’s User-ID™ Authentication Portal that allows unauthenticated remote attackers to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls.
Q2: Which Palo Alto Networks products are affected by CVE-2026-0300?
Only PA-Series and VM-Series firewalls running PAN-OS 10.2, 11.1, 11.2, or 12.1 with the User-ID™ Authentication Portal enabled are affected; Prisma Access, Cloud NGFW, and Panorama are not impacted.
Q3: Is CVE-2026-0300 being actively exploited?
Yes, Palo Alto Networks has confirmed limited in-the-wild exploitation targeting Authentication Portals exposed to untrusted networks and the public internet, with exploit maturity classified as “ATTACKED.”
Q4: What is the immediate fix for CVE-2026-0300 before the patch is available?
Organizations should immediately restrict Authentication Portal access to trusted internal IP addresses only, or turn off the portal entirely if not needed, while awaiting official PAN-OS hotfix releases scheduled between May 13–28, 2026.
Site: thecybrdef.com