Entrar
CVE-2026-0300: Palo Alto PAN-OS Zero-Day Enables Root RCE on Exposed Firewalls
Edge security appliances remain high-value targets, especially when a flaw can be exploited before a patch is widely available. The CVE-2026-0300 vulnerability is a critical buffer overflow in the User-ID Authentication Portal, also known as Captive Portal, in Palo Alto Networks PAN-OS. Palo Alto rates it 9.3/10 when the portal is exposed to the internet or other untrusted networks, and says an unauthenticated attacker can execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls by sending specially crafted packets.
For teams beginning CVE-2026-0300 analysis, the most important details for CVE-2026-0300 are the exposure conditions: the issue applies only when User-ID Authentication Portal is enabled, and Palo Alto says risk is greatly reduced when access is limited to trusted internal IP addresses. The company also says limited exploitation has already been observed against portals exposed to untrusted IP space or the public internet.
In practice, CVE-2026-0300 affects only PA-Series and VM-Series firewalls configured to use the User-ID Authentication Portal. Prisma Access, Cloud NGFW, and Panorama are not impacted, which makes configuration review as important as version review when triaging exposure.
CVE-2026-0300 analysis
The vulnerability in CVE-2026-0300 is a buffer overflow in PAN-OS’s User-ID Authentication Portal service. According to Palo Alto, exploitation does not require credentials or user interaction, and the attacker’s goal is remote code execution as root through specially crafted network packets. SecurityWeek likewise describes the flaw as a zero-day used to hack some firewall models, underscoring that this is not a theoretical issue.
The publicly described CVE-2026-0300 payload is not a malware file dropped to disk but a malicious packet sequence sent to the Captive Portal component. Neither the vendor advisory nor the cited media reports includes a public CVE-2026-0300 poc, but the confirmed in-the-wild exploitation means defenders should assume capable threat actors already understand the triggering conditions well enough to weaponize them.
From a risk standpoint, CVE-2026-0300 detection should focus on externally reachable Authentication Portal instances and signs of attempted access to that service from untrusted networks. Palo Alto’s advisory does not publish packet-level CVE-2026-0300 iocs, so defenders are better served by identifying exposed portal configurations, narrowing allowed source IP ranges, and prioritizing internet-facing firewalls for remediation.
CVE-2026-0300 Mitigation
Effective CVE-2026-0300 mitigation starts with reducing exposure before fixes land. Palo Alto recommends either restricting User-ID Authentication Portal access to trusted zones/internal IP addresses or disabling the portal entirely if it is not required. That advice is especially important because, at disclosure, the flaw was still unpatched, with the first wave of fixes expected on May 13, 2026 and additional releases on May 28, 2026 across supported 12.1, 11.2, 11.1, and 10.2 trains.
To Detect CVE-2026-0300 exposure in your environment, verify whether Device > User Identification > Authentication Portal Settings has the portal enabled and determine whether it is reachable from the internet or any untrusted network segment. Palo Alto’s advisory makes clear that customers following this hardening model are at greatly reduced risk compared with deployments that leave the service publicly accessible.
Organizations should also map affected firewalls to Palo Alto’s target fixed versions and prepare an upgrade plan as soon as the relevant release becomes available. Because limited exploitation is already underway, this is a case where configuration hardening and emergency change control should happen in parallel rather than waiting for normal maintenance windows.
FAQ
What is CVE-2026-0300 and how does it work?
CVE-2026-0300 is a critical PAN-OS buffer overflow in the User-ID Authentication Portal (Captive Portal). Palo Alto says an unauthenticated attacker can send specially crafted packets to the service and achieve arbitrary code execution with root privileges on affected PA-Series and VM-Series firewalls.
When was CVE-2026-0300 first discovered?
Palo Alto’s advisory says the issue was discovered in production use and was published on May 5, 2026. The public coverage from The Hacker News and SecurityWeek followed on May 6, 2026.
What is the impact of CVE-2026-0300 on systems?
The impact is severe: unauthenticated remote code execution as root on exposed firewalls. Because the flaw affects security infrastructure at the network edge, successful exploitation could give an attacker privileged control over a highly sensitive enforcement point.
Can CVE-2026-0300 still affect me in 2026?
Yes. Any affected PA-Series or VM-Series firewall can still be at risk in 2026 if it has User-ID Authentication Portal enabled and exposed to untrusted IP addresses or the public internet, especially until the relevant patched PAN-OS release is installed.
How can I protect myself from CVE-2026-0300?
Restrict User-ID Authentication Portal access to trusted internal IPs, disable it if it is unnecessary, and move to Palo Alto’s fixed PAN-OS builds as soon as they are available for your release train. The vendor explicitly says these steps materially reduce risk while active exploitation continues.
The post CVE-2026-0300: Palo Alto PAN-OS Zero-Day Enables Root RCE on Exposed Firewalls appeared first on SOC Prime.
