Palo Alto Networks has issued an urgent advisory for a critical PAN-OS vulnerability that is already being actively exploited in limited campaigns. Tracked as CVE-2026-0300, this flaw enables unauthenticated remote code execution (RCE) with root privileges on affected firewall appliances.
This is one of the highest-risk scenarios in enterprise security: a vulnerability that grants full control of a perimeter firewall, requires no credentials, and can be triggered over the network with no user interaction. If a firewall is compromised at the perimeter, attackers can potentially intercept traffic, pivot internally, harvest credentials, and establish persistent control over the environment.
If your organization runs Palo Alto PA-Series or VM-Series firewalls, this should be treated as an emergency remediation priority.
What Is CVE-2026-0300?
CVE-2026-0300 is a buffer overflow vulnerability located in the User-ID Authentication Portal, commonly referred to as the Captive Portal service.
The flaw is classified as an out-of-bounds write (CWE-787). In practical terms, an attacker can send specially crafted packets to the vulnerable portal service, trigger memory corruption, and execute arbitrary code as root.
This vulnerability is particularly dangerous because it has a “worst-case” exploitation profile:
- Network-based attack vector
- No authentication required
- No privileges required
- No user interaction
- Highly automatable
That combination makes it ideal for fast weaponization and widespread scanning of exposed systems.
Why This Is a High-Severity Enterprise Threat
Firewalls are not just another IT asset. They are high-value network control points that sit at the boundary between trusted and untrusted zones.
A successful compromise can lead to:
- Traffic interception and manipulation
- Credential harvesting and session hijacking
- Lateral movement into internal networks
- Disruption of perimeter protections and logging
- Long-term persistence through configuration manipulation
Even “limited” exploitation should not be interpreted as low risk. Limited exploitation often means targeted activity today that can scale quickly tomorrow—especially when the exploit is low complexity and automatable.
When Are You Actually Exposed?
This vulnerability applies to PA-Series and VM-Series firewalls running vulnerable PAN-OS versions only if the User-ID Authentication Portal (Captive Portal) is enabled and reachable from untrusted networks.
You are at highest risk if:
- Captive Portal is exposed to the internet, OR
- Captive Portal is reachable from untrusted network zones, OR
- Access controls are not restricted to trusted internal IP ranges
Important note: Cloud and management platforms are not affected.
- Prisma Access is not affected
- Cloud NGFW is not affected
- Panorama is not affected
Affected PAN-OS Versions (Confirmed Branches)
Vulnerable PAN-OS branches span multiple generations, including:
- PAN-OS 10.2
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 12.1
If you are running any of these branches, you must review your exact version and patch level to determine exposure and required remediation action.
Patch Availability and Timeline
Official fixes are being rolled out in a staggered schedule between:
- May 13, 2026
- May 28, 2026
The exact patch availability depends on your PAN-OS branch and maintenance train.
Because patch releases are staggered, organizations should apply interim mitigations immediately and not wait for the final firmware release.
Immediate Mitigations (Do This Now)
Until you can apply the official fixed release, the following mitigations should be treated as urgent:
1) Restrict Captive Portal Access to Trusted Networks
The most effective immediate workaround is to ensure the User-ID Authentication Portal is only reachable from trusted internal IP ranges and not from:
- The public internet
- Untrusted zones
- Broad internal segments where it is not needed
This mitigation dramatically reduces exposure by preventing attackers from reaching the vulnerable service.
2) Disable Captive Portal if Not Required
If your environment does not strictly depend on the Authentication Portal for business operations, the safest immediate option is to disable the service entirely until patches are installed.
Disabling eliminates the vulnerable attack surface rather than attempting to reduce it.
3) Deploy Threat Prevention Signature (PAN-OS 11.1+)
For environments running PAN-OS 11.1 or later and using Threat Prevention, Palo Alto has released a signature designed to detect and block exploit attempts.
This provides an additional defensive layer while waiting for official firmware fixes. However:
- Signatures are not a substitute for patching
- Use detection as risk reduction, not as “the fix”
How to Check if Captive Portal Is Enabled and Exposed
Administrators should audit configuration immediately:
- Check whether Captive Portal is enabled
- Identify which interfaces/zones can reach it
- Confirm whether access is restricted to trusted IP ranges
- Validate that no security policy accidentally exposes the portal publicly
If Captive Portal is accessible from the internet or untrusted zones, treat it as an emergency.
SOC Monitoring and Threat Hunting Guidance
Because the vulnerability is exploited over the network, SOC teams should prioritize visibility into both access and post-exploitation behavior.
High-priority monitoring areas
- Unexpected inbound traffic targeting Captive Portal
- Sudden spikes in scanning-like traffic patterns
- Requests originating from untrusted sources that should never touch portal services
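As an added example (not code from the advisory or from Palo Alto Networks), the following Python script applies those three monitoring points to constructed, simplified traffic records: it flags portal hits from sources outside an assumed trusted zone and address allowlist, and sources whose hit count looks like scanning. The record layout, the trusted zones and ranges, and the portal listener ports are assumptions for this example, not values from the advisory.

```python
import ipaddress
from collections import Counter
# Constructed for this example: simplified comma-separated traffic records
# (time, src_zone, dst_zone, src_ip, dst_ip, dst_port, action). This is NOT
# the real PAN-OS traffic-log schema; map your exporter's fields to these.
FIELDS = ["time", "src_zone", "dst_zone", "src_ip", "dst_ip", "dst_port", "action"]
# Assumed environment values: replace with your trusted zones and ranges.
TRUSTED_ZONES = {"trust", "corp-users"}
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
# Assumed Captive Portal listener ports; confirm against your running config.
PORTAL_PORTS = {6080, 6081, 6082}
SAMPLE_LOGS = """\
2026-05-10T09:00:01,untrust,trust,203.0.113.10,198.51.100.5,6081,allow
2026-05-10T09:00:02,trust,trust,10.1.2.3,10.0.0.1,6081,allow
2026-05-10T09:00:10,untrust,trust,198.51.100.77,198.51.100.5,6080,allow
2026-05-10T09:00:11,untrust,trust,198.51.100.77,198.51.100.5,6081,allow
2026-05-10T09:00:12,untrust,trust,198.51.100.77,198.51.100.5,6082,allow
2026-05-10T09:00:13,untrust,trust,198.51.100.77,198.51.100.5,6081,allow
2026-05-10T09:00:14,untrust,trust,198.51.100.77,198.51.100.5,6080,allow
2026-05-10T09:01:00,untrust,trust,203.0.113.11,198.51.100.5,443,allow
2026-05-10T09:01:10,guest-wifi,trust,172.16.9.9,10.0.0.1,6080,allow
"""

def parse_line(line):
    """Split one record into a dict; dst_port becomes an int."""
    rec = dict(zip(FIELDS, line.strip().split(",")))
    rec["dst_port"] = int(rec["dst_port"])
    return rec

def is_trusted(src_zone, src_ip):
    """Trusted only if BOTH zone and address are allowlisted, so a stray
    range inside a trusted zone (or vice versa) is still flagged."""
    addr = ipaddress.ip_address(src_ip)
    return src_zone in TRUSTED_ZONES and any(addr in n for n in TRUSTED_NETS)

def analyze(log_text, scan_threshold=5):
    """Return portal hits from untrusted sources plus scanning-like sources."""
    untrusted_hits, per_source = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["dst_port"] not in PORTAL_PORTS:
            continue  # not portal traffic
        per_source[rec["src_ip"]] += 1
        if not is_trusted(rec["src_zone"], rec["src_ip"]):
            untrusted_hits.append(rec)
    scanners = sorted(ip for ip, n in per_source.items() if n >= scan_threshold)
    return {"untrusted_portal_hits": untrusted_hits, "scanners": scanners}
```

On the constructed sample, `analyze(SAMPLE_LOGS)` flags seven untrusted portal hits (including the guest-wifi source whose address is outside the trusted ranges) and one scanning-like source; tune `scan_threshold` to your baseline before alerting.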
Post-exploitation indicators to watch
If a firewall is compromised, attackers may:
- Change configurations
- Create new admin sessions
- Disable logging or reduce visibility
- Establish outbound connections for command and control
- Modify security policies to enable persistence or lateral movement
Operational best practice
If exploitation is suspected:
- Treat the firewall as potentially untrusted
- Preserve logs and configuration snapshots
- Restrict management plane access immediately
- Coordinate incident response with network engineering and security operations
Common Mistakes to Avoid
- Assuming Captive Portal is disabled without verifying configuration
- Waiting for patches without applying interim restrictions
- Treating “limited exploitation” as low urgency
- Relying on detection signatures instead of patching
- Leaving portal services reachable from untrusted zones for convenience
FAQs
What is CVE-2026-0300?
A critical PAN-OS Captive Portal buffer overflow that allows unauthenticated attackers to execute code with root privileges on affected firewalls.
Is this being exploited right now?
Yes, exploitation has been reported in limited active campaigns, especially where Captive Portal is exposed to untrusted networks.
Which Palo Alto products are affected?
PA-Series and VM-Series firewalls running vulnerable PAN-OS versions with Captive Portal enabled.
Are Prisma Access, Cloud NGFW, or Panorama affected?
No, those platforms are not affected.
What’s the fastest mitigation?
Restrict Captive Portal access to trusted internal IPs only, or disable Captive Portal if not required.
When will patches be available?
Patches are scheduled in a phased rollout between May 13 and May 28, 2026, depending on your PAN-OS branch.
Conclusion
CVE-2026-0300 is a critical, actively exploited vulnerability that can provide attackers with root-level control of perimeter firewalls. Because firewalls are high-value targets and exploitation requires no authentication, this should be handled as a top-tier incident response priority.
Immediate action checklist:
- Inventory PA-Series and VM-Series assets
- Confirm whether Captive Portal is enabled
- Restrict Captive Portal to trusted internal IPs or disable it
- Deploy Threat Prevention signatures if available (PAN-OS 11.1+)
- Patch as soon as the fixed release for your branch becomes available
- Monitor for suspicious traffic and post-exploitation behavior