top of page

Palo Alto Networks PAN-OS Zero-Day Under Active Exploitation for Remote Code Execution

  • May 6
  • 2 min read

Key Findings


  • Critical buffer overflow vulnerability (CVE-2026-0300) in Palo Alto Networks PAN-OS is actively exploited in the wild

  • CVSS score of 9.3 allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls

  • Exploitation primarily targets User-ID Authentication Portals exposed to the internet or untrusted networks

  • Patches begin rolling out May 13, 2026, with staggered availability across multiple PAN-OS versions

  • Risk significantly reduced for organizations restricting portal access to trusted internal networks only


Background


Palo Alto Networks disclosed a critical vulnerability in its PAN-OS software that represents a serious threat to organizations running vulnerable versions. The flaw exists in the User-ID Authentication Portal service, commonly referred to as the Captive Portal, which handles user authentication and device identification on firewalls. The vulnerability stems from a buffer overflow condition that can be triggered by sending specially crafted packets to the exposed service.


Vulnerability Details


CVE-2026-0300 is a buffer overflow that enables unauthenticated attackers to execute arbitrary code with root-level privileges. This is particularly dangerous because no credentials are required to exploit the flaw. The attack works by sending maliciously crafted packets to the User-ID Authentication Portal. The severity assessment reflects the portal's accessibility, with a CVSS score of 9.3 when exposed to untrusted or public networks, dropping to 8.7 when access is properly restricted to internal trusted networks.


Active Exploitation Status


Palo Alto Networks reports that limited but active exploitation has already been observed in the wild. Threat actors are specifically targeting installations where the User-ID Authentication Portal has been mistakenly exposed to the internet or untrusted IP addresses. This suggests attackers have weaponized the vulnerability and are actively scanning for vulnerable systems with internet-facing portals.


Affected Products and Versions


Multiple PAN-OS versions are impacted across several release branches. PAN-OS 12.1 versions below 12.1.4-h5 and 12.1.7 are vulnerable. PAN-OS 11.2 is affected in versions before 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12. PAN-OS 11.1 has several vulnerable branches, including versions before 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15. PAN-OS 10.2 is also affected across multiple version branches. Cloud NGFW, Prisma Access, and Panorama appliances are not impacted by this vulnerability.


Patch Timeline


Fixes are being released in stages beginning May 13, 2026, with some patches available sooner and others arriving later in May. The staggered rollout means organizations will need to monitor patch availability for their specific PAN-OS version rather than expecting a single unified fix. Some critical branches are scheduled for patches by May 13, while others extend through May 28.


Mitigation Recommendations


Until patches are applied, Palo Alto Networks strongly recommends restricting User-ID Authentication Portal access exclusively to trusted internal IP addresses. Organizations should avoid exposing this service to the internet or untrusted networks. If the portal is not required for operations, disabling it entirely provides the most effective interim protection. These best practices significantly reduce attack surface and lower the effective severity of the vulnerability.


Sources


  • https://securityaffairs.com/191748/security/palo-alto-networks-pan-os-flaw-exploited-for-remote-code-execution.html

  • https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html

  • https://thehackernews.com/2026/05/metinfo-cms-cve-2026-29014-exploited.html

  • https://www.securityweek.com/palo-alto-networks-to-patch-zero-day-exploited-to-hack-firewalls/

Recent Posts

See All

Comments


  • Youtube

© 2025 by Explain IT Again. Powered and secured by Wix

bottom of page