
Critical Palo Alto PAN-OS Vulnerability CVE-2026-0300 Actively Exploited — Unauthenticated Root RCE on Firewalls

dark6 13 May 2026

Palo Alto Networks has disclosed a critical vulnerability in its PAN-OS firewall software that is already being actively exploited in the wild. Tracked as CVE-2026-0300 and carrying a CVSS 4.0 score of 9.3 (Critical), the flaw allows unauthenticated remote attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls. Exploitation requires no credentials, no user interaction and no special preconditions.

Patches are beginning to roll out on May 13, 2026, with a full remediation timeline extending to May 28, 2026, depending on the PAN-OS branch. Given active exploitation, organizations should treat this as an emergency.

Vulnerability Details: What Is CVE-2026-0300?

The vulnerability is a buffer overflow (CWE-787, Out-of-Bounds Write) in the User-ID Authentication Portal service of PAN-OS, also known by its older name, Captive Portal. Enterprises typically use this portal to authenticate users before the firewall grants them network access.

An unauthenticated attacker can send specially crafted packets to the Authentication Portal listener, triggering an out-of-bounds write in the service's memory. A successful exploit turns that memory corruption into code execution as root on the appliance.

Because the exploit requires neither authentication nor user interaction, and because Authentication Portal listeners are often reachable from internal segments and, in some configurations, from the internet, the attack surface is significant.

Affected Products and Versions

The following PAN-OS branches are confirmed vulnerable:

  • PAN-OS 10.2 — all minor versions prior to the targeted patch release
  • PAN-OS 11.1 — all minor versions prior to the targeted patch release
  • PAN-OS 11.2 — all minor versions prior to the targeted patch release
  • PAN-OS 12.1 — all minor versions prior to the targeted patch release

Not affected: Prisma Access, Cloud NGFW, and Panorama management appliances are confirmed not vulnerable to this specific flaw.
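"All minor versions prior to the targeted patch release" means the practical question on each firewall is whether its reported PAN-OS version sorts below the first fixed release of its branch, hotfix suffix included. The script below is an added example, not Palo Alto Networks' code: it parses PAN-OS version strings (major.minor.maintenance with an optional -hN hotfix), extracts the version from a constructed `show system info` XML API response, and classifies the firewall against a fixed-version table. The page gives the affected branches and patch dates but not the fixed version numbers, so the FIXED_VERSIONS values are hypothetical placeholders to be replaced from the vendor advisory; the hostname and model in the sample response are likewise constructed.

```python
"""Classify a PAN-OS firewall's reported version against the first fixed
release of its branch.

Added example, not Palo Alto Networks' code.  The page names the affected
branches (10.2, 11.1, 11.2, 12.1) but not the fixed version numbers, so
FIXED_VERSIONS is a hypothetical placeholder: fill it from the vendor
advisory before acting on the result.  None means no fix is published yet.
"""
import re
import xml.etree.ElementTree as ET

# HYPOTHETICAL placeholder values; replace with the advisory's fixed releases.
FIXED_VERSIONS = {
    "10.2": "10.2.99",   # placeholder
    "11.1": "11.1.99",   # placeholder
    "11.2": "11.2.99",   # placeholder
    "12.1": None,        # page: no patch on this branch until 2026-05-28
}

# major.minor.maintenance with optional hotfix suffix, e.g. 11.1.4-h7
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '11.1.2-h3' into (11, 1, 2, 3).  A release without a hotfix gets
    hotfix 0, so 11.1.2 sorts below 11.1.2-h1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def branch_of(text):
    """'12.1.0-h2' -> '12.1', the key used in the fixed-version table."""
    major, minor, _, _ = parse_version(text)
    return f"{major}.{minor}"


def assess(version, fixed=FIXED_VERSIONS):
    """Return 'unlisted-branch', 'fixed', 'vulnerable' or
    'vulnerable-no-fix-yet' for the given running version."""
    br = branch_of(version)
    if br not in fixed:
        return "unlisted-branch"
    first_fixed = fixed[br]
    if first_fixed is None:
        return "vulnerable-no-fix-yet"
    if parse_version(version) >= parse_version(first_fixed):
        return "fixed"
    return "vulnerable"


def version_from_show_system_info(xml_text):
    """Pull <sw-version> out of a 'show system info' XML API response."""
    root = ET.fromstring(xml_text)
    node = root.find(".//sw-version")
    if node is None or not node.text:
        raise ValueError("no <sw-version> element in response")
    return node.text.strip()


# Constructed, abbreviated response; a real reply carries many more fields.
SAMPLE_RESPONSE = """<response status="success"><result><system>
<hostname>edge-fw-01</hostname>
<model>PA-3410</model>
<sw-version>11.1.4-h7</sw-version>
</system></result></response>"""

if __name__ == "__main__":
    ver = version_from_show_system_info(SAMPLE_RESPONSE)
    print(ver, "->", assess(ver))
```

Run it against the output of the firewall's `show system info` operational command (XML API `type=op`) for every device in the fleet; anything reported as `vulnerable` or `vulnerable-no-fix-yet` goes on the mitigation list below.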

Active Exploitation Observed

Palo Alto Networks’ Unit 42 threat intelligence team has confirmed that CVE-2026-0300 is being actively exploited by at least one threat actor in the wild. While attribution details remain limited in the initial advisory, the nature of the flaw — unauthenticated RCE on network perimeter devices — makes it a highly attractive target for both nation-state actors and opportunistic ransomware operators looking to establish persistent access before defenders can patch.

Organizations that have their Captive Portal interfaces exposed to untrusted network segments or to the internet are at greatest risk of having already been targeted.

Patch Timeline

Palo Alto Networks is releasing patches on a branch-by-branch schedule:

  • PAN-OS 10.2 and 11.1: Patches available starting May 13, 2026
  • PAN-OS 11.2: Patches available starting May 16, 2026
  • PAN-OS 12.1: Patches available starting May 28, 2026

Organizations running PAN-OS 12.1 face the longest wait. Palo Alto has provided interim mitigations specifically for these deployments.

Immediate Mitigations While Patching

For organizations that cannot patch immediately, Palo Alto Networks recommends the following interim steps:

  • Restrict Authentication Portal access to trusted internal IP address ranges using network access control lists (ACLs). Prevent any untrusted or external IPs from reaching the Captive Portal service.
  • Disable the User-ID Authentication Portal entirely if it is not operationally required in your environment. Many organizations use alternative authentication flows and do not rely on Captive Portal.
  • Enable Threat Prevention signatures: Palo Alto has released Threat Prevention content updates with signatures to detect and block known exploit attempts against CVE-2026-0300. Ensure your Threat Prevention subscription is up to date.
  • Review firewall logs for anomalous or unexpected activity from the Authentication Portal process, particularly any processes spawned with elevated privileges.
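The first and last mitigations above amount to one question asked twice: which sources have reached the Authentication Portal listener, and were they inside the trusted ranges? The script below is an added example, not Palo Alto Networks' tooling. It replays constructed traffic-log records against a set of trusted CIDRs, separates portal-bound sessions the ACL let through from those it denied, and groups the exposed sessions by source so repeat offenders stand out. Two assumptions are not from the page: the portal is assumed to listen on the default Authentication Portal ports 6080, 6081 and 6082 (verify against your configuration), and the log lines are a constructed, trimmed subset of PAN-OS traffic-log fields rather than the full CSV format.

```python
"""Retroactive review of traffic logs for sessions that reached the
Authentication Portal from outside the trusted ranges.

Added example, not Palo Alto Networks' tooling.  Assumptions not from the
page: the portal listens on the default ports 6080-6082 (confirm in your
configuration), and the sample log is a constructed, trimmed subset of
PAN-OS traffic-log fields.
"""
import csv
import io
import ipaddress

PORTAL_PORTS = {6080, 6081, 6082}  # assumed defaults; confirm on your firewall

# Constructed sample: only the traffic-log fields this check needs.
SAMPLE_LOG = """\
receive_time,src,dst,sport,dport,src_zone,dst_zone,action
2026/05/12 08:14:01,10.20.5.17,10.20.0.1,51122,6082,trust,trust,allow
2026/05/12 08:15:43,203.0.113.45,198.51.100.10,40112,6082,untrust,trust,allow
2026/05/12 08:15:44,203.0.113.45,198.51.100.10,40113,6081,untrust,trust,allow
2026/05/12 08:16:02,172.16.9.3,10.20.0.1,33001,6080,guest,trust,allow
2026/05/12 08:20:30,198.51.100.77,198.51.100.10,44510,6082,untrust,trust,deny
2026/05/12 08:21:00,10.20.5.17,93.184.216.34,52000,443,trust,untrust,allow
"""


def parse_log(text):
    """Read the CSV export into dicts, converting the port fields to int."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["sport"] = int(r["sport"])
        r["dport"] = int(r["dport"])
    return rows


def is_trusted(ip, trusted_nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def review_portal_access(rows, trusted_cidrs, ports=PORTAL_PORTS):
    """Return (exposed, blocked): portal-bound sessions from untrusted sources
    that were allowed, and those the firewall denied.  Sessions from trusted
    ranges and sessions to other ports are ignored."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    exposed, blocked = [], []
    for r in rows:
        if r["dport"] not in ports or is_trusted(r["src"], trusted):
            continue
        (blocked if r["action"] == "deny" else exposed).append(r)
    return exposed, blocked


def summarise(exposed):
    """Count exposed sessions per source, busiest source first."""
    counts = {}
    for r in exposed:
        counts[r["src"]] = counts.get(r["src"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    exposed, blocked = review_portal_access(rows, ["10.0.0.0/8", "192.168.0.0/16"])
    print("exposed:", summarise(exposed))
    print("blocked:", [r["src"] for r in blocked])
```

Anything in `exposed` is a source that the interim ACL should now block and that deserves a look in the system and threat logs for the same window; a source that also appears in `blocked` after the ACL change confirms the restriction is doing its job. Widening `trusted_cidrs` (for example adding a guest range such as 172.16.0.0/12) is the quickest way to see how much of the observed traffic a proposed ACL would still admit.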

Why Firewall Vulnerabilities Are High Stakes

Compromising a perimeter firewall gives an attacker an exceptionally privileged position in an enterprise network. Root access on a Palo Alto PA-Series firewall means the attacker can inspect all traffic passing through the device, intercept VPN credentials, modify routing and security policies, disable threat prevention features, and use the compromised device as a pivot point for deeper network intrusion, largely outside the visibility of endpoint security tools, which do not run on the appliance.

This is why CVE-2026-0300 must be treated as a Tier 1 emergency, not a routine vulnerability.

Conclusion

CVE-2026-0300 in Palo Alto PAN-OS represents a maximum-urgency threat: unauthenticated root-level RCE on perimeter firewall hardware, confirmed actively exploited, with a staggered patch window that leaves some organizations exposed for up to two weeks. Security teams should immediately apply available patches, implement the interim mitigations for unpatched branches, and conduct a retroactive review of firewall logs to assess whether compromise may already have occurred.
