CVE-2026-0300: Critical PAN-OS Zero-Day Hands Attackers Root on Exposed Firewalls
A critical buffer overflow in the PAN-OS User-ID Authentication Portal (CVE-2026-0300, CVSS 9.3) lets unauthenticated attackers execute code with root privileges on PA-Series and VM-Series firewalls. Palo Alto Networks has confirmed limited exploitation in the wild, and CISA added the flaw to its Known Exploited Vulnerabilities catalog on May 6, 2026 with a remediation deadline of May 9. If you run an affected PAN-OS version with the User-ID Authentication Portal enabled, restrict portal access to trusted zones immediately and plan to apply the patches Palo Alto begins shipping on May 13.
What is CVE-2026-0300?
CVE-2026-0300 is an out-of-bounds write vulnerability (CWE-787) in the User-ID Authentication Portal service of PAN-OS, the operating system that powers Palo Alto Networks firewalls. The User-ID Authentication Portal is also known as the Captive Portal, and it's the component that prompts users to authenticate before mapping their identity to an IP address for policy enforcement.
An unauthenticated attacker can send specially crafted packets to a reachable User-ID Authentication Portal and trigger the buffer overflow, ultimately executing arbitrary code with root privileges on the firewall itself. Palo Alto Networks notes that the vulnerability was discovered in production use.
What products and versions are affected?
The vulnerability affects PA-Series and VM-Series firewalls running PAN-OS where the User-ID Authentication Portal is enabled. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.
Affected version branches per the Palo Alto Networks security advisory:
- PAN-OS 12.1: versions before 12.1.4-h5 and before 12.1.7
- PAN-OS 11.2: versions before 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
- PAN-OS 11.1: versions before 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 10.2: versions before 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
You're only exposed if the User-ID Authentication Portal is configured. You can verify this in the PAN-OS web interface under Device > User Identification > Authentication Portal Settings.
How severe is it?
The CVSS v4.0 base score is 9.3 (Critical) when the User-ID Authentication Portal is reachable from the internet or any untrusted network. The score drops to 8.7 (High) when access is restricted to trusted internal IP addresses.
The exploitation profile is straightforward and serious for an edge device:
- Attack vector: Network
- Attack complexity: Low
- Privileges required: None
- User interaction: None
- Impact: Full compromise (root code execution) of the firewall
CISA added CVE-2026-0300 to the KEV catalog on May 6, 2026, with a Federal Civilian Executive Branch remediation deadline of May 9, 2026. That three-day window is unusually short and reflects the active exploitation. Palo Alto Networks has confirmed limited exploitation targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet.
Are patches available?
The first fixes ship May 13, 2026, with the remainder following May 28, 2026. Patched versions per branch:
- PAN-OS 12.1: 12.1.4-h5 (May 13), 12.1.7 (May 28)
- PAN-OS 11.2: 11.2.7-h13 and 11.2.10-h6 (May 13); 11.2.4-h17 and 11.2.12 (May 28)
- PAN-OS 11.1: 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, and 11.1.13-h5 (May 13); 11.1.7-h6 and 11.1.15 (May 28)
- PAN-OS 10.2: 10.2.10-h36 and 10.2.18-h6 (May 13); 10.2.7-h34, 10.2.13-h21, and 10.2.16-h7 (May 28)
Because no fix is available before May 13, mitigations are the priority right now. Palo Alto Networks has also released a Threat Prevention signature for customers running PAN-OS 11.1 and above.
What should you do right now?
- Identify exposure. Confirm whether you have any PA-Series or VM-Series firewalls running the affected PAN-OS versions with the User-ID Authentication Portal enabled (Device > User Identification > Authentication Portal Settings).
- Restrict access immediately. If the portal is enabled, restrict it to trusted internal zones only. Palo Alto Networks' knowledge base article on securing the management interface walks through the configuration steps. Removing internet exposure drops the CVSS from 9.3 to 8.7 and effectively eliminates the in-the-wild exploitation pattern Palo Alto has observed.
- Disable the portal if you don't need it. Many customers have the User-ID Authentication Portal enabled as a leftover from earlier configurations. If you don't actively use Captive Portal authentication, turn it off.
- Apply the Threat Prevention signature. Customers on PAN-OS 11.1 and above should confirm the signature is deployed and active.
- Patch on day one. Schedule patching for the May 13 release window. Stage in a non-production HA pair if available, then roll forward.
- Hunt for prior compromise. Because exploitation predates the public advisory, organizations with internet-facing portals should review firewall logs for unusual traffic to the portal, unexpected outbound connections from the firewall itself, and any administrative changes that can't be tied back to a known operator.
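The "Identify exposure" step above comes down to two facts per firewall: whether its PAN-OS version falls below the fixed version on its branch, and whether the portal is enabled and reachable from outside trusted zones. The following script is an added example, not code from Halo Security or Palo Alto Networks, that encodes the fixed-version table from this post and triages a firewall inventory. Two assumptions are built in and labelled in the code: the inventory (hostnames, versions, portal flags) is constructed sample data rather than output of any real tool, and the fix-list rule is the usual reading of a "versions before X" list per branch, namely that a version is fixed when it is at or above the listed hotfix on its own maintenance release, or on a maintenance release newer than the highest one listed. The portal-enabled and portal-exposed flags still have to be read from the device (Device > User Identification > Authentication Portal Settings, and your zone and policy configuration); the script only combines them.

```python
"""Triage PAN-OS firewalls against the CVE-2026-0300 fixed-version list.

Added example. Fixed versions are transcribed from the advisory summary
above; the branch rule and the sample inventory are assumptions.
"""
import re
from typing import NamedTuple

# Fixed versions per branch, as listed in the post (both May 13 and May 28 releases).
FIXED_VERSIONS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

# Triage order: exposed-and-vulnerable first, already-fixed last.
PRIORITY = {
    "vulnerable-exposed": 0,
    "vulnerable-internal": 1,
    "portal-disabled": 2,
    "not-listed": 3,
    "fixed": 4,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the version carries no -hN suffix

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_version(text: str) -> PanosVersion:
    """Parse 'MAJOR.MINOR.MAINT' with an optional '-hN' hotfix suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> bool:
    """True when the version is below every applicable fix on its branch.

    Assumed rule: a version is fixed if it sits at or above the listed hotfix
    on its own maintenance release, or on a maintenance release newer than the
    highest one listed for the branch. Branches not in the table return False.
    """
    v = parse_version(version)
    fixes = [parse_version(f) for f in FIXED_VERSIONS.get(v.branch, [])]
    if not fixes:
        return False
    for f in fixes:
        if v.maint == f.maint:          # same maintenance release: compare hotfix level
            return v.hotfix < f.hotfix
    if v.maint > max(f.maint for f in fixes):
        return False                    # newer than the last listed fix on the branch
    return True                         # an in-between release with no fix of its own


def assess(version: str, portal_enabled: bool, portal_exposed: bool) -> str:
    """Combine version status with the portal configuration into one label."""
    if parse_version(version).branch not in FIXED_VERSIONS:
        return "not-listed"             # verify against the vendor advisory
    if not is_vulnerable(version):
        return "fixed"
    if not portal_enabled:
        return "portal-disabled"        # not exposed, but still patch on day one
    return "vulnerable-exposed" if portal_exposed else "vulnerable-internal"


# Constructed sample inventory: (hostname, PAN-OS version, portal enabled, portal exposed).
INVENTORY = [
    ("fw-edge-01", "11.1.10-h24", True, True),
    ("fw-core-02", "10.2.16-h7", True, False),
    ("fw-lab-03", "11.2.11", False, False),
    ("fw-dc-04", "11.2.12", True, True),
    ("fw-branch-05", "12.1.5", True, False),
]


def triage(inventory):
    """Return (hostname, status) pairs, most urgent first."""
    rows = [(host, assess(ver, enabled, exposed)) for host, ver, enabled, exposed in inventory]
    return sorted(rows, key=lambda r: PRIORITY[r[1]])


if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host:14} {status}")
```

The branch rule matters more than it looks: 11.2.11 has no fix of its own and must move to 11.2.12, while 11.2.10-h6 is already fixed, so a plain "is my version older than the newest number" comparison would misclassify both. Feed the script real versions and portal flags from your own inventory; the version check alone never tells you whether the portal is on.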
How Halo Security can help
Halo Security is actively detecting CVE-2026-0300 during scans. If you're a customer with PAN-OS firewalls on your external attack surface, our Server Scanning coverage is already flagging exposure to this vulnerability, so the first thing to do is review your latest scan results.
If you're an existing Halo Security customer, our team is here to help walk you through your exposure. Schedule a security review and we'll review your scan results with you.
If you're not yet a Halo Security customer and want to see whether CVE-2026-0300 affects any asset on your perimeter, request a free demo and scan of your attack surface.
FAQ
Is CVE-2026-0300 being actively exploited?
Yes. Palo Alto Networks has confirmed limited exploitation in the wild against User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on May 6, 2026.
How quickly do I need to patch?
If your User-ID Authentication Portal is reachable from the internet, treat this as same-day urgency and apply the mitigations now rather than waiting for the May 13 patch. CISA's KEV remediation deadline for federal agencies is May 9, 2026, which is a strong signal of how urgent this is for everyone else as well.
How can I tell if I'm affected?
Check whether you're running an affected PAN-OS version on PA-Series or VM-Series hardware, then verify whether the User-ID Authentication Portal is enabled under Device > User Identification > Authentication Portal Settings. If the portal is enabled and exposed beyond trusted internal zones, you're at critical risk.
Halo Security scans can detect targets with this vulnerability.
Are Prisma Access, Cloud NGFW, or Panorama affected?
No. Palo Alto Networks has confirmed that Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by CVE-2026-0300. The vulnerability is specific to PAN-OS on PA-Series and VM-Series firewalls.
Why is this CVE not yet fully detailed in NVD?
CVE-2026-0300 is currently undergoing enrichment at NVD, meaning the full reference data, CVSS vector, and CPE applicability statements are still being added. NVD enrichment lag has been a recurring issue throughout 2024 and 2025, and we cover the broader implications in our analysis of the NIST vulnerability shift. For active threats, the vendor advisory and CISA's KEV entry are often the authoritative sources.
Staying ahead of what's next
We'll keep this post updated as Palo Alto Networks releases additional patches and as exploitation activity evolves. For broader context on why KEV-listed vulnerabilities like this one deserve to jump the queue ahead of higher-CVSS findings on internal systems, our guide to Known Exploited Vulnerabilities walks through the full reasoning.