CVE-2026-0300: A Critical Zero-Day Vulnerability in Palo Alto Networks Firewalls
Palo Alto Networks has warned customers of a critical-severity unpatched vulnerability in the PAN-OS User-ID Authentication Portal, also known as the Captive Portal. This vulnerability, tracked as CVE-2026-0300, is a buffer overflow weakness that allows unauthenticated attackers to execute arbitrary code with root privileges on Internet-exposed PA-Series and VM-Series firewalls via specially crafted packets.
According to Palo Alto Networks, limited exploitation of this vulnerability has been observed, targeting User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet. However, customers who follow standard security best practices, such as restricting sensitive portals to trusted internal networks, are at a greatly reduced risk.
Exposure of PAN-OS Firewalls
Internet threat watchdog Shadowserver is currently tracking over 5,800 PAN-OS VM-series firewalls exposed online, with the majority located in Asia (2,466) and North America (1,998). This exposure highlights the potential risk of exploitation, as attackers can easily identify and target vulnerable firewalls.
Mitigation and Recommendations
Palo Alto Networks has flagged this vulnerability as the highest possible severity and recommends that customers secure the User-ID Authentication Portal by restricting access to trusted zones only, or disabling the portal if that is not possible. Admins can quickly check whether their firewalls are configured to use the vulnerable service from the User-ID Authentication Portal Settings page, found under Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.
Until a patch is available, customers are advised to take immediate action to mitigate the risk of exploitation. This includes restricting access to the User-ID Authentication Portal and monitoring for any suspicious activity.
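Turning the vendor's guidance into a repeatable check: the following is an added example (not from the article or from Palo Alto Networks) that reads an exported PAN-OS configuration and reports whether the Authentication Portal is enabled and which interfaces serve it from zones you do not consider trusted. The XML element names and the sample configuration are assumptions; confirm them against an export from your own device before relying on the result.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS running-config export. The element names
# (captive-portal/enable-captive-portal, interface-management profiles with
# response-pages, zone membership) are ASSUMPTIONS about the schema.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles><interface-management>
        <entry name="mgmt-untrust"><response-pages>yes</response-pages></entry>
        <entry name="ping-only"><ping>yes</ping></entry>
      </interface-management></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3><interface-management-profile>mgmt-untrust</interface-management-profile></layer3></entry>
        <entry name="ethernet1/2"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1">
      <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
      <zone>
        <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
        <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
      </zone>
    </entry></vsys>
  </entry></devices>
</config>"""

TRUSTED_ZONES = {"trust"}  # constructed: the zones you treat as trusted


def portal_exposure(config_xml, trusted_zones=TRUSTED_ZONES):
    """Return (portal_enabled, [(interface, zone, profile)]) for interfaces
    that serve response pages (the portal runs on these) outside trusted zones."""
    root = ET.fromstring(config_xml)
    enabled = root.findtext(".//captive-portal/enable-captive-portal") == "yes"
    # Interface-management profiles that serve response pages.
    serving = {e.get("name") for e in root.iterfind(".//interface-management/entry")
               if e.findtext("response-pages") == "yes"}
    # Map each interface name to the zone that lists it as a member.
    zone_of = {m.text: z.get("name")
               for z in root.iterfind(".//zone/entry")
               for m in z.iterfind(".//member")}
    exposed = []
    for iface in root.iterfind(".//interface//entry[layer3]"):
        prof = iface.findtext("layer3/interface-management-profile")
        zone = zone_of.get(iface.get("name"))
        if prof in serving and zone not in trusted_zones:
            exposed.append((iface.get("name"), zone, prof))
    return enabled, exposed


if __name__ == "__main__":
    enabled, exposed = portal_exposure(SAMPLE_CONFIG)
    print("Authentication Portal enabled:", enabled)
    for name, zone, prof in exposed:
        print(f"  {name}: zone={zone}, profile={prof} -> restrict or disable")
```

An interface listed in the output is one where the portal is reachable from a zone outside your trusted set; the vendor's advice is to move it behind a trusted zone or disable the portal until the fix ships.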
History of PAN-OS Firewall Vulnerabilities
PAN-OS firewalls have frequently been targeted in attacks, often exploiting zero-day security vulnerabilities. In November 2024, Shadowserver revealed that thousands of firewalls had been compromised in attacks that chained two PAN-OS firewall zero-days. One month later, Palo Alto Networks warned that hackers were exploiting another PAN-OS DoS flaw to target PA-Series, VM-Series, and CN-Series firewalls, forcing them to reboot and disable firewall protections.
Soon after, in February, attackers switched to abusing three other PAN-OS flaws to compromise Palo Alto Networks firewalls with internet-facing management interfaces. These incidents highlight the importance of staying vigilant and taking proactive measures to protect against potential vulnerabilities.
Statement from Palo Alto Networks
This vulnerability is specific to a limited number of customers with their User-ID Authentication Portal (Captive Portal) exposed to the public internet or untrusted IP addresses. We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13, 2026. We have provided clear mitigation guidance to our customers to secure their environments immediately. This issue does not impact Cloud NGFW or Panorama appliances. We remain committed to a transparent, security-first approach to protect our global customer base.
Palo Alto Networks says its products and services are used by more than 70,000 customers worldwide, including 90% of Fortune 10 companies and most of the largest U.S. banks. As such, it is essential for customers to take immediate action to protect themselves against this vulnerability.
Conclusion
The CVE-2026-0300 vulnerability in Palo Alto Networks firewalls is a critical-severity issue that requires immediate attention. Customers are advised to take proactive measures to mitigate the risk of exploitation, including restricting access to the User-ID Authentication Portal and monitoring for suspicious activity. With the potential for widespread exploitation, it is essential for organizations to stay vigilant and prioritize their security posture.
Source: BleepingComputer