Critical Vulnerability in Palo Alto Networks Firewalls Exploited to Gain Root Access
Palo Alto Networks has disclosed a critical buffer overflow vulnerability in its PAN-OS software, identified as CVE-2026-0300, which is currently being actively exploited in the wild. This flaw carries a CVSS 4.0 score of 9.3, categorizing it as critical. It allows unauthenticated attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls without requiring credentials, user interaction, or special conditions.
Vulnerability Details
The vulnerability resides in the User-ID™ Authentication Portal (also known as Captive Portal) service of PAN-OS. An unauthenticated remote attacker can send specially crafted packets to trigger an out-of-bounds write (CWE-787), a buffer overflow that ultimately yields root-level code execution on the targeted firewall. With a network attack vector, low attack complexity, and no privileges or user interaction required, exploitation can be fully automated, making the flaw a likely candidate for mass-exploitation campaigns.
Affected Products
The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewalls. Affected branches include:
– PAN-OS 10.2 — versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
– PAN-OS 11.1 — versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
– PAN-OS 11.2 — versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
– PAN-OS 12.1 — versions below 12.1.4-h5 and 12.1.7
Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The vulnerability only applies to firewalls with the User-ID™ Authentication Portal explicitly enabled and accessible from untrusted networks.
Exploitation and Impact
Palo Alto Networks has confirmed limited exploitation targeting Authentication Portals exposed to untrusted IP addresses and the public internet. When the Authentication Portal is internet-exposed, the CVSS 4.0 score is 9.3 (critical). Where the portal is reachable only from an adjacent network, the score is still a severe 8.7.
Successful exploitation results in high confidentiality, integrity, and availability impacts on the device, effectively giving threat actors complete control over the targeted firewall. The risk is especially serious because enterprise firewalls sit at critical network chokepoints and see a high concentration of valuable traffic. Compromising a perimeter firewall can facilitate lateral movement, traffic interception, credential harvesting, and a full network takeover.
Mitigation Measures
Palo Alto Networks has confirmed that patches are rolling out between May 13 and May 28, 2026, depending on the PAN-OS branch. Until patches are applied, administrators should immediately take one of the following actions:
– Restrict Authentication Portal access to trusted internal IP addresses only, following Palo Alto’s best practice guidelines.
– Disable the User-ID™ Authentication Portal entirely if it is not operationally required.
A Threat Prevention Signature for PAN-OS 11.1 and above was made available on May 5, 2026, providing an additional detection and blocking layer for organizations that have Threat Prevention licensed.
Security Recommendations
Security teams should audit their PAN-OS configurations immediately by navigating to Device > User Identification > Authentication Portal Settings to verify the status of the Authentication Portal. If the portal is enabled and accessible from untrusted networks, immediate action is required to mitigate the risk.
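To make the version list under Affected Products and the exposure check above actionable across a fleet, here is a small triage helper. It is an added example, not Palo Alto Networks code, and it assumes the usual reading of such advisories: a firewall is patched if its hotfix level is at or above the listed fix for its maintenance release, or if it runs anything newer than the branch's latest listed fix; branches not listed here are reported as unknown. The inventory entries are constructed sample data.

```python
import re
from typing import Optional, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# Fixed releases per branch, copied from the advisory text above.
FIXED = {
    (10, 2): ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    (11, 1): ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    (11, 2): ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    (12, 1): ["12.1.4-h5", "12.1.7"],
}

_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> Version:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple; a missing hotfix counts as 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def is_affected(text: str) -> Optional[bool]:
    """True if below every applicable fix, False if patched, None if the branch is not listed."""
    v = parse_version(text)
    fixes = FIXED.get(v[:2])
    if fixes is None:
        return None
    parsed = [parse_version(f) for f in fixes]
    # Assumption: a hotfix at or above the listed fix on the same maintenance release is patched.
    for f in parsed:
        if v[:3] == f[:3] and v[3] >= f[3]:
            return False
    # Assumption: anything newer than the branch's latest listed fix is also patched.
    return not v > max(parsed)

def triage(version: str, portal_enabled: bool, portal_untrusted: bool) -> str:
    """Rank a firewall using the exposure conditions the advisory names (portal on, reachable from untrusted networks)."""
    state = is_affected(version)
    if state is None:
        return "unknown-branch"
    if not state:
        return "patched"
    if portal_enabled and portal_untrusted:
        return "exposed-act-now"
    return "vulnerable-portal-internal" if portal_enabled else "vulnerable-portal-disabled"

# Constructed sample inventory: (hostname, version, portal enabled, portal reachable from untrusted networks)
INVENTORY = [("fw-edge-1", "11.2.4-h16", True, True), ("fw-core-2", "10.2.18-h6", True, False)]
if __name__ == "__main__":
    for host, ver, enabled, untrusted in INVENTORY:
        print(host, ver, triage(ver, enabled, untrusted))
```

Hosts reported as "exposed-act-now" match the population Palo Alto Networks says is being targeted and should be restricted or disabled first.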
Given the critical nature of this vulnerability and its active exploitation, organizations are urged to prioritize patching and implement the recommended mitigation measures without delay.