Palo Alto Networks has issued a security advisory highlighting a serious vulnerability in its PAN-OS software, which is currently being exploited. Known as CVE-2026-0300, this vulnerability permits unauthenticated remote code execution, posing a significant risk to systems configured with internet-accessible User-ID Authentication Portals.
Understanding the CVE-2026-0300 Vulnerability
The flaw is a buffer overflow in the User-ID Authentication Portal service of Palo Alto’s PAN-OS, affecting both PA-Series and VM-Series firewalls. An attacker could exploit this by sending specially crafted packets, allowing them to execute arbitrary code with root privileges. The vulnerability is notably severe, with a CVSS score of 9.3 when the portal is open to untrusted networks.
When the portal is restricted to trusted internal networks, the severity is slightly reduced to a CVSS score of 8.7. This highlights the importance of securing network access to sensitive services.
Impact on PAN-OS Versions
The vulnerability impacts several PAN-OS release trains, specifically 12.1, 11.2, 11.1, and 10.2, with particular maintenance releases within each train affected. Palo Alto Networks reports that exploitation so far has been limited, targeting instances where the User-ID Authentication Portal remains publicly accessible.
Currently, the issue remains unpatched, but Palo Alto Networks is preparing to release updates starting May 13, 2026. Users are advised to follow security best practices to minimize exposure to this vulnerability.
Mitigation Strategies
In the interim, until patches are released, Palo Alto Networks recommends restricting access to the User-ID Authentication Portal to trusted internal IP addresses. Alternatively, if the feature is not essential, disabling the portal entirely can mitigate the risk of exploitation.
The company emphasizes that customers following standard security practices, such as limiting access to the portal to trusted zones, are significantly less exposed to attacks exploiting this flaw.
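The two checks an administrator needs before patches arrive are the ones the advisory implies: is this firewall on an affected release train, and is the portal's source restriction actually limited to internal addresses? The following script is an added example, not Palo Alto Networks code. It takes only the affected trains and the mitigation from the advisory; the XML shape of a `show system info` response and the name of the permitted-source list on the interface management profile are assumptions, and the sample values are constructed. Because the page does not list the fixed point releases, a train match means "confirm against the advisory", not "confirmed vulnerable".

```python
"""Triage helper for the PAN-OS User-ID Authentication Portal advisory (CVE-2026-0300).

Added example; not Palo Alto Networks code. Facts taken from the advisory:
affected release trains (12.1, 11.2, 11.1, 10.2) and the interim mitigation
(restrict the portal to trusted internal addresses, or disable it).
"""
import ipaddress
import re
import xml.etree.ElementTree as ET

# Release trains the advisory names as affected (major.minor only; the page
# does not give the exact fixed maintenance releases).
AFFECTED_TRAINS = {"12.1", "11.2", "11.1", "10.2"}

# Constructed sample of an XML API `show system info` response. The
# <result><system><sw-version> layout is an assumption for this example.
SAMPLE_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname>
<sw-version>11.1.4-h2</sw-version>
</system></result></response>"""

# Constructed sample of the permitted-source list on the interface management
# profile that exposes the portal. An empty list is treated as "any source".
SAMPLE_PERMITTED_IPS = ["10.20.0.0/16", "203.0.113.0/24"]

# Default notion of "trusted internal": RFC 1918 space. Replace with your own
# address plan (assumption: these ranges are what the site treats as internal).
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_sw_version(xml_text: str) -> str:
    """Extract the running PAN-OS version string from a system-info response."""
    root = ET.fromstring(xml_text)
    node = root.find(".//sw-version")
    if node is None or not node.text:
        raise ValueError("sw-version element not found in response")
    return node.text.strip()


def release_train(version: str) -> str:
    """Reduce a version such as '11.1.4-h2' to its train '11.1'."""
    m = re.match(r"^(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    return f"{m.group(1)}.{m.group(2)}"


def in_affected_train(version: str) -> bool:
    """True when the version belongs to a train the advisory lists as affected."""
    return release_train(version) in AFFECTED_TRAINS


def assess_permitted_ips(permitted: list[str], trusted=None) -> list[str]:
    """Return findings for the portal's permitted-source list.

    Empty list -> the portal accepts connections from any source.
    Any entry not fully inside a trusted range -> flagged.
    Returns [] only when every entry sits inside a trusted internal range.
    """
    trusted = RFC1918 if trusted is None else trusted
    if not permitted:
        return ["portal reachable from any source: no permitted-source restriction"]
    findings = []
    for cidr in permitted:
        net = ipaddress.ip_network(cidr, strict=False)
        inside = any(net.version == t.version and net.subnet_of(t) for t in trusted)
        if not inside:
            findings.append(f"{cidr} is not within a trusted internal range")
    return findings


def triage(version: str, permitted: list[str]) -> dict:
    """Combine both checks into one summary with the advisory's recommended action."""
    affected = in_affected_train(version)
    exposure = assess_permitted_ips(permitted)
    if affected and exposure:
        action = "restrict the portal to trusted internal addresses or disable it until patched"
    elif affected:
        action = "confirm maintenance release against the advisory; exposure already limited"
    else:
        action = "train not listed as affected; keep access restricted regardless"
    return {"version": version, "train": release_train(version),
            "affected_train": affected, "exposure_findings": exposure, "action": action}


if __name__ == "__main__":
    ver = parse_sw_version(SAMPLE_SYSTEM_INFO)
    for key, val in triage(ver, SAMPLE_PERMITTED_IPS).items():
        print(f"{key}: {val}")
```

Feed `parse_sw_version` the real XML API response and `assess_permitted_ips` the source list from the management profile that fronts the portal; a non-empty `exposure_findings` on an affected train is exactly the configuration the advisory says is being targeted.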
As the situation develops, users are encouraged to stay informed about updates and patches from Palo Alto Networks to ensure their systems remain secure.
