Palo Alto PAN-OS CVE-2026-0300 Zero-Day Enables Root-Level RCE on Exposed Firewalls
A firewall bug that hands out root-level code execution is never just a patching problem. It is an exposure problem, an inventory problem, and, for teams with public-facing management or identity-adjacent services, a race against scanning.
Palo Alto Networks has disclosed CVE-2026-0300, a critical buffer overflow in PAN-OS affecting the User-ID Authentication Portal, also known as the Captive Portal. The flaw carries a CVSS 4.0 score of 9.3 when the portal is reachable from the internet or other untrusted networks, and Palo Alto Networks has confirmed limited in-the-wild exploitation.
What Happened
CVE-2026-0300 is an unauthenticated buffer overflow in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS. By sending specially crafted packets, an attacker can execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls.
The vulnerability is exploitable over the network, requires no authentication, no user interaction, and no special attack requirements. Palo Alto Networks also marks exploitation as automatable and lists the exploit maturity as “ATTACKED,” meaning real-world targeting has already been observed.
The issue was published on May 5, 2026, and as of May 6, 2026, fixes are scheduled but not yet generally available across all affected release branches. Palo Alto Networks expects patched versions to arrive in staged releases on May 13 and May 28, 2026.
Affected Products and Versions
The flaw applies only to PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.
- PAN-OS 12.1: affected versions include releases before 12.1.4-h5 and before 12.1.7.
- PAN-OS 11.2: affected versions include releases before 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12.
- PAN-OS 11.1: affected versions include releases before 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15.
- PAN-OS 10.2: affected versions include releases before 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6.
The important operational detail is narrower than the version list: a firewall is exposed only if the User-ID Authentication Portal is enabled. Administrators can verify this under Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.
Why This Stands Out
This is not a routine edge-device denial-of-service issue. The vulnerable component sits on the firewall, the attack is unauthenticated, and successful exploitation gives root-level execution. That combination puts affected devices in the same risk category defenders reserve for perimeter zero-days with post-exploitation value: initial access, traffic visibility, policy manipulation, persistence, and potential pivoting into internal networks.
The severity is highest when the Authentication Portal is reachable from the public internet or another untrusted network. Palo Alto Networks rates the issue at CVSS 9.3 in that scenario. If access is restricted to trusted internal IP addresses, the score drops to 8.7, which is still serious but materially reduces attacker reach.
The limited exploitation matters because it changes the response model. This is no longer a “patch when available” advisory. It is a “reduce exposure now, then patch as soon as your branch has a fixed build” advisory.
Immediate Mitigation
Until fixed PAN-OS builds are available for all affected branches, the practical mitigation is access control.
- Disable the User-ID Authentication Portal if the service is not required.
- Restrict portal access to trusted zones and trusted internal IP addresses if the portal must remain enabled.
- Prioritize internet-exposed portals first, especially where the service is reachable from untrusted networks.
- Track the staged patch schedule for the relevant PAN-OS branch, with fixes expected across May 13 and May 28, 2026.
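One way to turn the affected-version list and the exposure-first mitigation order above into a fleet triage check, as an added example that is not from the advisory or from Palo Alto Networks. It assumes the PAN-OS version format major.minor.maintenance with an optional -hN hotfix suffix, conservatively treats a maintenance release newer than the last listed fix on its branch as still affected unless a hotfix-free fixed release covers it, and flags branches the advisory does not list for a manual check rather than guessing.

```python
import re

# Fixed builds per affected PAN-OS branch, copied from the advisory summary above.
FIXED = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")  # assumed version shape


def parse(version):
    """Split 'major.minor.maint[-hN]' into (branch, maint, hotfix); hotfix 0 if absent."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)


def is_affected(version):
    """True if the build predates every fixed build on its branch, False if a fix
    covers it, None if the branch is not in the advisory list (check manually).
    Assumption: a maintenance release above the highest listed fix with no
    hotfix-free fixed release (e.g. 10.2.19) is reported as affected."""
    branch, maint, hotfix = parse(version)
    if branch not in FIXED:
        return None
    for fixed in FIXED[branch]:
        _, f_maint, f_hotfix = parse(fixed)
        if maint == f_maint and hotfix >= f_hotfix:   # same release, at/after hotfix
            return False
        if f_hotfix == 0 and maint > f_maint:         # later than a base fixed release
            return False
    return True


def triage(version, portal_enabled, internet_reachable):
    """Rank one firewall: version alone is not the risk; portal exposure is."""
    affected = is_affected(version)
    if affected is None:
        return "check: branch not in advisory list"
    if not affected:
        return "patched"
    if not portal_enabled:
        return "not exposed: Authentication Portal disabled"
    if internet_reachable:
        return "P1: portal reachable from untrusted network, restrict or disable now"
    return "P2: portal internal only, restrict to trusted IPs and patch on release"
```

Feed it the firewall inventory (version, the Enable Authentication Portal setting, and whether the portal answers from untrusted networks) and work the P1 list first.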
NHS England’s National CSOC has also assessed further exploitation as highly likely, which aligns with the normal pattern for high-impact firewall vulnerabilities: once public exposure is understood, scanning usually follows quickly.
Why Defenders Should Care
Firewalls are high-value targets because they sit at the boundary between trust zones. A compromise at that layer can give attackers visibility into traffic flows, access to sensitive configuration, and a foothold that may not look like a conventional endpoint intrusion.
The User-ID Authentication Portal is designed to help map users to traffic when the firewall cannot automatically associate an IP address with an identity. That makes it operationally useful, but also dangerous when exposed too broadly. The issue is not simply that a vulnerable service exists. The issue is that identity-adjacent perimeter services often remain reachable long after their exposure stops being necessary.
For security teams, the first question should not be “Are we running PAN-OS?” It should be “Where is the User-ID Authentication Portal enabled, and who can reach it?”
Bigger Picture
CVE-2026-0300 lands in a familiar pattern: attackers continue to prioritize perimeter appliances because they compress the attack path. There is no phishing chain to build, no endpoint control to bypass, and no user behavior to predict. A reachable vulnerable service is enough.
The defensive lesson is equally familiar but still often missed. Internet exposure should be treated as a live control, not a one-time architecture decision. If a portal, gateway, or administrative surface does not need to be reachable from untrusted networks, it should not be reachable at all.
NeuraCyb's Assessment
CVE-2026-0300 is a sharp reminder that “limited exploitation” is not a comfort phrase when the vulnerable asset is a firewall and the outcome is root-level code execution. The patch window matters, but exposure matters more right now. Teams that can remove or restrict Authentication Portal access before the broader scanning wave arrives will have already done the most important part of the response.
References
- Palo Alto Networks Security Advisory: CVE-2026-0300 PAN-OS User-ID Authentication Portal Buffer Overflow
- Help Net Security: Root-level RCE vulnerability in Palo Alto firewalls exploited
- NHS England Digital Cyber Alert CC-4777: Palo Alto Networks PAN-OS Critical Vulnerability
- The Hacker News: Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution