CVE-2026-0300

Palo Alto Networks PAN-OS — Unauthenticated RCE via Out-of-bounds Write in Authentication Portal
CVSS 3.1: 9.3 / 10 (CRITICAL) | CISA Known Exploited Vulnerability

What is PAN-OS?

PAN-OS is the operating system powering Palo Alto Networks' next-generation firewalls (NGFWs), including the PA-Series hardware appliances and VM-Series virtual firewalls. These devices are deployed as network perimeter controls, data center security gateways, and internet edge firewalls across enterprises, government agencies, and critical infrastructure globally.

PAN-OS firewalls are high-value targets for attackers because they sit at network chokepoints — exploiting one typically grants an unauthenticated attacker a pivot point inside the defended network with root-level access to the security device itself.

Overview

Actively Exploited — CRITICAL (CVSS 9.3). Palo Alto Networks has confirmed limited exploitation in production environments. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on May 6, 2026 with a remediation deadline of May 9, 2026. Federal agencies are required to apply mitigations per BOD 22-01. Patches are not yet available, so mitigations must be applied immediately.

CVE-2026-0300 is a buffer overflow (out-of-bounds write, CWE-787) in the User-ID Authentication Portal (also known as the Captive Portal service) of Palo Alto Networks PAN-OS. An unauthenticated remote attacker can send specially crafted packets to the portal to trigger the overflow and execute arbitrary code with root privileges on the firewall.

The vulnerability is rated CRITICAL at CVSS 9.3 and is being actively exploited in the wild. Palo Alto Networks has rated the urgency HIGHEST. Patches are expected between May 13–28, 2026 depending on the PAN-OS branch.

Affected Versions

PAN-OS Branch | Vulnerable Versions                                                                  | Fixed Version (ETA)
PAN-OS 12.1   | < 12.1.4-h5 or < 12.1.7                                                              | 12.1.4-h5 / 12.1.7
PAN-OS 11.2   | < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, or < 11.2.12                               | 11.2.4-h17 / 11.2.12
PAN-OS 11.1   | < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, or < 11.1.15   | 11.1.4-h33 / 11.1.15
PAN-OS 10.2   | < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, or < 10.2.18-h6            | 10.2.7-h34 / 10.2.18-h6

Not affected: Cloud NGFW, Prisma Access, Panorama.
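As an added example (not from the advisory or from Palo Alto Networks), the following Python check compares PAN-OS version strings against the fixed versions in the table above so an inventory can be triaged before the hotfix windows open. It assumes the vendor's usual convention that a hotfix such as 11.2.7-h13 fixes only that maintenance release while the highest fixed release on a branch carries the fix into every later release; the hostnames and versions in the inventory are constructed.

```python
import re
# Fixed versions per affected branch, copied from the advisory table above.
FIXED = {
    (12, 1): ["12.1.4-h5", "12.1.7"],
    (11, 2): ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    (11, 1): ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    (10, 2): ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

# major.minor.maintenance with an optional -hN hotfix: '11.2.4-h17' -> (11, 2, 4, 17), no hotfix -> 0
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(s):
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def is_vulnerable(version):
    """True if below every applicable fix, False if fixed, None if the branch is not in the advisory."""
    v = parse_version(version)
    fixes = FIXED.get(v[:2])
    if fixes is None:
        return None
    parsed = sorted(parse_version(f) for f in fixes)
    # Assumption: the highest fixed release on a branch carries the fix into all later releases.
    if v >= parsed[-1]:
        return False
    # Assumption: an earlier hotfix (e.g. 11.2.7-h13) fixes only its own maintenance release.
    for f in parsed[:-1]:
        if v[2] == f[2] and v[3] >= f[3]:
            return False
    return True

# Constructed sample inventory; hostnames and versions are made up for this example.
INVENTORY = [
    ("fw-edge-01", "11.1.4-h32"), ("fw-edge-02", "11.1.4-h33"),
    ("fw-dc-01", "10.2.11"), ("fw-lab-01", "10.1.9"),
]

def vulnerable_hosts(inventory):
    findings = []
    for host, ver in inventory:
        status = is_vulnerable(ver)
        if status is None:
            findings.append((host, ver, "branch not in advisory; verify manually"))
        elif status:
            findings.append((host, ver, "VULNERABLE"))
    return findings
```

A host flagged VULNERABLE still needs the exposure check in the next section: it is only reachable if the Authentication Portal is enabled on an interface whose management profile exposes Response Pages.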

Exposure Conditions

The vulnerability is only reachable when both conditions are met:

  1. User-ID Authentication Portal is enabled on the interface
  2. The interface's management profile has Response Pages enabled and is accessible from the internet

If the Authentication Portal is only reachable from trusted internal zones, the attack surface is substantially reduced — but not eliminated, as insider threats or already-compromised internal hosts could still exploit it.

Technical Details

The flaw is an out-of-bounds write (CWE-787) — a class of memory corruption vulnerability where a write operation exceeds the bounds of an allocated buffer. In PAN-OS, the Captive Portal / User-ID Authentication Portal service fails to properly validate the size or contents of attacker-controlled input in incoming packets. A crafted packet triggers a write past the end of a stack or heap buffer, overwriting adjacent memory including control structures (e.g., return addresses, function pointers).

Because the Authentication Portal runs with root privileges, successful exploitation grants the attacker code execution at the highest privilege level on the firewall OS — full device compromise.

Attribute               | Detail
Attack Vector           | Network
Authentication Required | None (pre-authentication)
User Interaction        | None
Affected Component      | User-ID Authentication Portal (Captive Portal service)
Impact                  | Root-level RCE on PA-Series / VM-Series firewalls
CWE                     | CWE-787 — Out-of-bounds Write

Discovery

Palo Alto Networks' advisory attributes discovery to in-production exploitation, meaning the vulnerability was first identified through threat intelligence observing active attacks against real-world deployments — not through researcher-initiated responsible disclosure. This is consistent with the zero-day nature of the exploit at time of disclosure: no patch was available when CISA added it to the KEV catalog.

Exploitation Context

Palo Alto Networks confirmed limited exploitation in production as of the May 5–6, 2026 advisory publication. The combination of:

  • Pre-authentication (no credentials needed)
  • Network-accessible attack surface (Captive Portal exposed to internet in many enterprise configurations)
  • Root-level code execution on a network security appliance

makes this an extremely attractive initial-access vector for both nation-state actors and financially motivated threat groups. Firewalls with Captive Portal exposed to the public internet are discoverable via Shodan/Censys queries targeting PAN-OS management interfaces.

The 3-day CISA KEV deadline (added May 6, deadline May 9) reflects the severity of confirmed in-the-wild exploitation and the criticality of affected assets.

No patch yet available. Unlike most KEV entries where patches precede the deadline, CVE-2026-0300 patches are not expected until May 13–28, 2026 — after the BOD 22-01 deadline. Organizations must apply the workarounds below immediately and patch as soon as hotfixes are released.

Remediation

CISA BOD 22-01 Deadline: May 9, 2026. Patches are not yet available. Apply the mitigations below immediately and monitor Palo Alto Networks' advisory for patch availability (expected May 13–28, 2026).

  1. Restrict Authentication Portal access to trusted zones only — In the interface management profile, limit Response Pages to internal/trusted source IPs. Remove internet-facing exposure of the Authentication Portal immediately.

  2. Disable User-ID Authentication Portal if not needed — If Captive Portal / User-ID Authentication Portal is not actively used, disable it entirely. This eliminates the attack surface.

  3. Enable Threat Prevention (PAN-OS 11.1+ only) — Enable Threat ID 510019 on security policies covering the Authentication Portal traffic with a Threat Prevention subscription. This provides detection and blocking of known exploit attempts.

  4. Apply hotfixes as soon as released — Monitor the Palo Alto Networks advisory and apply the appropriate fixed version for your branch (10.2.x, 11.1.x, 11.2.x, or 12.1.x) as soon as it becomes available.

  5. Review firewall logs for exploitation indicators — Check for anomalous traffic to the Authentication Portal from external IPs, unexpected root-level process activity, or outbound connections from the firewall to unknown hosts.

Key Details

Property             | Value
CVE ID               | CVE-2026-0300
Vendor / Product     | Palo Alto Networks — PAN-OS
NVD Published        | 2026-05-05
CVSS 3.1 Score       | 9.3
Severity             | CRITICAL
CWE                  | CWE-787 — Out-of-bounds Write
CISA KEV Added       | 2026-05-06
CISA KEV Deadline    | 2026-05-09
Known Ransomware Use | No

Required Action

CISA BOD 22-01 Deadline: 2026-05-09. Apply mitigations per vendor instructions. Until patches are available (expected May 13–28, 2026): restrict User-ID Authentication Portal access to trusted internal IP zones only, or disable the portal if not in use. Enable Threat Prevention Threat ID 510019 on PAN-OS 11.1+ with an active Threat Prevention subscription.

Timeline

Date       | Event
2026-05-05 | CVE published; Palo Alto Networks Security Advisory released
2026-05-06 | Advisory updated with Threat Prevention mitigation details; added to CISA Known Exploited Vulnerabilities catalog
2026-05-09 | CISA BOD 22-01 remediation deadline
2026-05-13 | Earliest expected patch availability (per Palo Alto Networks advisory)
2026-05-28 | Latest expected patch availability for all affected PAN-OS branches

References

Resource                                             | Type
Palo Alto Networks Security Advisory — CVE-2026-0300 | Vendor Advisory / Patch
NVD — CVE-2026-0300                                  | Vulnerability Database
CISA KEV Catalog Entry                               | US Government
CWE-787 — Out-of-bounds Write                        | Weakness Classification