
CVE-2026-0300 — Critical PAN-OS Buffer Overflow Bug


Overview

Palo Alto Networks has confirmed that CVE-2026-0300, a critical PAN-OS vulnerability with a CVSS score of 9.3, is being actively exploited in the wild. The flaw is a buffer overflow in the User-ID™ Authentication Portal (also known as the Captive Portal service) of PAN-OS software. An unauthenticated attacker who can reach the portal can send specially crafted packets and execute arbitrary code with root privileges on PA-Series and VM-Series firewalls.

At the time of writing, patches are not yet available. This is a live zero-day with confirmed in-the-wild exploitation.

Vulnerability Mechanics

CVE-2026-0300 is mapped to CWE-787 (Out-of-Bounds Write). The access model is pre-auth and network-reachable: an attacker needs no credentials to reach the vulnerable code path as long as the portal is reachable, and successful exploitation yields arbitrary code execution as root.

The full CVSS 4.0 vector is: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A. Decoded: Attack Vector: Network (AV:N), Attack Complexity: Low (AC:L), Attack Requirements: None (AT:N), Privileges Required: None (PR:N), User Interaction: None (UI:N), Confidentiality/Integrity/Availability impact on the vulnerable system: High (VC:H/VI:H/VA:H), Confidentiality and Integrity impact on subsequent systems: Low (SC:L/SI:L), Availability impact on subsequent systems: None (SA:N), Exploit Maturity: Attacked (E:A). Palo Alto Networks also rates the issue as Automatable: Yes.

In plain terms: send crafted packets to an exposed Captive Portal endpoint, trigger the out-of-bounds write, corrupt memory, and gain root-level code execution. No authentication step, no user click, and fully automatable.

Affected Products

This issue applies only to PA-Series and VM-Series firewalls that have the User-ID™ Authentication Portal enabled. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.

To verify exposure on a firewall, check whether the portal is enabled under Device > User Identification > Authentication Portal Settings (the Enable Authentication Portal checkbox). A firewall with the portal disabled does not expose the vulnerable service, regardless of the PAN-OS version it runs.

Affected PAN-OS Version Branches:

Based on the official Palo Alto advisory:

Exploitation Status

The vulnerability has reached the "Attacked" stage of exploit maturity, meaning real-world attacks have been observed. Reported exploitation is limited so far and is concentrated on systems where the User-ID Authentication Portal is exposed to untrusted networks or the public internet. The flaw was discovered through observed exploitation in production, not through a researcher submission.

For enterprises, the higher-risk scenario is a PA or VM firewall with Captive Portal enabled and reachable from untrusted networks.

Attribution of threat actors behind current exploitation has not been officially disclosed.

Patch Timeline

Palo Alto Networks is actively developing fixed PAN-OS releases for CVE-2026-0300. Patched releases are scheduled for a staggered rollout between May 13 and May 28, 2026, with timing varying by PAN-OS version branch. Note that a hotfix such as 11.1.4-h33 fixes only the 11.1.4 maintenance line; a firewall on 11.1.5, for example, needs to move to a fixed release listed for its branch rather than waiting for an 11.1.5 hotfix that is not on the schedule.

First-wave hotfixes (May 13): 12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, 10.2.18-h6

Second-wave hotfixes (May 28): 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, 10.2.16-h7
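The following is an added example, not code from the article or from Palo Alto Networks, that turns the two hotfix lists above into a fleet triage check: it parses PAN-OS version strings, decides whether each firewall is on a fixed release, and ranks hosts using the exposure conditions described in this article (portal enabled, reachable from untrusted networks). The fixed-version list is the one printed on this page. The matching rule (a hotfix covers only its own maintenance line; a plain maintenance release such as 12.1.7 covers itself and later maintenance releases on the same branch) is the usual PAN-OS advisory semantic and is an assumption here, as is the constructed sample inventory; confirm results against the official advisory before acting on them.

```python
"""
Triage PAN-OS version strings against the CVE-2026-0300 fixed releases.
Added example; fixed-version data is taken from this article, the matching
rule and the sample inventory are assumptions (see lead-in).
"""
import re
from typing import NamedTuple

FIRST_WAVE = ["12.1.4-h5", "11.2.7-h13", "11.2.10-h6", "11.1.4-h33", "11.1.6-h32",
              "11.1.10-h25", "11.1.13-h5", "10.2.10-h36", "10.2.18-h6"]
SECOND_WAVE = ["12.1.7", "11.2.4-h17", "11.2.12", "11.1.7-h6", "11.1.15",
               "10.2.7-h34", "10.2.13-h21", "10.2.16-h7"]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string has no -hN suffix

    @property
    def branch(self):
        return (self.major, self.minor)


def parse_version(text: str) -> PanOsVersion:
    """Parse '11.1.4-h33' or '12.1.7' into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


FIXED = [parse_version(v) for v in FIRST_WAVE + SECOND_WAVE]


def fixes_version(fixed: PanOsVersion, installed: PanOsVersion) -> bool:
    """Assumed advisory semantic: does a listed fixed release cover `installed`?"""
    if fixed.branch != installed.branch:
        return False
    if fixed.hotfix == 0:
        # Plain maintenance release: covers itself and later maintenance
        # releases on the branch (12.1.7 covers 12.1.7, 12.1.8, ...).
        return installed.maint >= fixed.maint
    # Hotfix: covers only its own maintenance line (11.1.4-h33 covers
    # 11.1.4-h33 and later 11.1.4 hotfixes, nothing else).
    return installed.maint == fixed.maint and installed.hotfix >= fixed.hotfix


def triage(version_text: str) -> str:
    """Return 'fixed', 'vulnerable', or 'unlisted-branch' (branch not on this page)."""
    installed = parse_version(version_text)
    branch_fixes = [f for f in FIXED if f.branch == installed.branch]
    if not branch_fixes:
        return "unlisted-branch"
    return "fixed" if any(fixes_version(f, installed) for f in branch_fixes) else "vulnerable"


def prioritise(entry: dict) -> dict:
    """Rank one firewall. The article's high-risk case is a vulnerable build
    with the portal enabled and reachable from an untrusted network."""
    status = triage(entry["version"])
    if status == "fixed":
        action = "patched"
    elif not entry["portal_enabled"]:
        action = "portal disabled, not exposed; patch in the normal cycle"
    elif entry["untrusted_reachable"]:
        action = "URGENT: restrict portal to trusted ranges now, then patch"
    else:
        action = "patch when available; keep portal restricted to trusted ranges"
    if status == "unlisted-branch":
        action = "confirm branch against the advisory; " + action
    return {"host": entry["host"], "status": status, "action": action}


# Constructed sample inventory (hypothetical hosts, not real data).
INVENTORY = [
    {"host": "fw-edge-1", "version": "11.1.4-h32", "portal_enabled": True, "untrusted_reachable": True},
    {"host": "fw-dc-2", "version": "11.1.4-h33", "portal_enabled": True, "untrusted_reachable": False},
    {"host": "fw-lab-3", "version": "12.1.5", "portal_enabled": False, "untrusted_reachable": False},
    {"host": "fw-branch-4", "version": "10.1.9", "portal_enabled": True, "untrusted_reachable": False},
]


def triage_fleet(inventory=INVENTORY) -> list:
    """Prioritised report for the whole inventory, urgent hosts first."""
    report = [prioritise(e) for e in inventory]
    report.sort(key=lambda r: (not r["action"].startswith("URGENT"), r["host"]))
    return report


if __name__ == "__main__":
    for row in triage_fleet():
        print(f"{row['host']:12} {row['status']:16} {row['action']}")
```

The comparison deliberately refuses to treat a higher maintenance number as "newer and therefore fixed" unless the page lists a plain maintenance release for that branch: 11.1.5 sits above 11.1.4-h33 numerically but is not covered by any listed fix, so it reports as vulnerable.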

Immediate Mitigations

Until patches land, the priority is exposure reduction:

  1. Restrict Captive Portal access. Limit the User-ID Authentication Portal to trusted internal IP ranges only, and remove any internet-facing exposure immediately.
  2. Disable it if unused. If the Captive Portal is not operationally required, disable it outright under Device > User Identification > Authentication Portal Settings.
  3. Audit firewall rules. Review perimeter and zone policies for any path that lets untrusted traffic reach the portal service, and close them.
  4. Apply threat prevention signatures. Palo Alto Networks has released Threat Prevention content to detect exploitation attempts; make sure the subscription is active and content is current. Treat this as a detection layer, not a substitute for restricting access or patching.
  5. Monitor for anomalous root-level activity. On affected firewalls, watch for unexpected process spawning, configuration changes, or connections and lateral movement originating from the firewall itself.

Per Palo Alto's own advisory, restricting access to trusted internal IP addresses in line with their best-practice guidelines significantly reduces the risk of this issue.

Contextual Note

CVE-2026-0300 follows a familiar pattern of critical, remotely exploitable vulnerabilities in network appliances that are often internet-facing. Palo Alto Networks previously patched two Captive Portal flaws, CVE-2024-0011 and CVE-2023-0010, but both were medium-severity cross-site scripting issues. CVE-2026-0300 is far more severe: it is unauthenticated remote code execution as root, with no user interaction required.

A compromised perimeter firewall is not just the loss of one endpoint. An attacker with root on the device that inspects north-south and east-west traffic can observe, redirect, or modify that traffic and use the appliance as a trusted foothold into the rest of the network.
