CISA Adds Palo Alto PAN-OS CVE-2026-0300 to KEV Catalog
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical Palo Alto Networks PAN-OS vulnerability, tracked as CVE-2026-0300, to its Known Exploited Vulnerabilities (KEV) catalog and issued federal agencies a tight three-day remediation deadline, signalling active exploitation of the flaw and urgent risk to enterprise network infrastructure.
CVE-2026-0300 is an out-of-bounds write vulnerability (CWE-787) residing in the User-ID Authentication Portal of Palo Alto Networks’ PAN-OS software.
The flaw allows unauthenticated remote attackers to send specially crafted network packets that trigger a buffer overflow in the vulnerable service, ultimately yielding full root-level code execution on the targeted firewall. Exploitation requires no credentials, no user interaction, and no special environmental conditions.
Palo Alto Networks classifies the exploit maturity as ATTACKED, with the attack vector rated as network-based, fully automatable, and carrying zero attack complexity.
The vulnerability earns a CVSS 4.0 score of 9.3 (CRITICAL) when the Authentication Portal is exposed to the internet or untrusted networks. Even in restricted adjacent-network deployments, the score remains an elevated 8.7, confirming severe risk across all deployment postures.
Successful exploitation enables threat actors to gain complete control over a firewall’s confidentiality, integrity, and availability, effectively compromising a critical network chokepoint.
Affected PAN-OS Versions
The vulnerability impacts PA-Series and VM-Series firewalls running the following PAN-OS branches:
- PAN-OS 10.2 – versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
- PAN-OS 11.1 – versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 11.2 – versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
- PAN-OS 12.1 – versions below 12.1.4-h5 and 12.1.7
Prisma Access, Cloud NGFW, and Panorama appliances are confirmed unaffected. The vulnerability can only be triggered when the User-ID Authentication Portal is explicitly enabled and reachable from untrusted or internet-facing interfaces.
CISA added CVE-2026-0300 to the KEV catalog on May 6, 2026, with a remediation due date of May 9, 2026, a notably compressed three-day window underscoring the severity of active threats in the wild.
Palo Alto Networks confirmed that limited exploitation has already been observed targeting Authentication Portals exposed to untrusted IP addresses and the public internet.
Official patches are being released in two phases: the first targeting May 13, 2026, with remaining fixes arriving by May 28, 2026, depending on the PAN-OS branch.
Mitigation
As no official patch is yet available, CISA and Palo Alto Networks recommend organizations take the following immediate steps:
- Restrict User-ID Authentication Portal access to trusted network zones only, blocking external or untrusted traffic from reaching the service
- Disable the User-ID Authentication Portal entirely if Captive Portal functionality is not actively required
- Audit current configurations by navigating to Device > User Identification > Authentication Portal Settings to assess exposure
- Treat any internet-accessible portal as an emergency remediation priority
If mitigations cannot be implemented, CISA advises organizations to discontinue use of the affected product until an official fix is available. Security teams should treat any internet-facing PAN-OS Authentication Portal as actively compromised until fully mitigated.
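As an added illustration (not code from the advisory or from Palo Alto Networks), the following Python helper checks a running PAN-OS version string against the fixed versions listed above and ranks each firewall according to the mitigation guidance. It assumes that a maintenance release carries the fix only if it is listed (at or above the listed hotfix) or is newer than the last listed release of its branch, and that branches not named above are unaffected; the sample versions are constructed.

```python
import re

# Fixed versions exactly as listed in the advisory text, keyed by PAN-OS branch.
FIXED = {
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "12.1": ["12.1.4-h5", "12.1.7"],
}

# PAN-OS versions look like major.minor.maintenance with an optional -hN hotfix.
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version: str):
    """Split 'major.minor.maint[-hN]' into (major, minor, maint, hotfix)."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version: str) -> bool:
    """True if 'version' is below every fix listed for its branch.

    Assumption: a maintenance release contains the fix only if it is listed
    (with hotfix >= the listed one) or is newer than the last listed release
    of the branch; branches absent from FIXED are treated as unaffected."""
    major, minor, maint, hotfix = parse(version)
    branch = f"{major}.{minor}"
    if branch not in FIXED:
        return False  # e.g. 11.0 or 12.0 are not named in the advisory
    fixes = [parse(v) for v in FIXED[branch]]
    if maint > max(f[2] for f in fixes):
        return False  # newer than the last fixed maintenance release
    for _, _, fmaint, fhot in fixes:
        if maint == fmaint:
            return hotfix < fhot  # same release: compare hotfix level
    return True  # unlisted maintenance release inside the affected range


def priority(version: str, portal_enabled: bool, internet_facing: bool) -> str:
    """Rank a firewall per the mitigation guidance: exposed portals come first."""
    if not is_vulnerable(version) or not portal_enabled:
        return "none"
    return "emergency" if internet_facing else "restrict-or-disable"


if __name__ == "__main__":
    # Constructed sample inventory: (version, portal enabled, internet facing)
    for fw in [("10.2.7-h33", True, True), ("11.1.15", True, True), ("10.2.8", True, False)]:
        print(fw[0], "->", priority(*fw))
```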