Palo Alto warns of a critical flaw in PAN-OS already exploited in attacks

Palo Alto Networks has warned about a critical zero-day vulnerability in PAN-OS that is already being exploited in limited ways against firewalls exposed to untrusted networks or directly to the Internet. The flaw, identified as CVE-2026-0300, affects the User-ID Authentication Portal, also known as Captive Portal, a feature used to authenticate users when the firewall cannot automatically associate an identity with an IP address.

The severity of the issue lies in the combination of three factors: it requires no authentication, it can be exploited over the network, and it allows arbitrary code execution with root privileges on PA-Series and VM-Series firewalls through specially crafted packets. Palo Alto Networks assigns the flaw a CVSS 4.0 score of 9.3 and its “highest” urgency level in the security advisory.

A vulnerability in a sensitive firewall function

The User-ID Authentication Portal is part of PAN-OS’s user identification mechanisms. In many corporate networks, firewalls not only enforce rules based on IP or port but also on user identity, group, application, or context. When the system cannot automatically map an IP to a user, this function can prompt for authentication to complete that association.

This design is useful in corporate environments, but it becomes dangerous if the portal is accessible from the Internet or untrusted zones. Palo Alto Networks states that the risk is greatly reduced when best practices are followed, and access to such sensitive portals is restricted to internal trusted networks. The company has confirmed limited exploitation targeting portals exposed to untrusted IP addresses or the public Internet.

The vulnerability is described as a buffer overflow, specifically an out-of-bounds write, classified as CWE-787. In practice, an unauthenticated remote attacker could send manipulated packets to trigger code execution with root privileges. This represents one of the most severe situations for a perimeter firewall: the device meant to protect the network could become its entry point.

According to Palo Alto Networks, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability. The issue is limited to PA-Series and VM-Series firewalls with PAN-OS configured to use the User-ID Authentication Portal under specific exposure conditions.

Which versions are affected and how to check exposure

Palo Alto Networks has published a table listing affected versions and the expected fix releases for PAN-OS 12.1, 11.2, 11.1, and 10.2. The first updates are scheduled for 05/13/2026 across several branches, with others expected on 05/28/2026, according to the official calendar included in the advisory. NHS England also cites these dates and recommends applying the patches as soon as they become available.

The manufacturer explains that an organization is exposed if two conditions are met. First, the User-ID Authentication Portal is enabled via Device > User Identification > Authentication Portal Settings > Enable Authentication Portal. Second, an interface management profile with Response Pages enabled exists and is associated with an external or Internet-accessible interface.

Until patches are available, a priority mitigation is to restrict access to the User-ID Authentication Portal only to trusted zones and to disable Response Pages in interface management profiles associated with zones where untrusted traffic may enter. If the portal is unnecessary, Palo Alto Networks recommends disabling it.

The company also suggests an additional measure for Threat Prevention subscribers: enable Threat ID 510019 from Applications and Threats content version 9097-10022. Support for this ID requires PAN-OS 11.1 or newer because of the decoding capabilities it depends on. This can help block exploitation attempts but does not replace the need for the proper fix once the patch is released.
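The two exposure conditions above (portal enabled, plus an interface management profile with Response Pages enabled on an externally reachable interface) can be checked offline against an exported configuration. The script below is an added example, not Palo Alto Networks code. It runs over a constructed sample of a PAN-OS XML export; the element names it looks for (enable-captive-portal, interface-management-profile, response-pages, zone membership) and the set of zone names treated as untrusted are assumptions to verify against your own export before relying on the result.

```python
"""Offline check for the two CVE-2026-0300 exposure conditions in a PAN-OS config export.

Added example, not vendor code. Element names and the untrusted-zone list are
assumptions drawn from a constructed sample config; adapt them to your export.
"""
import xml.etree.ElementTree as ET

# Constructed sample export: portal enabled, one profile with Response Pages on an
# interface in the "untrust" zone, and one profile without Response Pages on a trusted one.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles><interface-management-profile>
        <entry name="allow-pages"><response-pages>yes</response-pages></entry>
        <entry name="mgmt-only"><response-pages>no</response-pages><ping>yes</ping></entry>
      </interface-management-profile></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3>
          <interface-management-profile>allow-pages</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/2"><layer3>
          <interface-management-profile>mgmt-only</interface-management-profile>
        </layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1">
      <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
      <zone>
        <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
        <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
      </zone>
    </entry></vsys>
  </entry></devices>
</config>"""

# Assumption: zone names that receive untrusted or Internet traffic in your deployment.
UNTRUSTED_ZONES = {"untrust", "internet", "dmz"}


def _is_yes(node):
    return node is not None and (node.text or "").strip().lower() == "yes"


def portal_enabled(root):
    """Condition 1: Authentication Portal (Captive Portal) enabled anywhere in the config."""
    return any(_is_yes(n) for n in root.iter("enable-captive-portal"))


def profiles_with_response_pages(root):
    """Names of interface management profiles that have Response Pages enabled."""
    names = set()
    for container in root.iter("interface-management-profile"):
        # The same tag is used for the profile container and for per-interface references;
        # only the container has <entry> children.
        for prof in container.findall("entry"):
            if _is_yes(prof.find("response-pages")):
                names.add(prof.get("name"))
    return names


def interface_profiles(root):
    """Map interface name -> attached interface management profile name."""
    mapping = {}
    iface_tree = root.find("./devices/entry/network/interface")
    if iface_tree is None:
        return mapping
    for iface in iface_tree.iter("entry"):
        ref = iface.find(".//interface-management-profile")
        if ref is not None and ref.text and ref.text.strip():
            mapping[iface.get("name")] = ref.text.strip()
    return mapping


def zone_of_interface(root):
    """Map interface name -> zone name from zone membership lists."""
    zones = {}
    for zone in root.iter("zone"):
        for entry in zone.findall("entry"):
            for member in entry.iter("member"):
                zones[(member.text or "").strip()] = entry.get("name")
    return zones


def assess(config_xml, untrusted_zones=UNTRUSTED_ZONES):
    """Return which interfaces meet condition 2 and whether both conditions hold."""
    root = ET.fromstring(config_xml)
    enabled = portal_enabled(root)
    risky = profiles_with_response_pages(root)
    zones = zone_of_interface(root)
    exposed = []
    for iface, profile in sorted(interface_profiles(root).items()):
        zone = zones.get(iface, "")
        if profile in risky and zone.lower() in untrusted_zones:
            exposed.append((iface, zone, profile))
    return {"portal_enabled": enabled, "exposed_interfaces": exposed,
            "exposed": enabled and bool(exposed)}


def recommendations(result):
    """Mitigations from the advisory, keyed to what the assessment found."""
    if not result["portal_enabled"]:
        return ["Condition 1 not met (portal disabled); still apply the vendor fix when released."]
    actions = ["Disable the Authentication Portal if it is not needed; otherwise restrict it to trusted zones."]
    for iface, zone, profile in result["exposed_interfaces"]:
        actions.append(f"Disable Response Pages in profile '{profile}' on {iface} (zone '{zone}').")
    actions.append("Threat Prevention subscribers on PAN-OS 11.1+: enable Threat ID 510019 (content 9097-10022).")
    return actions


if __name__ == "__main__":
    verdict = assess(SAMPLE_CONFIG)
    print(verdict)
    for line in recommendations(verdict):
        print("-", line)
```

Point `assess()` at the text of a real export instead of SAMPLE_CONFIG, and extend UNTRUSTED_ZONES to match the zone naming in use; an interface with an Internet-facing profile but a zone name the script does not recognise will otherwise be missed.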

Key Point               | Details
CVE                     | CVE-2026-0300
Affected Product        | PAN-OS on PA-Series and VM-Series
Vulnerable Function     | User-ID Authentication Portal / Captive Portal
Vulnerability Type      | Buffer overflow / Out-of-bounds write
Impact                  | Remote code execution with root privileges
Authentication required | No
Exploitation observed   | Yes, limited and against exposed portals
Immediate mitigation    | Restrict to trusted zones or disable portal
Unaffected systems      | Prisma Access, Cloud NGFW, and Panorama

Exposed firewalls and a delicate window of risk

The existence of active, although limited, exploitation changes the response priority. This is not a theoretical vulnerability or one that can be deferred to the next maintenance cycle. CERT-EU has recommended applying mitigations until patches are available and updating affected devices as soon as corrected versions are released.

BleepingComputer cites Shadowserver data indicating over 5,800 exposed PAN-OS VM-Series firewalls on the Internet, mainly in Asia with 2,466, and North America with 1,998. This number does not automatically translate to vulnerable systems for CVE-2026-0300, as it depends on specific configurations of the Authentication Portal and Response Pages, but it illustrates the potential surface of exposure for such devices.

Firewalls are particularly attractive targets because they sit at the network edge and often have privileged visibility. A compromise at this level can enable persistence, lateral movement, traffic interception, rule manipulation, or access to internal systems. Vulnerabilities in perimeter devices are thus quickly exploited, especially when credential-less attacks are possible.

Recent history does little to ease concerns. PAN-OS firewalls have frequently been targeted in campaigns exploiting zero-day flaws or exposed sensitive interfaces. BleepingComputer recalls previous attacks against Palo Alto Networks devices, including chained vulnerabilities and exploits targeting management interfaces accessible from the Internet.

Administrators are advised to promptly check if the User-ID Authentication Portal is enabled, review which interfaces may receive external traffic, disable the portal if unnecessary, and restrict it strictly to internal networks if needed. It’s also prudent to monitor logs, look for anomalous activity on the portal, and prepare for a patch deployment as soon as it’s available.

In large environments, the greatest risk may not come from the primary, heavily monitored firewall, but from secondary appliances, labs, legacy setups, small branches, or virtual deployments that remain exposed because of outdated configurations. A quick inventory of PA-Series and VM-Series versions, PAN-OS settings, and active functions can make the difference between an orderly mitigation and an emergency response.

The key lesson remains: any management, authentication, or sensitive portal service at the perimeter should be treated as a critical surface. Even if a function makes sense within the network, exposing it to the Internet can turn a software bug into a direct compromise vector. Until patches are widespread, reducing exposure is the best defense.

Frequently Asked Questions

What is CVE-2026-0300?
It is a critical buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal that allows remote code execution with root privileges on certain PA-Series and VM-Series firewalls.

Does it affect all Palo Alto Networks firewalls?
No. It affects PA-Series and VM-Series devices with PAN-OS when the User-ID Authentication Portal is enabled and the devices are exposed to untrusted networks or the Internet under the conditions specified by the vendor.

Is a patch available?
Palo Alto Networks has indicated that the issue will be fixed in upcoming PAN-OS releases, with updates scheduled for 05/13/2026 and 05/28/2026. In the meantime, mitigations should be applied.

What should administrators do now?
Disable the User-ID Authentication Portal if not needed, restrict its access to trusted zones if in use, review Response Pages on exposed interfaces, enable Threat ID 510019 if applicable, and prepare to update once patches are released.
