

Affected Environment
PA‑Series and VM‑Series firewalls running affected PAN‑OS versions with the User‑ID Authentication (Captive) Portal enabled and network‑reachable. Cloud NGFW and Prisma Access are not affected. Systems with the portal disabled or restricted to trusted internal zones have significantly reduced exposure.
Threat Overview
CVE‑2026‑0300 is a critical PAN‑OS flaw allowing unauthenticated remote code execution as root via the User‑ID Authentication Portal service. The vulnerability is confirmed as actively exploited in the wild, with attacks focusing on portals exposed to untrusted networks or the public internet.
Exposure Timeline
The report is dated 6 May 2026; exploitation in real‑world attacks had already been observed at the time of reporting. Vendor patches are scheduled for release from 13 May 2026 and from 28 May 2026, depending on PAN‑OS version, leaving a near‑term exposure window.
Attack Surface
The primary attack surface is the User‑ID Authentication Portal reachable from untrusted networks, especially directly exposed internet‑facing portals. Instances where network controls permit inbound access to the portal from external or unknown IP addresses present the highest exposure.
Technical Root Cause
A buffer overflow (CWE‑787) in the portal’s request processing logic allows memory corruption when handling specially crafted network requests. This condition enables arbitrary code execution with root privileges on affected firewalls without requiring user interaction or prior authentication.
Exploitation Pathway
An external attacker sends crafted network requests to the exposed authentication portal, triggering the buffer overflow and memory corruption. Because no authentication or user interaction is needed and complexity is low, exploitation can be automated and scaled across exposed devices.
Operational Impact
Successful compromise provides attackers with root‑level control of the firewall, enabling full manipulation of security policies and traffic. This could undermine monitoring, bypass controls, and facilitate further lateral movement or data exfiltration through trusted network paths.
Strategic Impact
Firewall compromise at this layer erodes trust in perimeter and segmentation controls that many business and government networks rely on. If unaddressed, it increases long‑term risk of covert access and control over critical systems routed through affected infrastructure.
Required Mitigation
Plan and schedule deployment of vendor PAN‑OS fixes as they become available for your specific versions starting 13 May 2026. Immediately restrict portal access to trusted internal IP ranges or disable the User‑ID Authentication Portal entirely if not business‑critical.
Incident Response Guidance
Review configuration to identify any User‑ID portals exposed to the internet or untrusted zones and remediate high‑risk instances first. Update Threat Prevention signatures, and monitor firewall logs and traffic for anomalous portal requests or unexpected connections.
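The exposure review above can be run as a triage over an inventory of firewalls. The following Python script is an added example, not code from the advisory or from Palo Alto Networks. The inventory layout, firewall names and trusted ranges are constructed assumptions, not a PAN‑OS export format; it ranks devices whose portal is enabled and reachable from ranges outside trusted internal space.

```python
import ipaddress

# Assumption: the ranges your organisation treats as trusted internal space.
TRUSTED = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical names, not a PAN-OS export):
# (firewall, portal_enabled, source ranges permitted to reach the portal)
INVENTORY = [
    ("fw-edge-01", True, ["any"]),
    ("fw-branch-02", True, ["10.20.0.0/16", "203.0.113.0/24"]),
    ("fw-core-03", True, ["10.0.0.0/8"]),
    ("fw-lab-04", False, ["any"]),
]

def untrusted_sources(sources):
    """Return the permitted source ranges that fall outside every trusted network."""
    bad = []
    for s in sources:
        if s.strip().lower() == "any":
            bad.append("0.0.0.0/0")
            continue
        net = ipaddress.ip_network(s, strict=False)
        # subnet_of() raises TypeError across IP versions, so compare versions first.
        if not any(net.version == t.version and net.subnet_of(t) for t in TRUSTED):
            bad.append(str(net))
    return bad

def triage(inventory):
    """List firewalls with an enabled portal reachable from untrusted ranges,
    widest exposure (shortest prefix) first."""
    findings = []
    for name, enabled, sources in inventory:
        if not enabled:
            continue  # portal disabled: not part of this exposure review
        bad = untrusted_sources(sources)
        if bad:
            widest = min(ipaddress.ip_network(b).prefixlen for b in bad)
            findings.append((widest, name, bad))
    findings.sort()
    return [(name, bad) for _, name, bad in findings]

if __name__ == "__main__":
    for name, bad in triage(INVENTORY):
        print(f"{name}: portal reachable from untrusted ranges {bad}")
```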
References
Refer to Palo Alto Networks’ CVE‑2026‑0300 advisory for full version‑specific patch details and authoritative guidance. Consult Palo Alto documentation on Captive Portal configuration and the published knowledge base article for additional mitigation context.




