May 6, 2026
Rewterz

Critical Palo Alto Firewall Flaw Actively Exploited for Root Access

Severity

High

Analysis Summary

Palo Alto Networks has disclosed a critical security vulnerability, tracked as CVE-2026-0300, affecting its PAN-OS firewall software. The flaw is a buffer overflow vulnerability (CWE-787) located within the User-ID Authentication Portal, also known as the Captive Portal service. It carries a severe CVSS 4.0 score (Critical) and is particularly dangerous because it allows unauthenticated remote attackers to execute arbitrary code with full root-level privileges. Exploitation requires no credentials, no user interaction, and no complex attack conditions, making it highly attractive for automated large-scale attacks. Palo Alto has also confirmed that the vulnerability is already being actively exploited in the wild, significantly increasing the urgency for remediation.

The vulnerability specifically affects internet-facing or untrusted-network-accessible Authentication Portal instances running vulnerable PAN-OS versions across both PA-Series and VM-Series firewalls. Impacted versions include multiple releases across PAN-OS 10.2, 11.1, 11.2, and 12.1 branches, with fixed versions already identified for each release train. The issue does not affect Prisma Access, Cloud NGFW, or Panorama appliances. The severity becomes especially critical when the Authentication Portal is exposed directly to the public internet, where the attack vector is fully network-based and highly automatable. Even in restricted adjacent-network scenarios, the risk remains extremely high due to the potential for root-level compromise.

Successful exploitation grants attackers complete administrative control over the targeted firewall, enabling extensive post-compromise activities such as traffic interception, credential harvesting, configuration manipulation, lateral movement, and broader network compromise. Since enterprise firewalls act as strategic security gateways and network chokepoints, compromising them gives adversaries a powerful foothold for surveillance, persistence, and full infrastructure takeover. The vulnerability’s active exploitation status, combined with its low attack complexity and high privilege impact, makes it one of the most critical firewall security threats disclosed in recent months.

To mitigate the risk, Palo Alto Networks has scheduled security patches for release between May 13 and May 28, 2026, depending on the affected PAN-OS branch. Until patches are applied, organizations are strongly advised to immediately restrict Authentication Portal access to trusted internal IP addresses or disable the feature entirely if it is not operationally necessary. For customers with licensed Threat Prevention, a protection signature released on May 5, 2026, provides an additional detection and blocking layer for PAN-OS 11.1 and later. Security teams should urgently audit firewall configurations via Device > User Identification > Authentication Portal Settings to identify exposure, as any externally accessible Authentication Portal should be treated as a high-priority emergency remediation case due to confirmed in-the-wild exploitation.

Impact

  • Code Execution
  • Gain Access

Indicators of Compromise

CVE

  • CVE-2026-0300

Remediation

  • Immediately upgrade PAN-OS to the latest patched version released by Palo Alto Networks for your specific PAN-OS branch.
  • Disable the User-ID Authentication Portal if it is not actively required for business operations.
  • Restrict Authentication Portal access to trusted internal IP addresses only and block access from public or untrusted networks.
  • Apply Palo Alto Threat Prevention signatures (available for PAN-OS 11.1 and later) to detect and block exploitation attempts.
  • Audit firewall configurations by reviewing Device > User Identification > Authentication Portal Settings.
  • Identify and remove internet exposure of any Captive Portal instances immediately.
  • Monitor firewall logs for suspicious authentication requests, malformed packets, or unusual portal activity.
  • Enable continuous threat monitoring to detect signs of exploitation or unauthorized administrative actions.
  • Conduct a compromise assessment on exposed firewalls to identify potential root-level intrusion.
  • Rotate administrative credentials and review privileged accounts if exposure is suspected.
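To support the first remediation step (upgrading to the fixed release for your branch), the following triage helper is an added example, not Rewterz or Palo Alto Networks code. It reads the `sw-version` field from a `show system info` XML API response, orders PAN-OS versions correctly (hotfix builds such as `11.1.4-h7` sort above the base release), and reports whether the device sits in one of the affected branches named above. The first fixed build in each branch is not stated on this page, so the `FIXED_VERSION` table holds placeholders that must be replaced with the numbers from the vendor advisory; the sample response is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Branches the advisory names as affected (10.2, 11.1, 11.2, 12.1).
AFFECTED_BRANCHES = ("10.2", "11.1", "11.2", "12.1")
# PLACEHOLDERS: the advisory page does not list the first fixed build per
# branch. Replace these with the values from the Palo Alto Networks advisory.
FIXED_VERSION = {
    "10.2": "10.2.99",
    "11.1": "11.1.99",
    "11.2": "11.2.99",
    "12.1": "12.1.99",
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(v):
    """'11.1.4-h7' -> (11, 1, 4, 7); a release without a hotfix sorts as h0."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def branch_of(v):
    major, minor, *_ = parse_version(v)
    return f"{major}.{minor}"

def assess(sw_version):
    """Return 'patched', 'vulnerable' or 'not-in-affected-branch'."""
    branch = branch_of(sw_version)
    if branch not in AFFECTED_BRANCHES:
        return "not-in-affected-branch"
    if parse_version(sw_version) >= parse_version(FIXED_VERSION[branch]):
        return "patched"
    return "vulnerable"

def version_from_system_info(xml_text):
    """Pull <sw-version> out of a 'show system info' XML API response."""
    root = ET.fromstring(xml_text)
    node = root.find("./result/system/sw-version")
    if node is None or not node.text:
        raise ValueError("sw-version not present in response")
    return node.text.strip()

# Constructed sample, shaped like the PAN-OS XML API reply to 'show system info'.
SAMPLE = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname><sw-version>11.1.4-h7</sw-version>
</system></result></response>"""

if __name__ == "__main__":
    v = version_from_system_info(SAMPLE)
    print(v, "->", assess(v))
```

A "patched" result only covers the software fix; the portal's exposure to untrusted networks should still be reviewed under the access-restriction steps above.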