Palo Alto Networks has confirmed that attackers are actively exploiting a critical vulnerability in PAN-OS, the software that runs its PA-Series and VM-Series firewalls. The flaw, tracked as CVE-2026-0300 (CVSS 9.3), is a buffer overflow in the User-ID Authentication Portal. An attacker anywhere on the internet can send specially crafted packets to an exposed portal and gain full root access to the firewall — no password needed.
The company says exploitation is currently “limited,” but no patch is available yet. Fixes are scheduled for May 13, 2026. Until then, Palo Alto recommends restricting portal access to trusted networks only, or disabling the User-ID Authentication Portal entirely if your network design allows it.
How to check if you’re affected
Affected versions are PAN-OS 10.2, 11.1, 11.2, and 12.1 with the User-ID Authentication Portal or Captive Portal enabled and reachable from the internet or any untrusted network.
- Log in to your Palo Alto firewall management interface.
- Navigate to Device → User Identification → User-ID Agent Setup and check if the portal is enabled.
- If you are running PAN-OS versions before the upcoming May 13 patches, restrict portal access to internal trusted IPs immediately.
- If you use a managed firewall service, contact your provider to confirm the mitigation has been applied.
- Businesses not using Palo Alto firewalls are not affected.