CVE-2026-0300: Palo Alto PAN-OS Zero-Day RCE Exploited, No Patch Until May 13

CVE-2026-0300 (a critical buffer overflow vulnerability in Palo Alto Networks' PAN-OS firewall operating system, CVSS v3.1 score 9.3 — rated Critical) allows an unauthenticated remote attacker to execute arbitrary code with full root privileges on affected devices. As of May 7, 2026, no patch exists. CISA has confirmed active exploitation by adding CVE-2026-0300 to its Known Exploited Vulnerabilities catalog. First patches are scheduled to begin rolling out on May 13, 2026.

CVE-2026-0300: Technical Details

CVE-2026-0300 is a buffer overflow (a class of memory corruption vulnerability where an attacker writes data past the boundary of an allocated memory region, overwriting adjacent memory to hijack program execution flow) in the User-ID Authentication Portal component of PAN-OS — the operating system powering Palo Alto Networks' PA-Series hardware firewalls and VM-Series virtualized firewalls.

The vulnerable component is the Captive Portal subsystem: the web-facing interface that authenticates users before granting them network access. An unauthenticated attacker can deliver specially crafted packets to this portal, triggering the overflow and achieving Remote Code Execution (RCE — the ability to run arbitrary commands on the target system) with root-level privileges, giving full control over the device.

Palo Alto Networks has confirmed that exploitation is automatable. That means threat actors can script attacks and run them at scale across multiple targets, rather than requiring manual interaction with each device. This significantly elevates the risk of widespread opportunistic exploitation.

The CVSS v3.1 score of 9.3 reflects the following characteristics:

  • Attack Vector: Network — exploitable remotely over the internet, no physical access required
  • Privileges Required: None — no credentials or authenticated session needed
  • Attack Complexity: Low — no special conditions or race conditions must be met
  • Impact: High across Confidentiality, Integrity, and Availability — full system compromise possible

When the Authentication Portal is restricted to trusted internal IP ranges only (not internet-exposed), the environmental CVSS score adjusts to 8.7 (High). Both configurations warrant urgent action.

Palo Alto Networks has not publicly attributed exploitation to any specific threat actor or ransomware group. The company characterizes the observed exploitation as currently "limited," targeting internet-exposed User-ID Authentication Portals.

Exploitation Status and Threat Landscape

CVE-2026-0300 has been confirmed as actively exploited via inclusion in CISA's Known Exploited Vulnerabilities (KEV) catalog — CISA (the U.S. Cybersecurity and Infrastructure Security Agency) maintains this list to signal that a vulnerability has been observed being weaponized in real-world attacks, not just disclosed theoretically. Inclusion in the KEV catalog also triggers mandatory remediation timelines for U.S. federal civilian executive branch agencies under CISA Binding Operational Directive 22-01.

Security research firm VulnCheck assessed that detection rules "will likely start to fire in third-party organizations and honeypots shortly," indicating that exploitation attempts are expanding beyond the initial wave. Caitlin Condon, VulnCheck's Vice President of Security Research, characterized CVE-2026-0300 as requiring immediate defensive action regardless of current exploitation scale.

Security firm watchTowr independently prioritized CVE-2026-0300 through its Instinct platform, deploying its Adversary Sight engine to identify affected instances across managed client environments. watchTowr CEO Benjamin Harris confirmed that AI-driven rapid-reaction capabilities were used to surface exposure across client networks immediately following disclosure.

No public Proof-of-Concept (PoC — working exploit code released openly that enables others to reproduce an attack) has been published as of this writing. However, the automatable nature of the exploit and the CISA KEV confirmation together indicate that weaponized capability exists in private threat actor hands.

Analysis of internet-facing PAN-OS infrastructure has identified over 5,800 VM-Series instances publicly exposed — though not all will have the Authentication Portal enabled or accessible from untrusted networks. Even a fraction of these represent high-value targets given that firewalls sit at the perimeter of sensitive enterprise and government networks.

Who Is Affected

Vulnerable PAN-OS versions:

  • PAN-OS 12.1 (before 12.1.4-h5 and 12.1.7)
  • PAN-OS 11.2 (multiple sub-versions — consult the Palo Alto Networks security advisory)
  • PAN-OS 11.1 (multiple sub-versions)
  • PAN-OS 10.2 (multiple sub-versions)

The vulnerability affects PA-Series hardware firewalls and VM-Series virtualized firewalls where the User-ID Authentication Portal (Captive Portal) is enabled and accessible from untrusted networks. Organizations are at maximum risk when this portal is internet-exposed.
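The version list above is awkward to apply by hand across a large estate, so here is an added inventory triage helper (example code written for this article, not Palo Alto Networks tooling). It parses PAN-OS version strings of the form major.minor.maint or major.minor.maint-hN and compares them against the fixed versions the page gives for the 12.1 branch. Two assumptions are built in and labelled in the code: first, the page's "before 12.1.4-h5 and 12.1.7" is read as "patched if at 12.1.4-h5 or a later 12.1.4 hotfix, or at 12.1.7 or later", so 12.1.5 and 12.1.6 are reported vulnerable because no fix for them appears on the page; second, the 11.2, 11.1 and 10.2 branches carry empty placeholder lists, since the page only says "multiple sub-versions", and those must be filled from the vendor advisory before the verdicts for them mean anything. The hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed versions as stated on this page for the 12.1 branch. The other
# affected branches are listed on the page only as "multiple sub-versions";
# their entries below are PLACEHOLDERS to be filled from the vendor advisory.
FIXED_VERSIONS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": [],  # PLACEHOLDER: fill from the Palo Alto Networks advisory
    "11.1": [],  # PLACEHOLDER
    "10.2": [],  # PLACEHOLDER
}

# major.minor.maint with an optional -hN hotfix suffix
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'12.1.4-h5' -> (12, 1, 4, 5); '12.1.7' -> (12, 1, 7, 0); None if malformed."""
    m = VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version_text):
    """Classify one PAN-OS version string.

    Returns 'patched', 'vulnerable', 'branch_not_listed' or 'unknown'.

    Assumed interpretation of the fixed-version list: a build is patched when
    it is a listed fixed version or a later hotfix of that same maintenance
    release, or when it is at or beyond a listed fixed maintenance release
    that has no hotfix suffix. Anything else in an affected branch is
    vulnerable; an affected branch with no fixed versions recorded is unknown.
    """
    v = parse_version(version_text)
    if v is None:
        return "unknown"
    branch = f"{v[0]}.{v[1]}"
    if branch not in FIXED_VERSIONS:
        return "branch_not_listed"  # not named as affected on this page
    fixes = [parse_version(f) for f in FIXED_VERSIONS[branch]]
    if not fixes:
        return "unknown"  # affected branch, fixed versions not on the page
    for f in fixes:
        same_maint_later_hotfix = v[2] == f[2] and v[3] >= f[3]
        later_maint_release = f[3] == 0 and v[2] > f[2]
        if same_maint_later_hotfix or later_maint_release:
            return "patched"
    return "vulnerable"


def triage_inventory(inventory):
    """Map {hostname: version} to {hostname: verdict}."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {
        "fw-edge-01": "12.1.4-h3",
        "fw-edge-02": "12.1.4-h5",
        "fw-dc-01": "12.1.6",
        "fw-dc-02": "12.1.7",
        "fw-branch-01": "11.2.3",
        "fw-lab-01": "9.1.17",
    }
    for host, verdict in triage_inventory(sample).items():
        print(f"{host:14} {sample[host]:10} {verdict}")
```

Feed it the output of your asset inventory and treat every "vulnerable" or "unknown" device with a reachable Authentication Portal as a candidate for the access restriction and forensic review described below.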

Not affected:

  • Prisma Access (Palo Alto's cloud-delivered security service)
  • Cloud NGFW (cloud-native next-generation firewall)
  • Panorama (centralized management platform)

Organizations running the Authentication Portal restricted to internal-only IP ranges face a reduced but not zero risk. Organizations with the portal reachable from the internet should treat potentially exposed devices as compromised until a forensic review is completed.

High-risk sectors include financial services, government agencies, healthcare, energy, and managed security service providers — all of which frequently deploy PAN-OS firewalls as primary network perimeter controls.

What You Should Do Right Now

  • Restrict portal access immediately. In the PAN-OS management console, navigate to Device > User Identification > Authentication Portal Settings and limit access to trusted internal IP ranges. If the Captive Portal is not actively in use for your environment, disable it entirely. This is the single highest-impact mitigation available before patches arrive.
  • Apply patches as soon as they release. Palo Alto Networks' patch rollout begins May 13, 2026, with additional version coverage on May 28, 2026. Subscribe to Palo Alto Networks security advisories to receive release notifications and verify the correct patched version for your specific PAN-OS branch.
  • Inventory all internet-exposed Authentication Portals. Audit your environment to identify every PAN-OS appliance with a portal accessible from untrusted networks. Cross-reference with your asset inventory and ensure access is being actively restricted on all affected devices.
  • Enable threat logging and monitor portal traffic. Review PAN-OS threat logs for anomalous POST requests to the Captive Portal URL, unexpected authentication attempts from external IP ranges, and processes unexpectedly spawning from portal services. The following CLI commands check portal status:

    # PAN-OS CLI — confirm captive portal configuration
    show running security-policy | match captive-portal

    # Check Authentication Portal listener status
    show system info | match portal

  • Run a forensic review on exposed devices. Any PAN-OS appliance with the portal internet-exposed should be treated as potentially compromised. Use Palo Alto Networks' Device Telemetry collection to baseline device state and look for signs of unauthorized modification.
  • Federal agencies: treat this as a 48-hour priority. CISA BOD 22-01 requires federal civilian executive branch agencies to remediate KEV-listed vulnerabilities on mandated timelines. Given active exploitation and a CVSS of 9.3, this warrants emergency change control and immediate escalation to CISO level.
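The monitoring step above asks for three things to be pulled out of portal traffic: POSTs to the portal URL from outside the trusted ranges, repeated attempts from a single external source, and requests that look anomalous. The script below is an added example of that triage logic (written for this article, not a Palo Alto Networks tool, and not a parser for PAN-OS's native threat-log schema). It runs over a constructed key=value log excerpt embedded in the file; the portal path prefix /auth-portal/, the RFC 1918 ranges standing in for "trusted internal IP ranges", and the body-size and burst thresholds are all assumptions to be replaced with your own values. The source addresses come from the TEST-NET documentation ranges and are not real.

```python
import ipaddress
import re
from collections import Counter

# Assumption: RFC 1918 space stands in for the trusted internal ranges the
# portal is supposed to be restricted to. Replace with your own allow-list.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical portal path prefix; substitute the URL your portal serves.
PORTAL_PREFIX = "/auth-portal/"

# Constructed key=value log excerpt. This is not PAN-OS's threat-log format;
# the addresses are from documentation ranges (TEST-NET-3 and TEST-NET-2).
SAMPLE_LOG = """\
2026-05-07T10:15:01Z src=192.168.4.20 method=GET path=/auth-portal/login status=200 bytes=312
2026-05-07T10:15:03Z src=192.168.4.20 method=POST path=/auth-portal/login status=302 bytes=96
2026-05-07T10:16:40Z src=203.0.113.7 method=POST path=/auth-portal/login status=200 bytes=48231
2026-05-07T10:16:41Z src=203.0.113.7 method=POST path=/auth-portal/login status=200 bytes=48231
2026-05-07T10:16:42Z src=203.0.113.7 method=POST path=/auth-portal/login status=200 bytes=48231
2026-05-07T10:17:00Z src=198.51.100.22 method=GET path=/status status=404 bytes=0
2026-05-07T10:18:15Z src=10.1.1.5 method=POST path=/auth-portal/login status=302 bytes=101
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) "
    r"path=(?P<path>\S+) status=(?P<status>\d+) bytes=(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line into a dict; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_trusted(src):
    """True if the source address lies inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparseable source is never trusted
    return any(addr in net for net in TRUSTED_NETS)


def triage(log_text, body_threshold=8192, burst_threshold=3):
    """Pull out portal requests that merit review.

    external_posts: POSTs to the portal from outside the trusted ranges
    large_bodies:   those POSTs whose body exceeds body_threshold bytes
    burst_sources:  external sources with >= burst_threshold portal requests
    """
    external_posts, large_bodies = [], []
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(PORTAL_PREFIX):
            continue  # malformed, or not portal traffic at all
        if is_trusted(rec["src"]):
            continue  # internal client doing what the portal is for
        hits[rec["src"]] += 1
        if rec["method"] == "POST":
            external_posts.append((rec["ts"], rec["src"], rec["path"]))
            if rec["bytes"] > body_threshold:
                large_bodies.append((rec["ts"], rec["src"], rec["bytes"]))
    burst_sources = {ip: n for ip, n in hits.items() if n >= burst_threshold}
    return {
        "external_posts": external_posts,
        "large_bodies": large_bodies,
        "burst_sources": burst_sources,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Any hit at all in external_posts is already a finding while the portal is supposed to be internal-only: it means the access restriction is not in effect for that device. The burst and body-size views help rank which devices to pull into forensic review first.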

Background: Understanding the Risk

Buffer overflow vulnerabilities in firewall operating systems represent the highest-severity class of security flaw in enterprise network architecture. A firewall occupies the boundary between trusted and untrusted networks — precisely the position an attacker most wants to control. Root-level execution on a perimeter firewall gives an attacker the ability to:

  • Inspect and modify all traffic traversing the device, including sessions that would otherwise be protected by SSL/TLS inspection policies
  • Alter or disable security policies, selectively blinding the firewall to subsequent attack traffic
  • Establish persistent backdoors within PAN-OS configuration that survive reboots
  • Pivot into internal networks that were previously isolated behind the firewall, reaching servers, databases, and endpoints

Palo Alto Networks firewalls are among the most widely deployed enterprise perimeter security appliances globally. This is not the first critical RCE affecting PAN-OS. CVE-2024-3400 — a command injection vulnerability in the GlobalProtect Gateway — was exploited by nation-state threat actors within days of disclosure in April 2024, affecting tens of thousands of organizations worldwide before patches were widely applied. The exploitation pattern for CVE-2026-0300 appears to be tracking a similar timeline.

The Authentication Portal is a component that, by design, often must be reachable from end-user networks for organizations that enforce captive portal authentication. This creates operational tension: the mitigation (restrict access) directly conflicts with the legitimate use case for which the portal was deployed. Organizations that cannot immediately restrict access without disrupting operations should escalate this to executive and network operations leadership as a P1 incident.

Conclusion

CVE-2026-0300 is an unauthenticated, root-level remote code execution vulnerability in one of the most sensitive components of enterprise network infrastructure. With active exploitation confirmed by CISA, no patch available until May 13, and over 5,800 potentially exposed instances visible on the internet, this demands emergency response — not scheduled maintenance. Restrict Authentication Portal access to internal networks now, prepare for emergency patching on May 13, and begin forensic review on any device that was internet-exposed.
