Active Exploit of Palo Alto PAN-OS Flaw Allows Remote Code Execution

Summary
– Palo Alto Networks warns of a critical buffer overflow vulnerability (CVE-2026-0300) in PAN-OS, exploited in the wild, allowing unauthenticated remote code execution with root privileges.
– The flaw affects PA-Series and VM-Series firewalls with the User-ID Authentication Portal exposed to the internet or untrusted networks, scoring a CVSS of 9.3 in exposed configurations.
– Exploitation is limited to instances where the portal is publicly accessible; the vulnerability is unpatched, with fixes planned starting May 13, 2026.
– Affected versions include multiple PAN-OS releases (10.2, 11.1, 11.2, 12.1) below specific hotfix or patch levels.
– CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 6, 2026, requiring FCEB agencies to apply fixes or mitigations by May 9, 2026.
Palo Alto Networks has issued an urgent warning about a critical buffer overflow vulnerability in its PAN-OS software that is already being actively exploited in real-world attacks.
The flaw, identified as CVE-2026-0300, enables unauthenticated remote code execution and carries a CVSS score of 9.3 when the User-ID Authentication Portal is exposed to the internet or any untrusted network. If access to the portal is limited to trusted internal IP addresses only, the severity drops to 8.7.
“A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets,” the company explained.
Palo Alto Networks confirmed that limited exploitation has been observed, specifically targeting deployments where the User-ID Authentication Portal remains publicly accessible. The following PAN-OS versions are affected:
- PAN-OS 12.1 – versions before 12.1.4-h5 and 12.1.7
As of now, no official patch is available. Palo Alto Networks plans to begin releasing fixes on May 13, 2026. The company stressed that the vulnerability only affects PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal.
“Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks, are at a greatly reduced risk,” the advisory added.
Until a patch is deployed, users are strongly advised to either restrict User-ID Authentication Portal access to trusted zones only or disable the feature entirely if it is not needed.
Update: On May 6, 2026, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog, mandating that Federal Civilian Executive Branch (FCEB) agencies apply the available fixes or mitigations by May 9, 2026.
“This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses,” a Palo Alto Networks spokesperson told The Hacker News. “We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13, 2026.”
“We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base.”
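
For triaging a firewall inventory against the 12.1 levels listed above, the following is an added example, not code from Palo Alto Networks or from this article. It assumes that a hotfix level such as 12.1.4-h5 covers only its own maintenance release while a plain level such as 12.1.7 covers that release and later ones; the hostnames and sample versions are constructed.

```python
import re

# Fixed levels for the 12.1 train, taken from the list above. Thresholds for
# 10.2, 11.1 and 11.2 are not reproduced on this page, so they are left out.
# Assumed reading: a hotfix level (12.1.4-h5) fixes only its own maintenance
# release; a plain level (12.1.7) fixes that release and everything after it.
FIXED_12_1 = ["12.1.4-h5", "12.1.7"]

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """'12.1.4-h5' -> (12, 1, 4, 5); a missing hotfix counts as 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def triage(version):
    """Return 'affected', 'fixed' or 'unknown' for one version string."""
    try:
        major, minor, maint, hotfix = parse(version)
    except ValueError:
        return "unknown"
    if (major, minor) != (12, 1):
        return "unknown"  # thresholds for this train are not on this page
    for level in FIXED_12_1:
        _, _, f_maint, f_hotfix = parse(level)
        if f_hotfix:  # hotfix level: same maintenance release, hotfix >= N
            if maint == f_maint and hotfix >= f_hotfix:
                return "fixed"
        elif maint >= f_maint:  # plain level: this maintenance release or later
            return "fixed"
    return "affected"


def triage_inventory(inventory):
    """Map {hostname: version} to {hostname: verdict}."""
    return {host: triage(ver) for host, ver in inventory.items()}


# Constructed inventory (hostnames and versions are sample values).
SAMPLE = {"fw-edge-01": "12.1.4-h3", "fw-edge-02": "12.1.4-h5",
          "fw-dc-01": "12.1.6", "fw-dc-02": "12.1.7", "fw-lab-01": "11.2.4-h1"}

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:12} {verdict}")
```

An "affected" verdict is about the software level only; per the advisory it matters on PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal.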





