CVE-2026-0300: Critical PAN-OS Zero-Day Gives Attackers Root Access to Firewalls

CVE-2026-0300 — a critical buffer overflow in Palo Alto Networks' PAN-OS firewall operating system — has been actively exploited by a likely state-sponsored threat actor since April 9, 2026, nearly a month before Palo Alto Networks disclosed it publicly. The flaw exists in the User-ID Authentication Portal (a PAN-OS feature that handles identity-based access control for users on the network) and allows unauthenticated remote attackers to execute arbitrary code with root privileges on exposed firewalls. No patch is yet available; the first fixes begin rolling out May 13, 2026.

CVE-2026-0300: Technical Details

CVE-2026-0300 is a buffer overflow vulnerability — a class of bug where a program writes more data to a fixed-length memory buffer than it can hold, corrupting adjacent memory and allowing attackers to redirect program execution to their own code. The overflow exists in the User-ID Authentication Portal, also called the Captive Portal — the PAN-OS component that intercepts and authenticates HTTP traffic from users whose identities the firewall cannot automatically determine through existing integration.

Palo Alto Networks' official advisory rates the flaw at a CVSS 4.0 score of 9.3 (Critical) when the portal is accessible from the internet or untrusted networks; CVSS (Common Vulnerability Scoring System) is the standardized 0–10 scale used industry-wide to communicate the severity of security vulnerabilities. The score drops to 8.7 (High) when portal access is restricted to trusted internal IP addresses only. The score reflects a network-accessible attack vector, low attack complexity, no privileges required, and no user interaction needed. An attacker sends specially crafted network packets to the exposed portal and achieves RCE (Remote Code Execution — the ability to run arbitrary commands on the targeted system) at the root level — full operating-system control of the firewall.

On a network perimeter firewall, root-level RCE means the attacker controls the device managing all traffic flowing through it: installing persistent backdoors, modifying firewall rules, intercepting VPN credentials, or pivoting deeper into the protected network.

Affected PAN-OS versions span four active branches:

  • PAN-OS 12.1: prior to 12.1.4-h5 and 12.1.7
  • PAN-OS 11.2: prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
  • PAN-OS 11.1: prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  • PAN-OS 10.2: prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
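As an added example (not code from the advisory or from Palo Alto Networks), a small Python checker that parses PAN-OS version strings of the form major.minor.maintenance[-hN] and tests them against the fixed versions listed above. The branch cut-offs are the ones above; treating a maintenance release newer than the last one listed for a branch as fixed is an assumption.

```python
import re
from typing import Tuple

# First fixed release in each maintenance line, per the list above.
FIXED_VERSIONS = [
    "12.1.4-h5", "12.1.7",
    "11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12",
    "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15",
    "10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6",
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maintenance[-hN]' into a comparable tuple.
    A release without a hotfix suffix is treated as hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def cve_2026_0300_status(version: str) -> str:
    """Return 'fixed', 'affected' or 'unlisted-branch' for a PAN-OS version."""
    major, minor, maint, hotfix = parse_version(version)
    fixes = [parse_version(f) for f in FIXED_VERSIONS
             if parse_version(f)[:2] == (major, minor)]
    if not fixes:
        return "unlisted-branch"  # e.g. 11.0.x: not one of the four branches listed
    for _, _, fix_maint, fix_hotfix in fixes:
        if maint == fix_maint and hotfix >= fix_hotfix:
            return "fixed"
    # Assumption: maintenance releases newer than the last one listed for the
    # branch carry the fix. Releases between listed fixes (e.g. 12.1.5, 12.1.6)
    # have no fixed hotfix and are affected.
    if maint > max(f[2] for f in fixes):
        return "fixed"
    return "affected"


if __name__ == "__main__":
    for v in ("12.1.4-h5", "12.1.4-h3", "12.1.6", "11.2.11", "10.2.19", "11.0.3"):
        print(v, cve_2026_0300_status(v))
```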

Not affected: Prisma Access, Cloud NGFW, and Panorama management appliances are explicitly confirmed as unaffected.

Exploitation Status and Threat Landscape

CVE-2026-0300 is not a theoretical risk. According to Unit 42's threat brief, unsuccessful exploitation attempts against a PAN-OS device began on April 9, 2026. Approximately one week later, attackers successfully achieved RCE and injected shellcode into the device. This makes the active exploitation window nearly 28 days before public disclosure — a significant dwell time during which organizations had no way to know they were being targeted.

The exploitation campaign is attributed to a cluster tracked as CL-STA-1132 and assessed as "likely state-sponsored." While no named nation-state has been confirmed, the CL-STA cluster designation (Unit 42's designation for groups with probable state affiliation) indicates this is a targeted, sophisticated intrusion against high-value network infrastructure — not opportunistic criminal activity.

CISA (U.S. Cybersecurity & Infrastructure Security Agency) added CVE-2026-0300 to its KEV (Known Exploited Vulnerabilities catalog — the U.S. government's authoritative list confirming active exploitation in the wild) on May 6, 2026. Federal Civilian Executive Branch (FCEB) agencies received a deadline of May 9, 2026 to apply mitigations — a 72-hour window reflecting the severity of the situation.

No public PoC (Proof-of-Concept — working exploit code published for testing or attack purposes) has been released, but state-sponsored actors demonstrably had a functional exploit for nearly a month. The absence of a public PoC does not reduce risk for organizations with exposed portals.

Who Is Affected

The vulnerability affects PA-Series hardware appliances and VM-Series virtual firewalls — but only when the User-ID Authentication Portal is accessible from the internet or an untrusted network zone. Organizations that have the portal accessible exclusively from trusted internal zones are at reduced risk but not entirely immune if a trusted zone is itself accessible to an attacker.

Palo Alto Networks firewalls are among the most widely deployed enterprise perimeter security products globally, with installations across financial services, critical infrastructure, healthcare, government, and large enterprises. The Rapid7 vulnerability analysis notes that the exposure scope is significant — organizations that have deployed internet-facing PA or VM-Series appliances with portal authentication should treat this as requiring immediate action regardless of their perceived risk exposure.

What You Should Do Right Now

No patch is currently available. Patches are rolling out between May 13 and May 28, 2026, depending on the PAN-OS branch. Until then:

  • Restrict User-ID Authentication Portal access immediately. In PAN-OS: Device > User Identification > Authentication Portal Settings — ensure the portal is bound only to trusted internal zones and not to any internet-facing interface or untrusted zone. This drops your CVSS exposure from 9.3 to 8.7 and eliminates the most direct attack path.
  • Disable the Authentication Portal entirely if your organization does not use User-ID portal-based authentication. Disabling it removes the attack surface completely.
  • Apply patches as soon as they become available. Monitor Palo Alto Networks' security advisory for hotfix releases in your specific PAN-OS branch (patch availability varies by branch between May 13 and May 28).
  • Check for indicators of compromise. If your portal was accessible from untrusted networks at any point after April 9, 2026, treat the device as potentially compromised. Review logs for: unexpected administrator account creation, new or modified policy rules, unusual outbound connections from the management plane, or shellcode injection signatures in memory.
  • Rotate credentials. VPN credentials, authentication tokens, and secrets that may have transited through or been stored on a potentially compromised device should be considered exposed and rotated.
  • FCEB agencies: CISA's May 9 deadline applies. Document mitigation actions taken and report to CISA per incident reporting requirements if the deadline cannot be met.

For network-level detection: look for PAN-OS authentication portal requests containing oversized payloads or malformed headers, and flag unexpected outbound connections from firewall management interfaces to external IP addresses.
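An added example, not part of the original article, that implements those two heuristics over constructed inputs: an HTTP request captured in front of the portal is checked for oversized or malformed header lines and an oversized body, and connection records are flagged when a management-interface address talks to a destination outside the internal ranges. The thresholds, the management address, the portal path and the sample records are assumptions.

```python
import ipaddress
from typing import Dict, List

# Assumed tuning values: adjust to what normal portal traffic looks like.
MAX_HEADER_LINE = 4096              # bytes per header line before it counts as oversized
MAX_BODY_BYTES = 64 * 1024          # bytes of request body before it counts as oversized
MGMT_INTERFACE_IPS = {"10.0.0.1"}   # assumed firewall management-plane address(es)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


def inspect_portal_request(raw: bytes) -> List[str]:
    """Return the reasons a captured portal HTTP request looks suspicious ([] if none)."""
    reasons = []
    head, _, body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:       # skip the request line
        if not line:
            continue
        if b":" not in line:                    # header lines must be name: value
            reasons.append(f"malformed header line: {line[:40]!r}")
        elif len(line) > MAX_HEADER_LINE:
            reasons.append(f"oversized header line ({len(line)} bytes)")
    if len(body) > MAX_BODY_BYTES:
        reasons.append(f"oversized body ({len(body)} bytes)")
    return reasons


def is_external(ip: str) -> bool:
    """True when an address lies outside the RFC 1918, loopback and link-local ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def flag_mgmt_egress(connections: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return records whose source is a management address and whose destination is external."""
    return [c for c in connections
            if c["src"] in MGMT_INTERFACE_IPS and is_external(c["dst"])]


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    sample = (b"POST /portal/login HTTP/1.1\r\nHost: fw.example\r\n"
              b"X-Filler: " + b"A" * 5000 + b"\r\n\r\n")
    print(inspect_portal_request(sample))
    conns = [{"src": "10.0.0.1", "dst": "198.51.100.20"},
             {"src": "10.0.0.1", "dst": "10.0.0.5"}]
    print(flag_mgmt_egress(conns))
```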

Background: Understanding the Risk

Buffer overflow vulnerabilities in perimeter security devices have a long and damaging history. The same class of bug has driven critical RCEs in Fortinet FortiOS (CVE-2024-21762, CVSS 9.6), Citrix NetScaler (CVE-2023-4966, CVSS 9.4), and Check Point Security Gateways. When these vulnerabilities appear in firewalls and VPN gateways — the systems meant to stop attackers at the network perimeter — the consequences are disproportionate: the attacker is not just inside a server, they control the security boundary itself.

What makes CVE-2026-0300 particularly serious is the pre-disclosure exploitation window. State-sponsored actors had a working exploit for 28 days while defenders had no patch, no advisory, and no way to detect the specific attack vector. This "zero-day window" gave threat actors uncontested access against any organization with an exposed Authentication Portal during that period.

This mirrors the pattern from CVE-2024-3400 — a PAN-OS GlobalProtect command injection zero-day exploited by a Volt Typhoon-adjacent cluster in 2024, which achieved unauthenticated RCE on perimeter firewalls before patches were available. The lesson from that incident applies directly here: internet-accessible management and authentication interfaces on firewall appliances are high-value targets, and organizations that restrict or eliminate that exposure dramatically reduce their attack surface.

Conclusion

CVE-2026-0300 is actively exploited by state-sponsored actors, CISA has added it to the KEV catalog, and patches are not yet available. If your PA-Series or VM-Series firewall's User-ID Authentication Portal is accessible from the internet or any untrusted network, restrict or disable it immediately. If that exposure existed after April 9, 2026, investigate for compromise and rotate credentials. Patch when the May 13–28 fixes become available for your PAN-OS branch.
