The front line of enterprise defense is under fire. A critical zero-day vulnerability in Palo Alto Networks PAN-OS is currently being exploited, allowing unauthenticated attackers to seize full control of firewalls with root privileges.
Tracked as CVE-2026-0300, this flaw targets the User-ID Authentication Portal (Captive Portal). Because these devices sit at the edge of the network, a successful breach does not just compromise a single server; it opens the door to the entire internal corporate environment.
The Vulnerability: Unauthenticated Root RCE
The flaw is a classic but deadly buffer overflow (CWE-787, an out-of-bounds write) within the authentication portal component.
- The Attack: An attacker sends a sequence of specially crafted packets to the portal.
- The Payload: No username or password is required. The exploit triggers the overflow, allowing the attacker to execute arbitrary code.
- The Stakes: The code runs with root privileges, the highest level of access possible, allowing the intruder to disable security logs, steal credentials, or pivot deeper into the network.
CVSS Score: 9.3 (Critical)
Are You Exposed? Check Your Configuration
Not every PAN-OS device is vulnerable. For an attacker to reach the flaw on your firewall, both of the following conditions must be met:
- User-ID Authentication Portal is enabled (in either transparent or redirect mode).
- Response Pages are enabled on an interface management profile that is attached to an interface in an internet-facing or untrusted zone.
Palo Alto has confirmed that Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this specific flaw.
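As an added example that is not part of the original article and is not Palo Alto Networks tooling, the following Python script applies the two exposure conditions above to an exported configuration and joins them the way an operator would by hand: portal enabled, response pages on a profile, that profile on an interface, that interface in a zone you regard as untrusted. The element names in the constructed sample XML (`authentication-portal`, `response-pages`, `management-profile`, `members/member`) are assumptions chosen to mirror the advisory's wording, not a statement of the real PAN-OS schema; map them to the element names in your own `running-config.xml` export before trusting the verdict. The set of untrusted zone names is supplied by the caller, because the configuration does not label a zone as internet-facing; that is a policy judgement.

```python
import xml.etree.ElementTree as ET

# Constructed sample export. The element names are assumptions that mirror the
# advisory's two conditions; they are not guaranteed to match the real PAN-OS
# schema, so map them to your own running-config.xml before relying on the result.
SAMPLE_CONFIG = """\
<config>
  <vsys>
    <entry name="vsys1">
      <authentication-portal>
        <enabled>yes</enabled>
        <mode>redirect</mode>
      </authentication-portal>
      <zone>
        <entry name="untrust"><members><member>ethernet1/1</member></members></entry>
        <entry name="trust"><members><member>ethernet1/2</member></members></entry>
      </zone>
    </entry>
  </vsys>
  <network>
    <interface-management-profile>
      <entry name="mgmt-ping-only"><response-pages>no</response-pages></entry>
      <entry name="mgmt-with-pages"><response-pages>yes</response-pages></entry>
    </interface-management-profile>
    <interface>
      <entry name="ethernet1/1"><management-profile>mgmt-with-pages</management-profile></entry>
      <entry name="ethernet1/2"><management-profile>mgmt-ping-only</management-profile></entry>
    </interface>
  </network>
</config>
"""


def _is_yes(element, tag):
    """True when <tag> under element reads 'yes' (case-insensitive); missing means 'no'."""
    if element is None:
        return False
    return (element.findtext(tag) or "no").strip().lower() == "yes"


def assess_exposure(xml_text, untrusted_zones):
    """Apply the advisory's two exposure conditions to a config export.

    untrusted_zones: set of zone names the operator treats as internet-facing or
    untrusted (a policy judgement; the config does not label zones as such).
    """
    root = ET.fromstring(xml_text)

    # Condition 1: the authentication portal is enabled (either mode counts).
    portal = root.find("./vsys/entry/authentication-portal")
    portal_enabled = _is_yes(portal, "enabled")
    portal_mode = portal.findtext("mode") if portal is not None else None

    # Condition 2a: which interface management profiles have response pages on.
    pages_on = {
        e.get("name")
        for e in root.findall("./network/interface-management-profile/entry")
        if _is_yes(e, "response-pages")
    }

    # Condition 2b: which zone each interface belongs to.
    zone_of = {}
    for zone in root.findall("./vsys/entry/zone/entry"):
        for member in zone.findall("./members/member"):
            zone_of[(member.text or "").strip()] = zone.get("name")

    # Join: an interface in an untrusted zone carrying a response-pages profile.
    hits = []
    for iface in root.findall("./network/interface/entry"):
        name = iface.get("name")
        profile = (iface.findtext("management-profile") or "").strip()
        zone = zone_of.get(name)
        if profile in pages_on and zone in untrusted_zones:
            hits.append({"interface": name, "profile": profile, "zone": zone})

    return {
        "portal_enabled": portal_enabled,
        "portal_mode": portal_mode,
        "response_page_interfaces": hits,
        # Both conditions must hold for the device to be reachable by the exploit.
        "exposed": portal_enabled and bool(hits),
    }


if __name__ == "__main__":
    result = assess_exposure(SAMPLE_CONFIG, untrusted_zones={"untrust"})
    verdict = "EXPOSED" if result["exposed"] else "not exposed by these two conditions"
    print(f"portal enabled={result['portal_enabled']} mode={result['portal_mode']}: {verdict}")
    for hit in result["response_page_interfaces"]:
        print(f"  {hit['interface']} in zone {hit['zone']} uses profile {hit['profile']}")
```

A "not exposed" verdict from this script only means the two listed conditions do not both hold in the export you fed it; it is not a substitute for patching, and a device whose portal is reachable through some path the script does not model should still be treated as affected.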
Affected Versions & Patch Schedule
Palo Alto Networks has begun rolling out emergency patches. If you are running any of the following versions, you must upgrade to the specified builds (or later) immediately:
| PAN-OS Version | Required Patch Build |
|---|---|
| 12.1 | 12.1.4-h5 or 12.1.7+ |
| 11.2 | 11.2.4-h17 or 11.2.12+ |
| 11.1 | 11.1.4-h33 or 11.1.15+ |
| 10.2 | 10.2.7-h34 or 10.2.18-h6+ |
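To make the table usable across a fleet, here is an added Python helper (not from the article and not from Palo Alto Networks) that encodes the four rows and decides, for a given version string, whether it meets one of the fixed builds. It assumes the usual PAN-OS version shape `major.minor.maintenance` with an optional `-hN` hotfix suffix, reads a `+` entry as "that build and every later build in the same train", reads a plain hotfix entry as "that hotfix or a later hotfix on that same maintenance release", and reports any train outside the four listed as not covered by the table rather than as safe. The fleet inventory at the bottom is constructed sample data.

```python
import re

# Fixed builds copied from the advisory table, keyed by release train.
# Each train has a hotfix on an earlier maintenance release and a later
# maintenance release ("+") from which every subsequent build is fixed.
FIXED_BUILDS = {
    "12.1": ["12.1.4-h5", "12.1.7+"],
    "11.2": ["11.2.4-h17", "11.2.12+"],
    "11.1": ["11.1.4-h33", "11.1.15+"],
    "10.2": ["10.2.7-h34", "10.2.18-h6+"],
}

# major.minor.maintenance, optional -hN hotfix, optional trailing "+".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?(\+)?$")


def parse_version(text):
    """Return ((major, minor, maint, hotfix), open_ended) for a PAN-OS version string.

    A missing hotfix is treated as h0 so that 10.2.18 sorts below 10.2.18-h6.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix, plus = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0)), plus == "+"


def is_patched(version):
    """True if the version is a fixed build, False if it is not, None if the
    release train is not in the table (the table says nothing about it)."""
    (major, minor, maint, hotfix), _ = parse_version(version)
    train = f"{major}.{minor}"
    if train not in FIXED_BUILDS:
        return None
    for fixed in FIXED_BUILDS[train]:
        (_, _, fmaint, fhotfix), open_ended = parse_version(fixed)
        if open_ended:
            # "12.1.7+": this maintenance release (and hotfix) or anything later.
            if (maint, hotfix) >= (fmaint, fhotfix):
                return True
        else:
            # "12.1.4-h5": only that maintenance release, at that hotfix or later.
            if maint == fmaint and hotfix >= fhotfix:
                return True
    # Anything else in a listed train (e.g. 12.1.5 with no hotfix) is treated
    # as not fixed; the table is the only source of truth here.
    return False


def triage(fleet):
    """Map each (device, version) to 'patched', 'VULNERABLE' or 'not in table'."""
    labels = {True: "patched", False: "VULNERABLE", None: "not in table"}
    return {device: labels[is_patched(version)] for device, version in fleet}


if __name__ == "__main__":
    # Constructed inventory; replace with the output of your own asset system.
    fleet = [
        ("edge-fw-01", "12.1.4-h5"),
        ("edge-fw-02", "12.1.5"),
        ("branch-fw-07", "10.2.18"),
        ("branch-fw-08", "10.2.19"),
        ("lab-fw-01", "9.1.0"),
    ]
    for device, status in triage(fleet).items():
        print(f"{device:14} {status}")
```

The version check answers only "is this a build the vendor lists as fixed"; whether a device is actually reachable by the exploit still depends on the portal and response-page conditions in the previous section, so run both checks before deciding what to prioritise.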
Immediate Mitigations (If You Can’t Patch Yet)
If an immediate reboot for patching isn’t possible, take these defensive steps now:
- Restrict Access: Use security rules to ensure the User-ID Authentication Portal is only accessible from trusted internal IP addresses.
- Disable Response Pages: Turn off “Response Pages” on any interface facing the public internet.
- Update Threat IDs: Enable Threat ID 510019 (Applications and Threats version 9097-10022 or higher) to detect and block known exploit patterns.
Conclusion: The Zero-Day Race
With active exploitation already observed in the wild, the window for defense is closing. Attackers are currently scanning the internet for exposed portals to gain an initial foothold. Organizations must treat their firewalls' management and authentication services as high-priority attack surfaces: patch now, or restrict access before the perimeter is breached.