Palo Alto Networks has issued a critical alert regarding a buffer overflow vulnerability, CVE-2026-0300, in its PAN-OS software. The flaw allows unauthenticated remote code execution and has already been observed under limited exploitation in the wild, posing a significant risk to affected firewall systems. The company emphasized that the vulnerability affects specific configurations of its User-ID Authentication Portal.
The reported exploitation specifically targets instances where the User-ID Authentication Portal is publicly accessible. A buffer overflow vulnerability in this service allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. The severity of CVE-2026-0300 is rated at CVSS 9.3 when the User-ID Authentication Portal is configured for internet or untrusted network access, decreasing to 8.7 if access is confined to trusted internal IP addresses.
Palo Alto PAN-OS Flaw Exploited in the Wild
The critical vulnerability, identified as CVE-2026-0300, affects several versions of PAN-OS. Palo Alto Networks has indicated that the exploitation is limited and primarily targets environments where the User-ID Authentication Portal is exposed to the public internet. This unauthenticated remote code execution vulnerability can be triggered by sending specially crafted packets to the affected firewalls.
Affected versions of PAN-OS include:
- PAN-OS 12.1: Versions prior to 12.1.4-h5 and 12.1.7
- PAN-OS 11.2: Versions prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
- PAN-OS 11.1: Versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 10.2: Versions prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
The vulnerability is specifically applicable to PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal. Palo Alto Networks stated that customers adhering to standard security best practices, such as limiting access to sensitive portals to trusted internal networks, face a significantly reduced risk.
Mitigation and Patching Timeline
As of the advisory’s release, a patch for CVE-2026-0300 is not yet available. Palo Alto Networks has announced that fixes are scheduled to begin rolling out on May 13, 2026. In the interim, users are strongly advised to implement immediate mitigation strategies.
The company recommends two primary courses of action for organizations using affected PAN-OS versions. Firstly, systems administrators should restrict access to the User-ID Authentication Portal to only trusted network zones. This step is crucial to limit the attack surface and reduce the likelihood of exploitation. Secondly, if the User-ID Authentication Portal is not a required function for the firewall’s operation, it should be disabled entirely until patches can be applied.
The exploitation of this critical vulnerability underscores the persistent threats faced by network infrastructure and the importance of proactive security measures, timely patching, and close monitoring of vendor security advisories. Affected customers should watch for the patches Palo Alto Networks plans to release on May 13, 2026, and apply them as quickly as possible to secure their systems against potential remote code execution attacks.

