Palo Alto Networks has issued an urgent security advisory for a critical vulnerability in its PAN-OS software that is currently being exploited in the wild. The flaw, tracked as CVE-2026-0300, is a buffer overflow vulnerability residing in the User-ID Authentication Portal (also known as the Captive Portal) service.
With a CVSS score of 9.3 and a suggested urgency of HIGHEST, this vulnerability represents a Tier-1 threat to organizations utilizing PA-Series and VM-Series firewalls.
The security flaw allows an unauthenticated, remote attacker to gain complete control over a target firewall. By sending “specially crafted packets” to the Authentication Portal, an actor can trigger a buffer overflow.
According to the advisory, “A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls.”
The impact is severe: “root privileges” grant the attacker total administrative dominance over the device, allowing them to intercept traffic, pivot into internal networks, or disable security controls entirely.
Palo Alto Networks confirmed that this is an active threat. The company stated that “limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet”.
The risk is significantly amplified for organizations that have enabled the portal for access from the internet. While Prisma Access, Cloud NGFW, and Panorama appliances remain unaffected, the vast install base of PA-Series and VM-Series hardware and virtual firewalls is at high risk.
Palo Alto Networks has outlined a series of upcoming hotfixes and maintenance releases to address the flaw. Organizations should pay close attention to the following estimated times of arrival (ETA) for patches:
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | < 12.1.4-h5; < 12.1.7 | >= 12.1.4-h5 (ETA: 05/13); >= 12.1.7 (ETA: 05/28) |
| PAN-OS 11.2 | < 11.2.4-h17; < 11.2.7-h13; < 11.2.10-h6; < 11.2.12 | >= 11.2.4-h17 (ETA: 05/28); >= 11.2.7-h13 (ETA: 05/13); >= 11.2.10-h6 (ETA: 05/13); >= 11.2.12 (ETA: 05/28) |
| PAN-OS 11.1 | < 11.1.4-h33; < 11.1.6-h32; < 11.1.7-h6; < 11.1.10-h25; < 11.1.13-h5; < 11.1.15 | >= 11.1.4-h33 (ETA: 05/13); >= 11.1.6-h32 (ETA: 05/13); >= 11.1.7-h6 (ETA: 05/28); >= 11.1.10-h25 (ETA: 05/13); >= 11.1.13-h5 (ETA: 05/13); >= 11.1.15 (ETA: 05/28) |
| PAN-OS 10.2 | < 10.2.7-h34; < 10.2.10-h36; < 10.2.13-h21; < 10.2.16-h7; < 10.2.18-h6 | >= 10.2.7-h34 (ETA: 05/28); >= 10.2.10-h36 (ETA: 05/13); >= 10.2.13-h21 (ETA: 05/28); >= 10.2.16-h7 (ETA: 05/28); >= 10.2.18-h6 (ETA: 05/13) |
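
A fleet version check built from the table above, as an added example that is not part of the advisory or of any Palo Alto Networks tooling. It assumes the usual reading of such tables (a hotfix entry covers only its own maintenance release, and the highest entry per branch also covers later releases); the inventory names and versions are constructed.

```python
import re

# Fixed releases per branch, copied from the table above: (maintenance, hotfix).
FIXED = {
    "12.1": [(4, 5), (7, 0)],
    "11.2": [(4, 17), (7, 13), (10, 6), (12, 0)],
    "11.1": [(4, 33), (6, 32), (7, 6), (10, 25), (13, 5), (15, 0)],
    "10.2": [(7, 34), (10, 36), (13, 21), (16, 7), (18, 6)],
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split 'A.B.C-hN' into (branch 'A.B', maintenance C, hotfix N or 0)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)


def status(version):
    """Return 'affected', 'unaffected', or 'unlisted' (branch not in the table)."""
    branch, maint, hotfix = parse(version)
    fixes = FIXED.get(branch)
    if fixes is None:
        return "unlisted"
    # Assumption: the highest entry per branch also covers every later release.
    if (maint, hotfix) >= max(fixes):
        return "unaffected"
    # Assumption: a hotfix entry only covers its own maintenance release.
    for fix_maint, fix_hotfix in fixes:
        if maint == fix_maint and hotfix >= fix_hotfix:
            return "unaffected"
    return "affected"


# Constructed inventory, not real devices.
INVENTORY = {"fw-edge-1": "11.1.6-h31", "fw-edge-2": "11.1.6-h32",
             "fw-dc-1": "10.2.12", "fw-lab-1": "12.1.7", "fw-old-1": "10.1.14-h2"}

if __name__ == "__main__":
    for host, ver in INVENTORY.items():
        print(f"{host:10} {ver:12} {status(ver)}")
```

A result of `unlisted` means the branch does not appear in the table, so the device needs to be checked against the vendor advisory directly.
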
Because many patches are still days or weeks away, Palo Alto Networks is urging administrators to take immediate manual mitigation steps.
- Verify Exposure: Check if the portal is enabled under Device > User Identification > Authentication Portal Settings.
- Restrict Access: “You can greatly reduce the risk of exploitation by restricting User-ID Authentication Portal access to only trusted internal IP addresses and preventing its exposure to the internet”.
- Disable if Unnecessary: If the Captive Portal is not a requirement for your workflow, disable it entirely until a patch can be applied.
- Enable Threat Prevention: For customers running PAN-OS 11.1 and above, a dedicated Threat Prevention Signature was made available as of May 5, 2026, to detect and block exploit attempts.