
CVE-2026-0300: Critical PAN-OS Buffer Overflow in User-ID Authentication Portal Under Active Exploitation

Executive Summary

CVE-2026-0300 is a critical vulnerability in Palo Alto Networks PAN-OS affecting the User-ID Authentication Portal, also known as the Captive Portal. The vulnerability is a buffer overflow / out-of-bounds write issue that can allow an unauthenticated remote attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls by sending specially crafted network packets. Palo Alto Networks has confirmed limited exploitation in the wild, especially against portals exposed to untrusted IP addresses or the public internet.

This is not a theoretical risk. The advisory lists the exploit maturity as ATTACKED, gives the vulnerability a CVSS 9.3 Critical rating, and classifies the suggested urgency as HIGHEST. Security teams should treat internet-exposed User-ID Authentication Portals as emergency remediation targets. The good news is that exposure is configuration-dependent. The issue applies only to PA-Series and VM-Series firewalls where the User-ID Authentication Portal is enabled and reachable from untrusted networks through response-page-capable interfaces. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.

What Is CVE-2026-0300?

CVE-2026-0300 is an unauthenticated, network-exploitable buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal service. This portal is used to identify users who are not already mapped by other User-ID mechanisms. In many environments, it appears to users as a captive portal or authentication page.

According to Palo Alto Networks, a remote attacker can exploit the flaw by sending specially crafted packets to the vulnerable service. Successful exploitation can result in arbitrary code execution with root privileges on the firewall.

Attribute               CVE-2026-0300
Severity                Critical
CVSS                    9.3
Exploit maturity        Attacked
Attack vector           Network
Attack complexity       Low
Privileges required     None
User interaction        None
Impact                  Confidentiality, integrity, and availability compromise
Weakness                CWE-787: Out-of-bounds Write
CAPEC                   CAPEC-100: Overflow Buffers

In simple terms, this is a remotely reachable firewall vulnerability that can potentially give an attacker root-level control of an affected appliance.

Why This Vulnerability Matters

Firewalls sit at critical trust boundaries. They inspect, route, block, decrypt, log, and enforce access between networks. When a vulnerability affects a firewall service that can be reached from an untrusted network, the impact can be much larger than a single compromised server.

CVE-2026-0300 is serious for four main reasons.

First, exploitation requires no authentication. An attacker does not need a username, password, stolen session, API key, or prior foothold.

Second, exploitation requires no user interaction. No phishing email, malicious attachment, or user click is needed.

Third, the attack vector is network-based. If the vulnerable portal is reachable, an attacker can attempt exploitation remotely.

Fourth, successful exploitation can lead to root privilege code execution on the firewall. That is the highest level of control on the device.

For defenders, this means the priority is not only "what PAN-OS version am I running?" but also "is the vulnerable portal exposed to places it should never be exposed?"

Affected Products

The vulnerability affects PA-Series and VM-Series firewalls running vulnerable PAN-OS versions when configured to use the User-ID Authentication Portal.

The following products are not impacted:

Product                 Status
Prisma Access           Not impacted
Cloud NGFW              Not impacted
Panorama appliances     Not impacted

Affected PAN-OS branches include vulnerable releases in PAN-OS 12.1, 11.2, 11.1, and 10.2. Palo Alto has staged fixes across multiple hotfix and maintenance releases, with some fixed versions expected on May 13, 2026 and others on May 28, 2026, depending on branch and release train.

Exposure Conditions

A firewall is not automatically exploitable just because it runs an affected PAN-OS version. Palo Alto's advisory makes the exposure conditions very specific.

Customers are impacted if both of the following are true:

User-ID Authentication Portal is enabled. This can be checked in PAN-OS under: Device > User Identification > Authentication Portal Settings > Enable Authentication Portal

An interface management profile has Response Pages enabled and is associated with an external or internet-accessible interface. This can be checked under: Network > Interface > Select the interface > Advanced Tab > Management Interface Profile

The highest-risk scenario is a firewall where the User-ID Authentication Portal is reachable from the internet or another untrusted network. Palo Alto says limited exploitation has been observed against User-ID Authentication Portals exposed to untrusted IP addresses or the public internet.

Technical Explanation: What Is a Buffer Overflow?

A buffer overflow happens when software writes more data into a memory buffer than the buffer was designed to hold. If memory boundaries are not handled safely, the excess data can overwrite adjacent memory.

CVE-2026-0300 is categorized as CWE-787: Out-of-bounds Write. This means data can be written outside the intended memory location. In vulnerable network-facing services, this class of bug can sometimes be used to crash the process, alter program execution, or execute attacker-controlled code.

In this case, the vulnerable component is the PAN-OS User-ID Authentication Portal service. Palo Alto's advisory states that specially crafted packets can trigger the flaw and allow arbitrary code execution with root privileges.

No public exploit code is needed for this to be a high-risk issue. The vendor has already confirmed exploitation, so defenders should assume capable attackers may be able to reproduce or adapt the attack.

Exploitation Status

Palo Alto Networks reports limited exploitation targeting User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. CERT-EU also warned that the vulnerability allows unauthenticated code execution with root privileges and recommends applying workarounds while patches become available.

NHS England's cyber alert describes further exploitation as highly likely, which is consistent with the pattern seen in previous edge-device vulnerabilities. Once a critical firewall vulnerability is publicly disclosed and known to be exploited, scanning and opportunistic targeting often increase quickly.

Impact: What Could an Attacker Do?

A successful exploit could allow an attacker to execute arbitrary code as root on the firewall. The exact post-exploitation behavior will depend on the attacker's goals, but root-level control of a firewall can create serious risk.

Area                Possible consequence
Confidentiality     Access to sensitive configuration, credentials, logs, traffic metadata, certificates, or secrets
Integrity           Modification of firewall rules, routing, NAT policies, authentication settings, or logging behavior
Availability        Firewall instability, service disruption, or deliberate outage
Persistence         Potential installation of backdoors or changes designed to survive normal administrative review
Evasion             Disabling or altering security controls, logging, or inspection policies
Lateral movement    Using the firewall as a privileged network position to reach internal systems

Because firewalls often sit between the internet and internal infrastructure, compromise of the appliance can undermine assumptions across the whole network.

Affected Versions and Fixed Releases

Palo Alto's advisory lists affected and planned unaffected versions across PAN-OS 12.1, 11.2, 11.1, and 10.2. The fixed releases are staged across May 13 and May 28, 2026.

PAN-OS 12.1

Affected            Fixed / unaffected
< 12.1.4-h5         >= 12.1.4-h5, ETA May 13
< 12.1.7            >= 12.1.7, ETA May 28

PAN-OS 11.2

Affected            Fixed / unaffected
< 11.2.4-h17        >= 11.2.4-h17, ETA May 28
< 11.2.7-h13        >= 11.2.7-h13, ETA May 13
< 11.2.10-h6        >= 11.2.10-h6, ETA May 13
< 11.2.12           >= 11.2.12, ETA May 28

PAN-OS 11.1

Affected            Fixed / unaffected
< 11.1.4-h33        >= 11.1.4-h33, ETA May 13
< 11.1.6-h32        >= 11.1.6-h32, ETA May 13
< 11.1.7-h6         >= 11.1.7-h6, ETA May 28
< 11.1.10-h25       >= 11.1.10-h25, ETA May 13
< 11.1.13-h5        >= 11.1.13-h5, ETA May 13
< 11.1.15           >= 11.1.15, ETA May 28

PAN-OS 10.2

Affected            Fixed / unaffected
< 10.2.7-h34        >= 10.2.7-h34, ETA May 28
< 10.2.10-h36       >= 10.2.10-h36, ETA May 13
< 10.2.13-h21       >= 10.2.13-h21, ETA May 28
< 10.2.16-h7        >= 10.2.16-h7, ETA May 28
< 10.2.18-h6        >= 10.2.18-h6, ETA May 13

How to Check Whether You Are Exposed

Security teams should evaluate exposure in two stages: version review and configuration review.

1. Identify PAN-OS versions

Inventory all PA-Series and VM-Series firewalls and record the hostname, platform, exact PAN-OS version and hotfix, whether the device has internet-facing interfaces, whether User-ID Authentication Portal is enabled, whether Response Pages are enabled on external interfaces, and current mitigation status.

Version alone is not enough. A vulnerable version without the exposed portal is lower risk than a vulnerable version with an internet-facing Captive Portal.

2. Check User-ID Authentication Portal settings

In the PAN-OS UI, go to: Device > User Identification > Authentication Portal Settings

Look for Enable Authentication Portal. This applies to both transparent and redirect modes.

3. Check interface management profiles

Go to: Network > Interface > Select the interface > Advanced Tab > Management Interface Profile

Review whether Response Pages are enabled on interfaces that can receive traffic from the internet or untrusted zones.

The key question is simple: can an untrusted host reach the User-ID Authentication Portal service?
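The fixed-release tables above and the three-step exposure check can be combined into one triage pass. The following is an added Python example (not Palo Alto's code or tooling) that encodes the fixed releases listed on this page together with the advisory's two exposure conditions. It assumes, as PAN-OS hotfix tables are normally read, that a hotfix entry such as 12.1.4-h5 covers only its own maintenance release (so 12.1.5 stays affected until 12.1.7), treats any version it cannot match as affected, and runs over a constructed inventory whose host names and field names are invented for the example.

```python
import re
FIXED_RELEASES = {  # first fixed release per line, copied from the advisory tables on this page
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> tuple:
    """Split 'major.minor.maint[-hN]' into ints; a plain release counts as hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def is_fixed(version: str):
    """True = at/above a fixed release, False = affected, None = branch not in the tables.
    Assumption: a hotfix entry such as 12.1.4-h5 covers only its own maintenance release
    (so 12.1.5 stays affected until 12.1.7); any unmatched version is treated as affected."""
    major, minor, maint, hotfix = parse_version(version)
    fixes = FIXED_RELEASES.get(f"{major}.{minor}")
    if fixes is None:
        return None
    for fix in fixes:
        _, _, fix_maint, fix_hotfix = parse_version(fix)
        if fix_hotfix == 0 and maint >= fix_maint:
            return True  # full maintenance release: it and every later release are fixed
        if fix_hotfix > 0 and maint == fix_maint and hotfix >= fix_hotfix:
            return True  # hotfix: same maintenance release, at or after that hotfix
    return False

def triage(device: dict) -> str:
    """Rank one inventory row: version status plus the advisory's two exposure conditions."""
    fixed = is_fixed(device["version"])
    exposed = device["portal_enabled"] and device["response_pages_untrusted"]
    if fixed:
        return "FIXED"
    if fixed is None:
        return "UNKNOWN_BRANCH_EXPOSED" if exposed else "UNKNOWN_BRANCH"
    if exposed:
        return "CRITICAL"  # vulnerable build and portal reachable from untrusted ingress
    return "VULNERABLE_INTERNAL" if device["portal_enabled"] else "VULNERABLE_NO_PORTAL"

# Constructed sample inventory, not real devices; each dict is one firewall.
INVENTORY = [
    {"host": "fw-edge-1", "version": "11.1.6-h31", "portal_enabled": True, "response_pages_untrusted": True},
    {"host": "fw-dc-1", "version": "12.1.5", "portal_enabled": True, "response_pages_untrusted": False},
]
```

Hosts that triage to CRITICAL are the emergency change-window targets; VULNERABLE_INTERNAL hosts still need the fixed release but are not reachable from untrusted ingress.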

Immediate Mitigation

Palo Alto recommends two primary mitigation paths.

Option 1: Restrict portal access to trusted internal IPs

Restrict User-ID Authentication Portal access to only trusted zones and trusted internal IP addresses. In addition, disable Response Pages in the Interface Management Profile attached to every Layer 3 interface in zones where untrusted or internet traffic can ingress. Keep Response Pages enabled only on interfaces in trusted internal zones where legitimate users' browsers need to access the portal.

This is the preferred mitigation when the User-ID Authentication Portal is required for business operations.

Option 2: Disable User-ID Authentication Portal

If the portal is not required, disable it. This is often the safest immediate action because it removes the vulnerable attack surface entirely.

Threat Prevention Coverage

Customers with a Palo Alto Networks Threat Prevention subscription can block attacks associated with this vulnerability by enabling Threat ID 510019 from Applications and Threats content version 9097-10022.

Palo Alto notes that decoder capabilities require PAN-OS 11.1 or later for Threat ID support.

Threat Prevention should not be treated as a full substitute for reducing exposure or applying fixed releases. It is a useful compensating control, especially while waiting for the appropriate fixed PAN-OS version.

Recommended Response Plan

First 24 hours

  • Identify all PA-Series and VM-Series firewalls
  • Determine which devices run affected PAN-OS versions
  • Check whether User-ID Authentication Portal is enabled
  • Identify whether Response Pages are enabled on internet-facing or untrusted interfaces
  • Immediately restrict portal access to trusted internal IPs or disable the portal
  • Enable Threat ID 510019 if licensed and supported
  • Prioritize exposed firewalls for emergency change windows

Next 48 to 72 hours

  • Monitor Palo Alto's advisory for fixed release availability
  • Prepare upgrade plans for the correct PAN-OS branch
  • Review firewall logs for unusual access to the Authentication Portal
  • Check for unexpected configuration changes
  • Validate that management and portal services are not exposed unnecessarily
  • Confirm that logging and forwarding to SIEM are functioning

After patching

  • Confirm the firewall is running a fixed version
  • Recheck User-ID Authentication Portal exposure
  • Keep Response Pages disabled on untrusted ingress interfaces unless explicitly required
  • Review administrative accounts, API keys, certificates, and authentication settings
  • Conduct threat hunting for suspicious activity during the exposure window
  • Document remediation actions for audit and incident response records

Detection and Hunting Guidance

Palo Alto's public advisory does not provide detailed packet-level indicators of compromise. In the absence of specific IOCs, defenders should focus on exposure analysis, suspicious access patterns, and signs of appliance compromise.

Area            Questions to ask
Exposure        Was the Authentication Portal reachable from the internet or untrusted networks?
Traffic         Were there unusual requests to captive portal endpoints from unfamiliar IPs?
Geography       Did access originate from unexpected countries or hosting providers?
Timing          Did suspicious traffic occur around or after May 6, 2026?
Configuration   Were firewall rules, management profiles, or User-ID settings changed unexpectedly?
Accounts        Were new admin accounts, API keys, or authentication profiles created?
Stability       Did the firewall experience crashes, process restarts, or unexplained service issues?
Logging         Were logs disabled, altered, or interrupted?

Organizations with exposed portals should consider treating suspicious activity as potential compromise until reviewed.

Why Internet Exposure Changes the Risk

The vendor's guidance repeatedly emphasizes that risk is greatly reduced when access to the User-ID Authentication Portal is limited to trusted internal IP addresses.

A vulnerable service reachable only from a controlled internal network still deserves remediation, but it is less exposed to broad internet scanning. A vulnerable service reachable from the public internet is far more attractive to attackers because it can be found and targeted remotely.

For CVE-2026-0300, the highest-risk profile is a PA-Series or VM-Series firewall running a vulnerable PAN-OS version with User-ID Authentication Portal enabled, Response Pages enabled on an external-facing interface, and the portal reachable from untrusted IP addresses or the public internet.

If that describes any device in your environment, it should be treated as an urgent security incident response priority.

Common Mistakes to Avoid

Mistake 1: Only checking PAN-OS version. Version review is necessary, but not sufficient. Exposure depends heavily on configuration.

Mistake 2: Assuming the management interface is the only risk. This vulnerability involves the User-ID Authentication Portal and Response Pages, not just the administrative management interface.

Mistake 3: Leaving Response Pages enabled everywhere. Response Pages should not be enabled on untrusted ingress interfaces unless there is a clear, controlled need.

Mistake 4: Waiting for a patch without mitigating. Because exploitation has already been observed, exposed portals should be restricted or disabled before waiting for maintenance windows.

Mistake 5: Assuming Threat Prevention alone solves the issue. Threat ID 510019 is useful, but reducing exposure and applying fixed releases remain essential.

Practical Remediation Checklist

  • ☐ Inventory all PA-Series and VM-Series firewalls
  • ☐ Identify PAN-OS versions and hotfix levels
  • ☐ Determine whether User-ID Authentication Portal is enabled
  • ☐ Identify internet-facing or untrusted interfaces
  • ☐ Check whether Response Pages are enabled on those interfaces
  • ☐ Restrict portal access to trusted internal IPs
  • ☐ Disable Response Pages on untrusted ingress interfaces
  • ☐ Disable User-ID Authentication Portal if not required
  • ☐ Enable Threat ID 510019 where supported
  • ☐ Schedule upgrade to fixed PAN-OS release
  • ☐ Review logs for suspicious portal access
  • ☐ Hunt for unexpected configuration or account changes
  • ☐ Document all actions taken

Final Takeaways

CVE-2026-0300 deserves immediate attention because it combines the traits defenders worry about most: network reachability, no authentication, no user interaction, low attack complexity, confirmed exploitation, and potential root-level code execution on perimeter firewalls.

The fastest way to reduce risk is to remove exposure. Restrict the User-ID Authentication Portal to trusted internal IP addresses, disable Response Pages on untrusted ingress interfaces, or disable the portal entirely if it is not needed. Then patch to the appropriate fixed PAN-OS release as soon as it is available for your branch.

For organizations with internet-exposed portals, this should be handled with the urgency of an actively exploited edge-device vulnerability, not as a routine patch cycle item.
