Palo Alto PAN-OS Critical RCE Flaw CVE-2026-0300 Under Attack
Palo Alto Networks has disclosed a critical vulnerability in PAN-OS software, tracked as CVE-2026-0300, that is already being actively exploited in the wild.
Carrying a CVSS 4.0 score of 9.3 (CRITICAL), the flaw enables unauthenticated remote attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls, requiring no credentials, no user interaction, and no special conditions.
The vulnerability resides in the User-ID™ Authentication Portal service within PAN-OS. An unauthenticated attacker can deliver specially crafted network packets to trigger an out-of-bounds write condition (CWE-787), resulting in a buffer overflow that yields root-level code execution on the targeted firewall.
With a NETWORK attack vector, zero attack complexity, and no privileges required, the flaw is fully automatable, making it a prime candidate for large-scale, opportunistic exploitation campaigns.
Palo Alto Networks has confirmed limited exploitation is already occurring, specifically targeting Authentication Portals exposed to untrusted IP addresses and the public internet. The exploit maturity is officially classified as ATTACKED.
Affected Products and Versions
The vulnerability impacts PA-Series and VM-Series firewalls across several PAN-OS branches. Administrators running any of the following unpatched versions are at risk:
- PAN-OS 10.2 — versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
- PAN-OS 11.1 — versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 11.2 — versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
- PAN-OS 12.1 — versions below 12.1.4-h5 and 12.1.7
Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The vulnerability is only exploitable on firewalls where the User-ID™ Authentication Portal is explicitly enabled and reachable from untrusted networks.
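The fixed-version list above is awkward to apply by hand across a fleet because each PAN-OS branch carries several maintenance releases, each with its own hotfix level. The following script is an added example (not code from Palo Alto Networks or from the advisory) that parses PAN-OS version strings of the form MAJOR.MINOR.MAINT[-hN], compares them against the fixed releases listed above, and triages a constructed sample inventory. It treats a version as "fixed" when it matches a listed maintenance release at or above the fixing hotfix, or is newer than the newest listed maintenance release in its branch; a version in a branch the advisory does not list is reported as "not-listed" rather than guessed. The version check alone is only the first filter: as the text notes, a firewall is exploitable only when the Authentication Portal is enabled and reachable from untrusted networks, so the configuration audit still has to follow.

```python
import re
from typing import NamedTuple

# Fixed releases per PAN-OS branch, transcribed from the advisory summary above.
# Key: (major, minor) branch; value: list of (maintenance, hotfix) that ship the fix.
# A hotfix of 0 means the base maintenance release itself contains the fix.
FIXED = {
    (10, 2): [(7, 34), (10, 36), (13, 21), (16, 7), (18, 6)],
    (11, 1): [(4, 33), (6, 32), (7, 6), (10, 25), (13, 5), (15, 0)],
    (11, 2): [(4, 17), (7, 13), (10, 6), (12, 0)],
    (12, 1): [(4, 5), (7, 0)],
}

# PAN-OS prints versions as e.g. "10.2.7-h34"; the hotfix suffix is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int


def parse_version(text: str) -> PanOsVersion:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into its numeric components."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def assess(text: str) -> str:
    """Return 'vulnerable', 'fixed' or 'not-listed' for one version string."""
    v = parse_version(text)
    fixes = FIXED.get((v.major, v.minor))
    if fixes is None:
        # Branch not covered by the list above: consult the vendor advisory.
        return "not-listed"
    for maint, hotfix in fixes:
        if v.maint == maint:
            # Same maintenance release: fixed only at or above the fixing hotfix.
            return "fixed" if v.hotfix >= hotfix else "vulnerable"
    # No entry for this maintenance release. A release newer than the newest
    # listed one carries the fix; anything older is "below" a fixed version.
    if v.maint > max(m for m, _ in fixes):
        return "fixed"
    return "vulnerable"


def triage(inventory: dict) -> dict:
    """Map firewall name -> status for a {name: version} inventory."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "dc-edge-01": "10.2.7-h33",    # below the 10.2.7 fixing hotfix
        "dc-edge-02": "10.2.7-h34",    # exactly the fixing hotfix
        "branch-fw-1": "11.1.14-h2",   # unlisted release below 11.1.15
        "branch-fw-2": "11.1.15",      # base release that ships the fix
        "cloud-vm-01": "12.1.8",       # newer than the newest listed 12.1 fix
        "legacy-fw":   "9.1.16",       # branch not in the list above
    }
    for name, status in triage(sample).items():
        print(f"{name:12} {sample[name]:12} {status}")
```

Feed it the output of your asset inventory or Panorama export; every host that comes back "vulnerable" or "not-listed" should then be checked under Device > User Identification > Authentication Portal Settings for portal exposure.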
When the portal is internet-exposed, the CVSS score reaches its peak severity of 9.3; even in adjacent-network scenarios, it remains a severe 8.7.
Successful exploitation delivers high confidentiality, integrity, and availability impacts at the product level, effectively handing threat actors complete control over the compromised firewall.
The risk profile is especially alarming given that enterprise perimeter firewalls serve as critical network chokepoints.
A compromised firewall can facilitate lateral movement, traffic interception, credential harvesting, and a full network takeover, making this vulnerability an exceptionally high-value target for ransomware operators and nation-state threat actors alike.
Patches and Mitigations
Palo Alto Networks has confirmed that patches are rolling out between May 13 and May 28, 2026, depending on the PAN-OS branch.
Until patches are applied, administrators should take immediate action by restricting Authentication Portal access to trusted internal IP addresses only, following Palo Alto’s published best practice guidelines, or disabling the User-ID™ Authentication Portal entirely if it is not operationally required.
A Threat Prevention Signature for PAN-OS 11.1 and above became available on May 5, 2026, offering an additional detection and blocking layer for organizations with an active Threat Prevention license.
Security teams should audit configurations immediately by navigating to Device > User Identification > Authentication Portal Settings.
Any portal accessible from the internet or untrusted zones must be treated as an emergency remediation priority, given confirmed in-the-wild exploitation of CVE-2026-0300.