Palo Alto Networks disclosed CVE-2026-0300 this week — an unauthenticated buffer overflow in the User-ID Authentication Portal (the Captive Portal) on PAN-OS that lets a remote attacker execute arbitrary code as root on the firewall itself. CISA added the bug to its Known Exploited Vulnerabilities catalog on May 6, 2026, with a Federal Civilian Executive Branch mitigation deadline of May 9 — tomorrow. Limited in-the-wild exploitation has already been reported against portals exposed to the internet.

This is the kind of bug that turns the perimeter into the attacker’s foothold. On a PAN-OS firewall doing User-ID authentication, the auth portal’s HTTP service runs on the device itself, in front of its own management plane, so root code execution in the portal is root on the firewall: control-plane access, the ability to modify rules, dump the mappings of connected user identities, MITM TLS where decryption is configured, and pivot freely into the trusted segments behind the box.

Technical details

The vulnerability is a stack/heap buffer overflow reachable pre-authentication on the Captive Portal service. Per Palo Alto’s advisory, an attacker sends specially crafted packets to the portal and overruns a buffer during request processing, allowing arbitrary code execution at root. No user interaction or valid credentials are required; the only precondition is reachability of the User-ID Authentication Portal.

CVSS scores split based on exposure:

  • 9.3 (Critical) when the portal is reachable from the internet or any untrusted network.
  • 8.7 (High) when access is restricted to trusted internal IPs.

Wiz and several other vendors have confirmed observed exploitation against internet-exposed portals. Threat Landscape and SOCRadar have published indicators consistent with reconnaissance and crash-loop probing prior to RCE attempts, suggesting at least one actor has a working exploit.

Affected products: PA-Series (hardware) and VM-Series (virtual) firewalls running affected PAN-OS versions and configured to use the User-ID Authentication Portal.

Not affected: Cloud NGFW, Prisma Access, and Panorama management appliances. Firewalls without the User-ID Authentication Portal feature enabled are also out of scope, but if you have a guest network, BYOD program, or any “log in to use the internet” page on a Palo Alto box, it’s almost certainly enabled.

Affected versions and fix timeline

Hotfixes are landing on a staggered rollout between May 13 and May 28, 2026. Notable fixed versions:

  • PAN-OS 12.1: 12.1.4-h5, 12.1.7
  • PAN-OS 11.2: 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12
  • PAN-OS 11.1: 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
  • PAN-OS 10.2: 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6

Anything older than the listed hotfix on each branch is vulnerable.

What to do right now

  1. Inventory exposure. Identify every PA-Series and VM-Series firewall in your fleet running an affected PAN-OS version. From the CLI: show system info | match sw-version. From Panorama: show devices all, then pivot on the software version.
  2. Determine portal exposure. Any firewall with an authentication profile bound to a captive-portal rule whose portal is reachable from an untrusted zone goes in the priority bucket. Internal-only portals are still exposed if you treat your internal network as reachable by an attacker.
  3. Restrict access immediately. Until your branch’s hotfix is available, lock the portal to trusted source IPs only — security policies on the management plane, not data-plane filters that the portal itself fronts. Palo Alto’s official mitigation is the same: limit access until patches arrive.
  4. Patch on availability. Subscribe to your account’s release notifications; the May 13 wave covers most production branches.
  5. Hunt for compromise. Look for anomalous shell-history entries, new admin accounts created via the CLI, unexpected commit operations, and outbound connections from the management interface to unfamiliar IPs. Web server logs on the portal showing oversized POST bodies or repeated crashes-then-recovery patterns are consistent with exploit attempts.
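Steps 1, 2 and 4 come down to one question per box: is the running version older than its branch’s hotfix, and is the portal reachable from somewhere untrusted? The following is an added example (not Palo Alto’s code and not from the original post) that encodes the fixed-version table above and triages a fleet from “show system info” output. The “sw-version:” key/value layout of that output, the hostnames and exposure flags in the sample inventory, and the rule that a branch’s fix is carried forward once a plain base release (such as 11.1.15) is listed are all assumptions; a maintenance release newer than a branch whose newest entry is itself a hotfix is reported as “unknown” rather than guessed.

```python
import re

# Fixed versions exactly as listed in the advisory summary above, keyed by
# release branch (major.minor). Anything older than its branch's hotfix is vulnerable.
FIXED_VERSIONS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> tuple:
    """'11.1.7-h6' -> (11, 1, 7, 6); a base release has hotfix 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str) -> str:
    """Classify a PAN-OS version as 'vulnerable', 'fixed' or 'unknown' against FIXED_VERSIONS."""
    v = parse_version(version)
    fixes = FIXED_VERSIONS.get(f"{v[0]}.{v[1]}")
    if fixes is None:
        return "unknown"  # branch not covered by the list above; check the vendor advisory
    fixed = [parse_version(f) for f in fixes]
    for f in fixed:
        if f[:3] == v[:3]:  # same maintenance release: fixed from that hotfix onwards
            return "fixed" if v[3] >= f[3] else "vulnerable"
    newest = max(fixed)
    if v[:3] < newest[:3]:
        # Older maintenance release with no hotfix listed: nothing to apply, must upgrade.
        return "vulnerable"
    # Newer than every listed fix. Assumption: the fix is carried forward once the
    # branch lists a plain base release (e.g. 11.1.15); if the newest entry is itself
    # a hotfix the page does not say, so report it for manual verification.
    return "fixed" if newest[3] == 0 else "unknown"


# Assumed 'key: value' layout of 'show system info'; only the sw-version line is read.
SYSINFO_RE = re.compile(r"^\s*sw-version:\s*(\S+)", re.MULTILINE)


def sw_version_from_sysinfo(text: str) -> str:
    """Extract sw-version from 'show system info' output."""
    m = SYSINFO_RE.search(text)
    if not m:
        raise ValueError("no sw-version line in output")
    return m.group(1)


def triage(fleet) -> list:
    """fleet: iterable of (hostname, sysinfo_text, portal_reachable_from_untrusted_zone).

    Returns (hostname, version, status, priority). P1 = vulnerable or unknown AND the
    portal is reachable from an untrusted zone; P2 = vulnerable or unknown, internal only.
    """
    rows = []
    for host, sysinfo, untrusted in fleet:
        version = sw_version_from_sysinfo(sysinfo)
        status = assess(version)
        if status == "fixed":
            priority = "none"
        else:
            priority = "P1" if untrusted else "P2"
        rows.append((host, version, status, priority))
    return rows


# Constructed sample inventory (hostnames and exposure flags are made up for the demo).
SAMPLE_FLEET = [
    ("edge-fw-01",   "hostname: edge-fw-01\nmodel: PA-850\nsw-version: 11.1.7-h2\n",  True),
    ("dc-fw-02",     "hostname: dc-fw-02\nmodel: PA-5220\nsw-version: 11.1.7-h6\n",   True),
    ("branch-fw-03", "hostname: branch-fw-03\nmodel: VM-300\nsw-version: 10.2.11\n",  False),
    ("lab-fw-04",    "hostname: lab-fw-04\nmodel: VM-100\nsw-version: 12.1.8\n",      False),
]

if __name__ == "__main__":
    for host, version, status, priority in triage(SAMPLE_FLEET):
        print(f"{host:14} {version:12} {status:10} {priority}")
```

Feed it the real output of “show system info” from each box (or the software column from Panorama’s “show devices all”) and the exposure answer from step 2; everything that comes back P1 is the set to lock down in step 3 before the May 13 wave lands.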
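For step 5, the two portal-side signals named above (oversized POST bodies and a crash-then-recovery loop) are easy to pull out of web server logs once they are in a parseable form. The following is an added detection example, not code from the post or from Palo Alto, and it runs over a constructed, simplified key=value log format that stands in for whatever the portal’s web server actually emits: the field names, the “/portal/login” path, the “portal-restart” event, the 8 KiB body ceiling and the three-restarts-in-five-minutes window are all assumptions to tune for your environment.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log in an assumed key=value layout (not real PAN-OS output).
# Source addresses are from documentation ranges; sizes and timing are made up.
SAMPLE_LOG = """\
2026-05-07T10:02:11Z src=203.0.113.7 method=GET path=/portal/login status=200 bytes_in=0
2026-05-07T10:02:12Z src=203.0.113.7 method=POST path=/portal/login status=200 bytes_in=412
2026-05-07T10:02:13Z src=198.51.100.9 method=POST path=/portal/login status=500 bytes_in=65536
2026-05-07T10:02:14Z event=portal-restart
2026-05-07T10:02:40Z src=198.51.100.9 method=POST path=/portal/login status=500 bytes_in=131072
2026-05-07T10:02:41Z event=portal-restart
2026-05-07T10:03:05Z src=198.51.100.9 method=POST path=/portal/login status=500 bytes_in=131072
2026-05-07T10:03:06Z event=portal-restart
"""

MAX_POST_BYTES = 8192                 # assumed ceiling for a legitimate portal login form
RESTART_THRESHOLD = 3                 # this many restarts inside RESTART_WINDOW = crash loop
RESTART_WINDOW = timedelta(minutes=5)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str):
    """Split '<iso-timestamp> k=v k=v ...' into (datetime, dict)."""
    ts_str, _, rest = line.partition(" ")
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, dict(KV_RE.findall(rest))


def hunt(log_text: str) -> list:
    """Return (kind, detail) findings: one 'oversized-post' per source, one 'crash-loop' per burst."""
    findings = []
    restarts = []            # timestamps of restarts inside the sliding window
    flagged_sources = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, f = parse_line(line)
        if f.get("event") == "portal-restart":
            restarts.append(ts)
            restarts = [t for t in restarts if ts - t <= RESTART_WINDOW]
            if len(restarts) >= RESTART_THRESHOLD:
                findings.append(("crash-loop", f"{len(restarts)} restarts by {ts.isoformat()}"))
                restarts = []  # report each loop once, then start counting afresh
            continue
        if f.get("method") == "POST" and int(f.get("bytes_in", 0)) > MAX_POST_BYTES:
            src = f["src"]
            if src not in flagged_sources:
                flagged_sources.add(src)
                findings.append(("oversized-post", f"{src} sent {f['bytes_in']} bytes to {f['path']}"))
    return findings


if __name__ == "__main__":
    for kind, detail in hunt(SAMPLE_LOG):
        print(f"{kind:15} {detail}")
```

Either finding on its own is only a lead; the pair together from the same window, a source posting bodies far larger than any login form and the portal process bouncing right after each one, is the pattern the post describes, and the source address is what to carry into the shell-history, admin-account and outbound-connection checks on the management plane.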

Why this one matters

Network firewalls are a recurring KEV-listed soft target — Ivanti, Fortinet, Cisco, and Palo Alto have each had pre-auth root RCEs in the past 18 months. The pattern is the same each time: a captive web service in front of the device, parsing untrusted input, gets a memory-safety bug, and an attacker who reaches the portal owns the box. Until the next architectural rev that puts these portals behind a hardened, isolated TLS terminator with bounds-checked parsing, expect this class of bug to keep landing in KEV every quarter.
