Root-level RCE vulnerability in Palo Alto firewalls exploited (CVE-2026-0300)


A critical vulnerability (CVE-2026-0300) affecting Palo Alto Networks firewalls is being actively exploited by attackers, the security company acknowledged today, and urged customers to implement mitigations as they are still working on fixes.

About CVE-2026-0300

CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. The portal enables user identification for unknown traffic, i.e., situations where the firewall cannot automatically map an IP address to a specific user identity.

The vulnerability can be exploited by unauthenticated attackers to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls, and can be triggered by sending specially crafted packets.

Palo Alto Networks says that exploitation is automatable, though it did not speculate on whether the current in-the-wild attacks are automated.

They merely stated that “limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet.”

What to do?

Palo Alto Networks firewalls are regularly targeted by attackers, via known and zero-day vulnerabilities.

CVE-2026-0300 affects PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal and run PAN-OS software:

  • Before versions 12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, and 10.2.18-h6 (to be released around May 13)
  • Before versions 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, and 10.2.16-h7 (to be released around May 28)

“Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability,” Palo Alto confirmed.

Until the security updates are released, customers can mitigate the risk of exploitation by:

  • Limiting access to the vulnerable portal: allow access only from trusted zones
  • Disabling the portal if it is not required (Device > User Identification > Authentication Portal Settings > Disable Authentication Portal)

“Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks, are at a greatly reduced risk,” the company added.

Once security updates are released, they should be applied as soon as possible, though access to the captive portal should continue to be restricted only to trusted internal IP addresses.
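As an added example (not from the article or from Palo Alto Networks), the following Python script classifies a fleet's PAN-OS version strings against the fixed versions listed above, so that devices still running a vulnerable release can be prioritised for patching or for the portal restrictions described earlier. It assumes the usual PAN-OS version syntax of major.minor.patch with an optional -hN hotfix suffix, and reads the "before versions" lists as follows: a release is fixed if it carries a listed hotfix (or later) for its maintenance release or sits at or above the highest listed fix in its feature train; trains the lists do not name are reported as unknown.

```python
import re
from typing import Dict, List, Tuple

# Fixed PAN-OS versions as listed in the advisory excerpt above (both release waves).
FIXED_VERSIONS = [
    "12.1.4-h5", "11.2.7-h13", "11.2.10-h6", "11.1.4-h33", "11.1.6-h32",
    "11.1.10-h25", "11.1.13-h5", "10.2.10-h36", "10.2.18-h6",
    "12.1.7", "11.2.4-h17", "11.2.12", "11.1.7-h6", "11.1.15",
    "10.2.7-h34", "10.2.13-h21", "10.2.16-h7",
]

# Assumed version syntax: major.minor.patch with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.2.7-h13' into (11, 2, 7, 13); a release without a hotfix gets hotfix 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)

def classify(version: str) -> str:
    """Return 'fixed', 'affected' or 'unknown' for one PAN-OS version.
    Assumed reading of the 'before versions' lists: fixed means a listed hotfix (or later)
    for the device's maintenance release, or anything at or above the highest listed fix in
    its feature train (e.g. 11.2.x); trains absent from the lists (e.g. 10.1) are unknown."""
    v = parse_version(version)
    train_fixes = [parse_version(f) for f in FIXED_VERSIONS if parse_version(f)[:2] == v[:2]]
    if not train_fixes:
        return "unknown"
    if v >= max(train_fixes):
        return "fixed"
    if any(f[:3] == v[:3] and v[3] >= f[3] for f in train_fixes):
        return "fixed"
    return "affected"

def triage(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Classify a {hostname: version} inventory; affected devices are listed first so
    they can be prioritised for patching or for the portal access restrictions."""
    order = {"affected": 0, "unknown": 1, "fixed": 2}
    rows = [(host, ver, classify(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

if __name__ == "__main__":
    sample = {"fw-edge-01": "11.2.7-h12", "fw-dc-01": "10.2.18-h5",  # constructed sample inventory
              "fw-lab-01": "10.1.9", "fw-vm-01": "12.1.8"}
    for host, ver, status in triage(sample):
        print(f"{host:12} {ver:12} {status}")
```

Version alone does not settle exposure: a device on an affected release is only reachable through this bug if the Authentication Portal is enabled and reachable from untrusted networks, so pair the output with the portal settings check above.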
