PAN-OS Buffer Overflow Under Active Attack
A critical PAN-OS Buffer Overflow vulnerability is placing enterprise firewalls at serious risk after Palo Alto Networks confirmed active exploitation attempts in the wild. The flaw, tracked as CVE-2026-0300, affects the User-ID Authentication Portal service in PAN-OS and could allow remote attackers to execute code with root privileges.
The vulnerability carries a CVSS score of 9.3 and impacts both PA-Series and VM-Series firewalls configured with the User-ID Authentication Portal, also known as Captive Portal.
Security teams are being urged to patch affected systems immediately. Organizations that expose the authentication portal to the internet face the highest risk.
Critical Vulnerability Enables Remote Root Access
The issue stems from a buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal service. Attackers can exploit the flaw by sending specially crafted network packets to vulnerable systems.
Because the attack requires no authentication, threat actors can potentially compromise exposed devices remotely. Successful exploitation could lead to arbitrary code execution with root-level access on targeted firewalls.
Researchers also confirmed that exploitation activity has already been observed against internet-facing systems.
Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected by the vulnerability.
Which Systems Are Vulnerable?
The flaw affects multiple PAN-OS release branches, including:
- PAN-OS 12.1 before 12.1.4-h5 and 12.1.7
- PAN-OS 11.2 before 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
- PAN-OS 11.1 before 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 10.2 before 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
However, devices are only exposed if two conditions are met:
- The User-ID Authentication Portal is enabled.
- Response Pages are enabled on interfaces reachable from untrusted or internet-facing networks.
As a result, organizations using the portal internally with restricted access face significantly lower exposure.
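The version list above uses Palo Alto's hotfix notation (for example 11.1.6-h32 is hotfix 32 of maintenance release 11.1.6), so a release can be below one fix and above another in the same branch. The following Python script, added here as a worked example and not code from Palo Alto Networks or the advisory, parses that notation, decides whether a given PAN-OS version is below a fixed release in its branch, and combines the result with the two exposure conditions. Its assumptions: versions follow the `major.minor.maint[-hN]` pattern; a maintenance release newer than the last fix listed for a branch is treated as fixed; branches not in the list are reported as needing manual review; the sample inventory at the bottom is constructed.

```python
import re
from typing import Optional

# Fixed releases per branch, copied from the advisory list in the article above.
FIXED = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
             "10.2.18-h6"],
}

# Assumed version shape: major.minor.maint with an optional -hN hotfix suffix.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v: str):
    """Split 'major.minor.maint[-hN]' into (major, minor, maint, hotfix).
    A release without a hotfix suffix is treated as hotfix 0."""
    m = _VER_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version string: {v!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_fixed_version(v: str) -> Optional[bool]:
    """True if v carries the fix, False if it is below a fixed release
    in its branch, None if the branch is not in the advisory list."""
    major, minor, maint, hotfix = parse_version(v)
    branch = f"{major}.{minor}"
    if branch not in FIXED:
        return None
    fixes = [parse_version(f) for f in FIXED[branch]]
    # Assumption: maintenance releases after the newest listed fix are fixed.
    if maint > max(f[2] for f in fixes):
        return True
    # Same maintenance release: fixed only from the listed hotfix onward.
    # A maintenance release between two fixes (e.g. 12.1.5) matches nothing
    # and is therefore reported as vulnerable.
    for _, _, f_maint, f_hotfix in fixes:
        if maint == f_maint and hotfix >= f_hotfix:
            return True
    return False


def assess(version: str, portal_enabled: bool,
           response_pages_on_untrusted: bool) -> str:
    """Combine the version check with the two exposure conditions
    from the advisory: portal enabled, and Response Pages enabled on
    an interface reachable from untrusted networks."""
    fixed = is_fixed_version(version)
    if fixed is None:
        return "not-listed"          # branch absent from advisory: review manually
    if fixed:
        return "patched"
    if portal_enabled and response_pages_on_untrusted:
        return "vulnerable-exposed"  # patch or apply mitigations now
    return "vulnerable-not-exposed"  # still patch, but lower exposure


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, portal, response pages on untrusted)
    inventory = [
        ("fw-dmz-1", "11.1.6-h31", True, True),
        ("fw-core-1", "11.1.6-h32", True, True),
        ("fw-branch-2", "12.1.5", True, False),
        ("fw-lab-9", "10.1.9", False, False),
    ]
    for host, ver, portal, rp in inventory:
        print(f"{host:12} {ver:12} {assess(ver, portal, rp)}")
```

The tuple comparison is deliberately not a plain lexical sort: a later maintenance release that sits between two fixed ones (12.1.5 against fixes 12.1.4-h5 and 12.1.7) is still unpatched, which a naive "version >= first fix" check would miss.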
Active Exploitation Raises Urgency
Palo Alto Networks classified the vulnerability with the highest urgency rating. Additionally, the advisory confirmed that attackers are actively targeting exposed authentication portals.
The company stated that exploitation mainly affects deployments accessible from public or untrusted IP addresses. Therefore, internet-facing firewall management configurations should be reviewed immediately.
The vulnerability is categorized as an out-of-bounds write weakness, commonly associated with memory corruption attacks and remote code execution.
Recommended Mitigations
Administrators unable to patch immediately should apply temporary mitigation measures to reduce exposure.
Security teams are advised to:
- Restrict Authentication Portal access to trusted internal networks
- Disable Response Pages on internet-facing interfaces
- Disable the User-ID Authentication Portal if not required
- Deploy Threat Prevention signatures, including Threat ID 510019
- Review externally exposed firewall services
Additionally, organizations using PAN-OS 11.1 or later can enable updated Threat Prevention protections to help detect exploitation attempts.
Industry Impact and Security Concerns
The PAN-OS Buffer Overflow issue highlights attackers' growing focus on edge security appliances. Firewalls remain highly attractive targets because they often sit between internal infrastructure and the public internet.
Moreover, vulnerabilities affecting authentication services can provide attackers with privileged access to critical enterprise environments.
Security experts recommend prioritizing firewall patching cycles and reducing unnecessary exposure of administrative or authentication interfaces online.
Finally, organizations running vulnerable PAN-OS versions should schedule emergency updates as soon as operationally possible.