Exploited PAN-OS User-ID Portal RCE (CVE-2026-0300) Guidance


CyberSecureFox Editorial Team

Palo Alto Networks PAN-OS contains a critical vulnerability, CVE-2026-0300, in the User-ID Authentication Portal service, and it is already being exploited in the wild. An unauthenticated remote attacker can execute arbitrary code with root privileges on PA-Series and VM-Series firewalls, which is most dangerous where the portal is reachable from the internet. No patch is available yet, so administrators of affected devices must immediately either disable the portal where it is not needed or restrict access to it to trusted internal networks only.

Technical details of CVE-2026-0300

According to the Palo Alto Networks advisory, CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal (Captive Portal) service of PAN-OS. By sending specially crafted network packets, an attacker can achieve arbitrary code execution with root privileges, without any authentication, on:

  • PA-Series devices;
  • VM-Series virtual firewalls;

provided that the User-ID Authentication Portal is enabled on them.

The severity of the vulnerability is formally rated by CVSS as:

  • 9.3 — if the User-ID Authentication Portal is accessible from the internet or any untrusted network;
  • 8.7 — if access to the portal is restricted to trusted internal IP addresses only.

The defect is the same in both cases; only the service’s exposure changes the score. In MITRE ATT&CK terms this is T1190 Exploit Public-Facing Application: exploitation of a network service reachable by untrusted clients.

The vendor emphasizes that the vulnerability:

  • is already under limited exploitation in the wild;
  • is being exploited in configurations where the User-ID Authentication Portal is left publicly accessible;
  • does not affect devices where this service is not configured or is disabled.

At the time the advisory was published, no fix was available. Palo Alto Networks plans to start releasing security updates on 13 May 2026. The full list of affected PAN-OS versions is given in the advisory on the vendor’s Palo Alto Networks Security Advisories page; the NVD record is at NVD: CVE-2026-0300.

Impact assessment and risk profile

The key characteristic of this vulnerability is the combination of three factors:

  • remote network-based exploitation;
  • no authentication required at all;
  • obtaining root privileges at the network perimeter.

In real-world architectures, a PAN-OS firewall often forms the first line of defense between external and internal networks. Compromising such a device with root privileges practically means losing trust in the entire network perimeter. Potential consequences include:

  • Full control over traffic: interception, tampering, selective blocking or allowing of connections, injection of malicious content into data streams.
  • Bypassing existing security policies: creating hidden rules, tunnels, or policies that allow data exfiltration or persistent access to go unnoticed.
  • Beachhead for further lateral movement: using the compromised firewall as an intermediate point for attacks on internal servers, segments, and accounts.
  • Compromise of log integrity: an attacker with root privileges can wipe traces, falsify logs, or redirect them to external systems.

Palo Alto Networks’ wording “limited exploitation” means that attacks have been observed but, in the vendor’s assessment, are not yet widespread and focus on the most exposed configurations, those with the User-ID Authentication Portal reachable from the internet. Historically, such situations tend to progress from isolated targeted attacks to large-scale scanning once detailed analyses or ready-made exploits appear.

Segments where the risk is particularly high:

  • organizations where the User-ID Authentication Portal is used to force users to authenticate before they get network access, and the portal is exposed externally;
  • infrastructures with many branches and remote users where the portal may have been placed in an internet-accessible zone “for convenience”;
  • any environments where a PAN-OS firewall is the only perimeter control point and the sole segmentation barrier.

Even if the portal is reachable only from internal networks, the risk does not disappear: an attacker who has already gained a foothold on the local network (through phishing, a compromised workstation, etc.) can use the vulnerability to go straight from that foothold to root on the firewall. This makes CVE-2026-0300 a force multiplier for other attack vectors.

Practical recommendations before patches are released

1. Immediate configuration review

The first priority is to understand on which devices a real attack vector exists:

  1. Compile an inventory of all PA-Series and VM-Series firewalls running PAN-OS in your infrastructure.
  2. For each device, check whether the User-ID Authentication Portal is enabled.
  3. Determine from which network zones it is accessible:
    • whether there is direct access from the internet;
    • whether it is reachable from any “guest” or other untrusted networks;
    • or whether it is restricted strictly to internal addresses / VPN.

Devices with an active portal accessible from the internet or other untrusted segments should be classified as critically exposed.
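
The inventory and classification steps above can be automated against exported device configurations. The script below is an added example and is not code from the advisory or from Palo Alto Networks. It assumes the XML layout of a PAN-OS running-config export as the editor remembers it (a `captive-portal/enable-captive-portal` flag under the vsys, interface-management profiles with `response-pages` and `permitted-ip` entries, and zone membership under `zone/entry/network/layer3/member`); these element names must be checked against a real export before use. The three sample configurations and the set of zone names treated as untrusted are constructed for the example.

```python
"""Classify PAN-OS firewalls by Authentication Portal exposure from exported
configs. Added example; XML element names are an assumption modelled on a
PAN-OS running-config export and must be verified against a real export."""
import ipaddress
import xml.etree.ElementTree as ET

# Assumption: zone names your organisation treats as untrusted; adapt as needed.
UNTRUSTED_ZONES = {"untrust", "internet", "guest", "dmz-public"}

CRITICAL, INTERNAL, NOT_AFFECTED = "CRITICAL", "INTERNAL_ONLY", "NOT_AFFECTED"


def _yes(node):
    return node is not None and (node.text or "").strip().lower() == "yes"


def portal_enabled(root):
    # Assumed location of the portal on/off flag; absence is treated as disabled.
    return _yes(root.find(".//vsys/entry/captive-portal/enable-captive-portal"))


def portal_profiles(root):
    """Interface-management profiles that serve response pages (the portal in
    redirect mode), mapped to their permitted-ip list (empty = any source)."""
    out = {}
    for prof in root.findall(".//network/profiles/interface-management-profile/entry"):
        if _yes(prof.find("response-pages")):
            out[prof.get("name")] = [e.get("name") for e in prof.findall("permitted-ip/entry")]
    return out


def interface_zones(root):
    zones = {}
    for zone in root.findall(".//vsys/entry/zone/entry"):
        for m in zone.findall("network/layer3/member"):
            zones[(m.text or "").strip()] = zone.get("name")
    return zones


def unrestricted(permitted):
    # No permitted-ip entries means any source; an explicit 0.0.0.0/0 is the same.
    if not permitted:
        return True
    return any(ipaddress.ip_network(p, strict=False).prefixlen == 0 for p in permitted)


def classify(config_xml):
    """Return (hostname, status, [(interface, zone, no_source_restriction), ...])."""
    root = ET.fromstring(config_xml)
    hostname = root.findtext(".//deviceconfig/system/hostname", default="?")
    if not portal_enabled(root):
        return hostname, NOT_AFFECTED, []
    profiles, zones, exposures = portal_profiles(root), interface_zones(root), []
    for iface in root.findall(".//network/interface/ethernet/entry"):
        prof = iface.findtext("layer3/interface-management-profile")
        if prof in profiles:
            name = iface.get("name")
            exposures.append((name, zones.get(name, "?"), unrestricted(profiles[prof])))
    # Any portal-serving interface in an untrusted zone is the 9.3 case; a
    # permitted-ip filter on such an interface is not treated as mitigation here.
    critical = any(zone in UNTRUSTED_ZONES for _, zone, _ in exposures)
    return hostname, CRITICAL if critical else INTERNAL, exposures


def sample_config(hostname, portal, zone, permitted):
    """Constructed sample export for the example, not a real device config."""
    perm = "".join(f'<entry name="{p}"/>' for p in permitted)
    return f"""<config><devices><entry name="localhost.localdomain">
 <deviceconfig><system><hostname>{hostname}</hostname></system></deviceconfig>
 <network>
  <profiles><interface-management-profile>
   <entry name="portal-mp"><response-pages>yes</response-pages><permitted-ip>{perm}</permitted-ip></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
   <entry name="ethernet1/1"><layer3><interface-management-profile>portal-mp</interface-management-profile></layer3></entry>
  </ethernet></interface>
 </network>
 <vsys><entry name="vsys1">
  <captive-portal><enable-captive-portal>{portal}</enable-captive-portal></captive-portal>
  <zone><entry name="{zone}"><network><layer3><member>ethernet1/1</member></layer3></network></entry></zone>
 </entry></vsys>
</entry></devices></config>"""


SAMPLES = [
    sample_config("fw-edge-01", "yes", "untrust", []),              # portal on the internet edge
    sample_config("fw-campus-02", "yes", "trust", ["10.0.0.0/8"]),  # internal, source-restricted
    sample_config("fw-dc-03", "no", "trust", []),                   # portal disabled
]


def report(configs=SAMPLES):
    return [classify(c) for c in configs]


if __name__ == "__main__":
    for host, status, exposures in report():
        print(f"{host:14} {status:14} {exposures}")
```

Feed it the XML of each firewall (exported from the device or pulled from Panorama) instead of the constructed samples; a CRITICAL result is the 9.3 case and goes to the top of the mitigation and patch order, INTERNAL_ONLY still needs the vendor's access restriction, and NOT_AFFECTED devices only need to stay that way until patched.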

2. Temporary disabling or strict access restriction

Before patches are released, there are two basic approaches to risk reduction, both recommended by the vendor:

  • Completely disable the User-ID Authentication Portal if the functionality is not critical to business processes.
    • This is the most reliable and unambiguous way to eliminate the attack vector.
    • It requires assessing which services or authentication scenarios depend on this portal.
  • Strictly restrict access if disabling is not possible:
    • allow access to the portal only from trusted network zones and strictly defined addresses;
    • block any access to this service from internet addresses and guest / third-party networks;
    • if necessary, place portal access behind a VPN to eliminate its direct exposure.

Even just restricting access from the internet shifts the risk from “fully remote exploitation” to “usable only after an intruder has penetrated the internal network.”

3. Preparing for PAN-OS updates

Given the announced release of fixes from 13 May 2026, it is recommended to:

  • monitor the Palo Alto Networks security advisory page for updates on CVE-2026-0300;
  • plan an unscheduled maintenance window to update all affected PAN-OS versions;
  • prepare a rollback procedure in case the update causes side effects.

Patch in the following order of priority:

  • first — devices whose portal was previously reachable from the internet;
  • next — all other devices where the portal is enabled, even if it is internal-only;
  • last — devices where the User-ID Authentication Portal is not used (for them, the risk from CVE-2026-0300 is minimal).

4. Monitoring and searching for possible compromise

Although the original advisory does not provide specific IOCs, it makes sense to strengthen monitoring of PAN-OS devices:

  • analyze User-ID Authentication Portal access logs for unusual sources or activity at atypical times;
  • check for anomalous changes to firewall configuration (new rules, objects, policies not initiated by administrators);
  • strengthen integrity monitoring and configuration backups for devices so that unauthorized changes can be detected and rolled back;
  • coordinate with the SOC or an external monitoring provider to prioritize correlation of events related to PAN-OS under the Exploit Public-Facing Application technique.
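
The first two monitoring points above, portal access from unusual sources or at atypical times and configuration changes not tied to known administrators, can be turned into a simple triage pass. The script below is an added example, not code from the advisory or the vendor. The record format is a simplified CSV constructed for the example (timestamp, source IP, event, actor) and is not the real PAN-OS log layout; the trusted address ranges, business hours, administrator allow-list and burst threshold are placeholders to adapt.

```python
"""Triage constructed portal-access and commit records for the signals the
text lists: untrusted sources, off-hours activity, bursts from one source,
and commits by unknown actors. Added example with constructed data."""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Placeholders (assumptions): adapt to your environment.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time
KNOWN_ADMINS = {"admin-jdoe", "admin-msmith"}
BURST_THRESHOLD, BURST_WINDOW = 3, timedelta(minutes=1)  # low threshold for the sample

# Constructed records: timestamp,src_ip,event,actor  ("-" = no actor)
PORTAL_LOG = """2026-05-04T09:12:01,10.20.3.7,portal-access,-
2026-05-04T09:12:40,10.20.3.9,portal-access,-
2026-05-04T03:41:13,203.0.113.45,portal-access,-
2026-05-04T03:41:14,203.0.113.45,portal-access,-
2026-05-04T03:41:14,203.0.113.45,portal-access,-
2026-05-04T03:52:30,203.0.113.45,commit,unknown
2026-05-04T10:05:00,10.20.3.7,commit,admin-jdoe"""


def parse(records):
    rows = []
    for line in records.strip().splitlines():
        ts, src, event, actor = line.split(",")
        rows.append({"ts": datetime.fromisoformat(ts), "src": ipaddress.ip_address(src),
                     "event": event, "actor": actor})
    rows.sort(key=lambda r: r["ts"])   # burst detection needs time order
    return rows


def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)


def triage(records=PORTAL_LOG):
    """Return [(timestamp, src, event, [reasons]), ...] for records worth a look."""
    findings, recent_hits = [], defaultdict(list)
    for r in parse(records):
        reasons = []
        if not is_trusted(r["src"]):
            reasons.append("untrusted source")
        if r["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        if r["event"] == "commit" and r["actor"] not in KNOWN_ADMINS:
            reasons.append("commit by unknown actor")
        if r["event"] == "portal-access":
            # keep only hits from this source inside the sliding window
            hits = [t for t in recent_hits[r["src"]] if r["ts"] - t <= BURST_WINDOW]
            hits.append(r["ts"])
            recent_hits[r["src"]] = hits
            if len(hits) >= BURST_THRESHOLD:
                reasons.append(f"burst: {len(hits)} hits within {BURST_WINDOW}")
        if reasons:
            findings.append((r["ts"].isoformat(), str(r["src"]), r["event"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, event, reasons in triage():
        print(ts, src, event, "; ".join(reasons))
```

On the constructed data the three off-hours hits from 203.0.113.45 and the commit by an actor outside the allow-list are flagged, while daytime access from internal addresses and the commit by a known administrator are not. Against real data, replace `PORTAL_LOG` with records exported from the firewall or your SIEM, and treat a commit from an untrusted source or unknown actor as the trigger for the compromised-node handling described below.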

If there is suspicion of a possible compromise, it is advisable to treat such a firewall as a compromised node and apply corresponding measures: isolation, forensics, rotation of keys and passwords, and inspection of internal systems for signs of further attacker movement.

Until fixes for CVE-2026-0300 are released, the key risk-reduction step is to remove access to the User-ID Authentication Portal from the internet and any untrusted networks and, where possible, temporarily disable the service. Once PAN-OS updates are available, install them as quickly as possible on all PA-Series and VM-Series devices where the portal is used, and only then consider returning the portal to its previous usage scenarios.

