The cybersecurity community is on high alert as Palo Alto Networks has confirmed a critical, unpatched vulnerability in its PAN-OS software that is currently being exploited in the wild.
Tracked as CVE-2026-0300, this vulnerability is a severe buffer overflow flaw that allows an unauthenticated attacker to achieve Remote Code Execution (RCE) with maximum system privileges. With active, albeit limited, exploitation already observed by threat actors, organizations utilizing PA-Series and VM-Series firewalls must act immediately.
Here is a breakdown of the vulnerability, the risk factors, and the immediate steps you should take to defend your network edge.
The Vulnerability: CVE-2026-0300 Explained
At its core, CVE-2026-0300 (CWE-787: Out-of-bounds Write) resides within the User-ID Authentication Portal (also known as the Captive Portal) service of PAN-OS.
By sending specially crafted network packets to the portal, an unauthenticated attacker can trigger a buffer overflow. Because of how the service handles memory, the attacker can leverage this overflow to execute arbitrary malicious code. Alarmingly, this code executes natively with root privileges, effectively handing total control of the firewall over to the attacker.
The severity of the flaw depends entirely on how the firewall is configured:
- Critical Risk (CVSS 9.3): If the User-ID Authentication Portal is exposed to the public internet or any untrusted network.
- High Risk (CVSS 8.7): If access to the portal is securely restricted to trusted internal IP addresses.
Active Exploitation & Affected Versions
According to the official advisory, threat actors are actively scanning for and exploiting internet-facing User-ID portals. Because firewalls act as the primary defense perimeter, compromising a PA-Series or VM-Series device grants attackers an incredibly powerful beachhead from which to launch lateral movement deep into an organization's internal network.
The vulnerability impacts various versions of PAN-OS, specifically:
- PAN-OS 12.1: < 12.1.4-h5, < 12.1.7
- PAN-OS 11.2: < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12
- PAN-OS 11.1: < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15
- PAN-OS 10.2: < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
Note: Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability.
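To turn the version list above into a repeatable check, here is an added Python helper (not part of the advisory or this post) that parses PAN-OS version strings with hotfix suffixes and tests them against the fix boundaries listed. It assumes the advisory's "<" notation means a maintenance release is fixed from the listed hotfix onward, and that maintenance releases without their own listed hotfix are affected until the newest listed boundary.

```python
import re
from typing import Optional

# Fix boundaries copied from the version list above, keyed by release train.
FIXED_IN_RAW = {
    (12, 1): ["12.1.4-h5", "12.1.7"],
    (11, 2): ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    (11, 1): ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    (10, 2): ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn 'major.minor.patch[-hN]' into (major, minor, patch, hotfix); no hotfix -> 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


FIXED_IN = {train: [parse_version(v) for v in vs] for train, vs in FIXED_IN_RAW.items()}


def is_affected(version: str) -> Optional[bool]:
    """True if below a fix boundary, False if fixed, None if the train is not listed."""
    major, minor, patch, hotfix = parse_version(version)
    boundaries = FIXED_IN.get((major, minor))
    if boundaries is None:
        return None  # e.g. PAN-OS 10.1: not in the advisory's list
    for b in boundaries:
        if b[:3] == (major, minor, patch):
            # Same maintenance release as a listed fix: only earlier hotfixes are affected
            return hotfix < b[3]
    # No dedicated hotfix for this maintenance release: affected unless it is at or
    # beyond the newest listed boundary (assumed reading of the "<" notation)
    return (major, minor, patch) < max(boundaries)[:3]


if __name__ == "__main__":
    for v in ["11.1.4-h33", "11.1.4-h12", "11.2.5", "11.2.12", "10.2.19", "10.1.9"]:
        print(v, is_affected(v))
```

Feed it the output of `show system info` from each device to triage a fleet; a `None` result means the train is outside the advisory's list and needs manual review.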
Immediate Mitigations and Workarounds
Currently, there is no official patch available for CVE-2026-0300. Palo Alto Networks has announced that hotfixes and patched versions will begin rolling out starting May 13, 2026.
In the absence of a patch, organizations are strongly advised to apply the following workarounds immediately to break the attack chain:
- Restrict Access (Recommended): Lock down the User-ID Authentication Portal so it is only accessible from trusted, internal network zones. Do not leave this portal exposed to the WAN/Internet.
- Disable the Portal: If your organization does not actively require the User-ID Authentication Portal, disable it entirely via the PAN-OS administrative settings (Device > User Identification > Authentication Portal Settings).
- Apply Threat Signatures: For customers running PAN-OS 11.1 and above, Palo Alto has released an emergency Threat Prevention Signature to block the exploitation attempts. Ensure your threat prevention feeds are up to date.
MITRE ATT&CK Matrix Mapping
Based on the nature of the buffer overflow and the observed initial access vectors, below is a mapping of the threat actor TTPs associated with the exploitation of CVE-2026-0300.
| Tactic | Technique ID | Technique Name | Threat Actor Implementation |
|---|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application | Attackers target and send specially crafted packets to internet-exposed PAN-OS User-ID Authentication Portals. |
| Execution | T1203 | Exploitation for Client/Server Execution | Triggers a buffer overflow (CWE-787: Out-of-bounds Write) within the Captive Portal service to execute malicious shellcode. |
| Privilege Escalation | T1068 | Exploitation for Privilege Escalation | The successful exploitation of the service inherently grants the attacker execution capabilities with root privileges. |
| Defense Evasion | T1562 | Impair Defenses | By compromising the perimeter firewall and gaining root access, attackers can modify or disable network logging, routing, and threat prevention features. |
| Discovery | T1046 | Network Service Discovery | Attackers actively scan the public IPv4 space to identify responsive PAN-OS portals prior to exploitation. |
Final Thoughts
CVE-2026-0300 is a stark reminder of the risks associated with exposing administrative or authentication interfaces to the public internet. Perimeter security devices are high-value targets for advanced persistent threats (APTs) and ransomware syndicates alike. We urge all network administrators to review their PAN-OS configurations today and restrict portal access before patches become available.
Credits: This post is based on the official Palo Alto Networks Security Advisory. For original details, please refer to the Palo Alto Networks Advisory for CVE-2026-0300.