Palo Alto Networks has issued a warning about a severe buffer overflow vulnerability in its PAN-OS software, identified as CVE-2026-0300. This flaw is being actively exploited in the wild, posing a significant security threat.
The vulnerability, rated with a CVSS 4.0 score of 9.3, allows attackers to execute arbitrary code with root access on affected PA-Series and VM-Series firewalls without requiring any credentials or user intervention.
Details of the Vulnerability
This critical flaw is located in the User-ID™ Authentication Portal service of PAN-OS. Unauthenticated remote attackers can send specially crafted packets that trigger an out-of-bounds write (a buffer overflow), leading to root-level code execution.
With a network attack vector and zero attack complexity, this vulnerability is highly automatable, making it a prime target for widespread exploitation. Limited exploitation has already been observed in environments where Authentication Portals are exposed to untrusted IPs and the internet.
Affected Versions and Risk Assessment
The vulnerability affects several PAN-OS versions across PA-Series and VM-Series firewalls, including specific branches of PAN-OS 10.2, 11.1, 11.2, and 12.1. Notably, Prisma Access, Cloud NGFW, and Panorama devices are not affected.
The CVSS score reaches its peak at 9.3 when the Authentication Portal is exposed to the internet. Exploitation can lead to significant impacts on confidentiality, integrity, and availability, giving attackers full control over compromised systems.
Mitigation Strategies and Patch Updates
Palo Alto Networks has announced that patches will be available between May 13 and May 28, 2026, depending on the PAN-OS version. Administrators are advised to restrict Authentication Portal access to trusted internal IP addresses immediately, or to disable the portal if it is not essential.
A Threat Prevention Signature for PAN-OS 11.1 and higher was released on May 5, 2026, providing an added layer of security for licensed users. It is crucial for security teams to review their PAN-OS settings to assess exposure and prioritize remediation efforts.
As the risk of exploitation remains high, organizations should treat any internet-facing or untrusted-zone portals as urgent security priorities. Stay updated with Palo Alto Networks’ advisories and apply patches promptly to safeguard against this threat.
