Palo Alto PAN-OS CVE-2026-0300 RCE Is Being Exploited

Palo Alto Networks says CVE-2026-0300 is under limited exploitation against exposed User-ID Authentication Portals. Disable or restrict the portal while patches roll out.

Palo Alto Networks has warned that PAN-OS CVE-2026-0300 is already being exploited in limited attacks against exposed User-ID Authentication Portals. The flaw is an unauthenticated buffer overflow that can let a remote attacker run code with root privileges on affected PA-Series and VM-Series firewalls when that portal is reachable from an untrusted network.[1]

The advisory was published on May 5, 2026, with a critical CVSS 4.0 score of 9.3 and an “ATTACKED” exploit maturity rating. CERT-EU and NHS England both issued May 6 alerts repeating the same core risk: organizations should apply workarounds immediately while Palo Alto’s fixed PAN-OS builds roll out.[2][3]

What admins should do now

Admins should check whether the User-ID Authentication Portal, also known as Captive Portal, is enabled under Device > User Identification > Authentication Portal Settings. If the feature is not required, disable it. If it must stay online, restrict access to trusted zones or internal IP ranges and keep it away from the public internet.[1]

The affected branches include PAN-OS 10.2, 11.1, 11.2, and 12.1 before the fixed builds listed by Palo Alto. The first patch wave is scheduled around May 13, with additional builds expected around May 28. Palo Alto says Prisma Access, Cloud NGFW, and Panorama appliances are not affected.[1]

This is another reminder that exposed infrastructure services become urgent quickly once exploitation is confirmed. Recent cases such as the cPanel & WHM authentication bypass and the Apache HTTP Server RCE risk show why perimeter-facing systems need fast mitigation even before every final patch is available.

References

  1. Palo Alto Networks Security Advisories, CVE-2026-0300 PAN-OS: User-ID Authentication Portal Buffer Overflow, published May 5, 2026.
  2. CERT-EU, Security Advisory 2026-006: Critical Vulnerability in PAN-OS, released May 6, 2026.
  3. NHS England Digital, Palo Alto Networks Releases Security Advisory for Critical Vulnerability in PAN-OS, published May 6, 2026.
  4. The Hacker News, Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution, published May 6, 2026.

Related edge-device alert: Cisco also disclosed an exploited Catalyst SD-WAN Controller authentication bypass, CVE-2026-20182, where administrators should preserve evidence and upgrade to fixed releases quickly.

About the author

Emma Davis

Content editor and security writer focused on making malware-removal and scam-prevention guides easier to understand. Emma reviews structure, clarity, and source consistency before articles are published.
