
Palo Alto Networks Warns of Actively Exploited PAN-OS Zero-Day Granting Root Access

⚠ Zero-Day — Active Exploitation
CVE: CVE-2026-0300 | CVSS: 9.3 (Critical) | Vector: Network / No Auth | Patch: Pending — May 13

Vulnerability Overview

Palo Alto Networks warned customers today that a critical unpatched vulnerability in PAN-OS is being actively exploited in attacks targeting internet-exposed firewalls. Tracked as CVE-2026-0300, the flaw is a buffer overflow in the User-ID Authentication Portal (also known as the Captive Portal) service that allows an unauthenticated attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls.

The vulnerability can be triggered remotely by sending specially crafted packets to the portal service. No credentials, user interaction, or prior access to the device is required. Palo Alto Networks describes the exploitation as automatable, and confirmed that limited exploitation has been observed targeting Authentication Portals exposed to untrusted IP addresses and the public internet.

No patch is currently available. Palo Alto Networks plans to release the first round of hotfixes on May 13, 2026, with a second round expected around May 28. In the interim, the company is urging customers to restrict or disable the vulnerable portal immediately. Internet threat watchdog Shadowserver is currently tracking over 5,800 PAN-OS VM-series firewalls exposed online, with the majority located in Asia (2,466) and North America (1,998).

CVE ID: CVE-2026-0300
CVSS Score: 9.3 — Critical
Vulnerability Type: Buffer Overflow (CWE-787)
Attack Vector: Network (Remote)
Authentication: None Required
Privileges Gained: Root
Vendor: Palo Alto Networks
Affected Component: User-ID Auth Portal (Captive Portal)
Affected Products: PA-Series, VM-Series
Exploitation Status: Active — In the Wild
Exploit Maturity: Attacked / Automatable
Patch Status: Unpatched — ETA May 13

Technical Details

CVE-2026-0300 is classified as an out-of-bounds write (CWE-787) in the User-ID Authentication Portal service within PAN-OS. This portal, also referred to as the Captive Portal, is used to identify unknown users by prompting them for credentials when the firewall cannot automatically map an IP address to a user identity. The vulnerability exists in the service's packet handling logic, where a buffer overflow can be triggered by sending specially crafted network packets.

Because the overflow occurs in a pre-authentication code path, no credentials are needed to reach the vulnerable function. Successful exploitation overwrites memory in a way that allows the attacker to redirect execution flow and run arbitrary code. The service runs with root privileges on the underlying PAN-OS platform, meaning a successful exploit grants the attacker full root access to the firewall.

The CVSS score varies depending on the exposure of the portal. When the Authentication Portal is accessible from the internet or any untrusted network, the score is 9.3 (Critical). When access is restricted to trusted internal IP addresses per Palo Alto's best practice guidelines, the score drops to 8.7. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.

No Patch Available — Zero-Day

This vulnerability is currently unpatched. Palo Alto Networks is developing hotfixes with an estimated first release around May 13, 2026 and a second round around May 28. Organizations with exposed Authentication Portals should implement the workarounds described below immediately. For customers running PAN-OS 11.1 and above, Palo Alto has released an emergency Threat Prevention Signature to help block exploitation attempts.

Affected Versions

The vulnerability impacts multiple PAN-OS release trains. All versions listed below are vulnerable if the User-ID Authentication Portal is enabled. You can verify your configuration at Device → User Identification → Authentication Portal Settings → Enable Authentication Portal.

PAN-OS Version | Affected Before                                                                               | Fix ETA
PAN-OS 12.1    | < 12.1.4-h5, < 12.1.7                                                                         | May 13 / May 28
PAN-OS 11.2    | < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12                                           | May 13 / May 28
PAN-OS 11.1    | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15               | May 13 / May 28
PAN-OS 10.2    | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6                        | May 13 / May 28

Current status for all four release trains: Unpatched — Workarounds Only.
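The fix-version table above is easy to misread when a train has several hotfix lines (for example, 12.1.5 and 12.1.6 have no listed hotfix and only 12.1.7 clears them). The following checker is an added example, not code from Palo Alto Networks or this advisory; it encodes the table as reported here and assumes the usual advisory reading that a version is affected if it sits below the first listed fix at or above its maintenance number. Hostnames in the inventory are constructed sample data.

```python
import re
from typing import List, Optional, Tuple

# Fix versions exactly as listed in this advisory, keyed by release train.
# Assumed reading: within a train, a version is affected if it is below the
# first listed fix whose maintenance number is >= its own (so 12.1.5 needs 12.1.7).
FIXED_VERSIONS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(ver: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into ints; a missing hotfix counts as h0."""
    m = _VER_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(ver: str) -> Optional[bool]:
    """True if CVE-2026-0300 applies to this version (portal enabled), False if it is
    at or above a listed fix, None if the release train is not in the table."""
    major, minor, maint, hotfix = parse_version(ver)
    fixes = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixes is None:
        return None
    # Fixes are listed in ascending maintenance order; find the first at or above ours.
    for fix in fixes:
        _, _, fmaint, fhotfix = parse_version(fix)
        if fmaint > maint:
            return True            # earlier release with no hotfix line: upgrade needed
        if fmaint == maint:
            return hotfix < fhotfix  # same release: fixed only from the listed hotfix on
    return False                   # newer than every listed fix for this train


# Constructed sample inventory (hostname, running PAN-OS version).
SAMPLE_INVENTORY = [("fw-edge-1", "11.1.4-h20"), ("fw-edge-2", "11.1.4-h33"),
                    ("fw-dc-1", "12.1.5"), ("fw-lab", "10.1.9")]


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Hosts to apply the workarounds on: affected, or on a train the table does not cover."""
    return [host for host, ver in inventory if is_affected(ver) is not False]
```

Until the hotfixes ship, every listed train is unpatched, so the checker's value is in confirming which hosts can be cleared once they arrive; a firewall whose portal is disabled or restricted is out of scope regardless of version.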

Recommendations

  1. Restrict access to the Authentication Portal immediately. Configure firewall policies to allow access to the User-ID Authentication Portal only from trusted internal IP addresses and zones. Do not leave this portal exposed to the internet or untrusted networks.
  2. Disable the portal if not required. If your organization does not actively use the User-ID Authentication Portal, disable it entirely via Device → User Identification → Authentication Portal Settings → Disable Authentication Portal.
  3. Apply Threat Prevention Signatures. For firewalls running PAN-OS 11.1 and above with an active Threat Prevention subscription, apply the emergency signature released by Palo Alto Networks to block known exploitation patterns.
  4. Monitor for indicators of compromise. Review firewall logs for unusual access patterns to the Authentication Portal, unexpected process executions, and connections to unknown external infrastructure. A compromised firewall running as root gives an attacker full visibility into network traffic.
  5. Apply patches as soon as they are available. The first round of hotfixes is expected around May 13, 2026. Subscribe to the Palo Alto Networks security advisory RSS feed to receive notifications when patches are published.

Context

Palo Alto Networks firewalls are among the most widely deployed perimeter security devices in enterprise environments. The combination of pre-authentication access, root-level code execution, and automatable exploitation makes CVE-2026-0300 an exceptionally dangerous vulnerability. As SOCRadar noted in its analysis, this vulnerability has the profile that advanced persistent threat groups and ransomware operators actively seek: a network edge device with pre-auth RCE that provides full visibility into traffic flows and lateral movement capability.

This is not the first time Palo Alto Networks has faced critical exploitation of its firewall products. The Tenable vulnerability database rates CVE-2026-0300 at a base score of 10.0, the maximum possible. The CISA Known Exploited Vulnerabilities catalog currently includes 13 Palo Alto product vulnerabilities, though CVE-2026-0300 has not yet been added. Organizations that fail to implement workarounds before patches become available should expect a surge in exploitation attempts as awareness of the vulnerability spreads.
