Published on May 6, 2026

Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution


Severity

Critical

Detail

A critical vulnerability has been identified in Palo Alto Networks PAN-OS software impacting PA-Series and VM-Series firewalls. The flaw, tracked as CVE-2026-0300, is a buffer overflow vulnerability affecting the User-ID Authentication Portal (also known as the Captive Portal). This vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted network packets. Because it requires no authentication, the issue significantly increases the risk of exploitation, especially for systems exposed to untrusted networks or the public internet.

Palo Alto Networks has confirmed that the vulnerability is already under limited active exploitation, primarily targeting systems where the portal is publicly accessible. Successful exploitation could result in full firewall compromise, unauthorized access to network traffic, lateral movement within the network, and deployment of malicious payloads. At the time of disclosure, no patch is yet available, increasing the urgency for organizations to apply mitigation measures. Security updates are expected to be released starting May 13, 2026.

CVE ID | Summary | CVSS Score
CVE-2026-0300 | Buffer overflow in PAN-OS User-ID Authentication Portal allows unauthenticated remote code execution with root privileges. | 9.3 (Critical)

Affected Products

The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewalls. Affected branches include:

  • PAN-OS 10.2 — versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
  • PAN-OS 11.1 — versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  • PAN-OS 11.2 — versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
  • PAN-OS 12.1 — versions below 12.1.4-h5 and 12.1.7

Recommendation

Organizations and administrators are strongly advised to take the following actions immediately:

  • Restrict User-ID Authentication Portal access to trusted internal networks only
  • Disable the User-ID Authentication Portal if it is not required
  • Monitor firewall and system logs for unusual activity or suspicious access attempts
  • Apply vendor patches as soon as they are released (expected May 13, 2026)
  • Implement layered security controls such as network segmentation, intrusion detection/prevention systems, and strict access policies

Failure to implement these mitigations may lead to full system compromise, unauthorized access, and potential data breaches.

Source
https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html

https://cybersecuritynews.com/palo-alto-firewalls-vulnerability-exploited/

https://security.paloaltonetworks.com/CVE-2026-0300