Triskele Labs Blog

Palo Alto PAN-OS Critical RCE Vulnerability Under Active Exploitation (CVE-2026-0300)

Written by Adam Skupien, Vulnerability Security Analyst | May 7, 2026 4:03:05 AM

Prepared by: Adam Skupien, Vulnerability Security Analyst | Published: Thu 07 May 2026

Summary

Palo Alto Networks has disclosed CVE-2026-0300, affecting PAN-OS PA-Series and VM-Series firewall appliances; the vendor has confirmed the vulnerability is being actively exploited in the wild.
This is a high-impact perimeter threat: exploitation can enable attackers to compromise exposed firewall services and potentially use that foothold to pursue broader access within an environment. 
At the time of reporting, no vendor patch is available, with fixes expected to begin rolling out from 13 May 2026. Until patches are released and applied, the mitigations detailed below should be implemented immediately.

Vulnerability details

  • Severity: Critical (CVSS v4.0 base score 9.3).

  • Exploit status: Exploited in the wild (vendor-confirmed).

  • Patch status: No patch is available at the time of writing; releases are expected to begin rolling out from 13 May 2026, with additional fixed versions through 28 May 2026 depending on PAN-OS branch. Apply mitigations immediately until fixed versions are available and deployed.

  • Vulnerability type: Buffer overflow (CWE-787) in the User-ID Authentication Portal (also known as Captive Portal).

  • Impact: Unauthenticated remote code execution (RCE) with root privileges on affected devices. 

  • Exploitation requirements/characteristics: 

    • No authentication required. 

    • No user interaction required. 

    • Triggered via specially crafted network packets/requests to the Authentication Portal service. 

  • Exposure condition: Applies when the User-ID Authentication Portal is enabled and an interface management profile with response pages enabled is associated with an external/internet-accessible interface (i.e., the portal is reachable from untrusted networks).

Affected Systems:

PA-Series firewalls.
VM-Series firewalls.

Version       Affected          Unaffected (fixed version, release ETA)
PAN-OS 12.1   < 12.1.4-h5       >= 12.1.4-h5 (ETA: 05/13)
              < 12.1.7          >= 12.1.7 (ETA: 05/28)
PAN-OS 11.2   < 11.2.4-h17      >= 11.2.4-h17 (ETA: 05/28)
              < 11.2.7-h13      >= 11.2.7-h13 (ETA: 05/13)
              < 11.2.10-h6      >= 11.2.10-h6 (ETA: 05/13)
              < 11.2.12         >= 11.2.12 (ETA: 05/28)
PAN-OS 11.1   < 11.1.4-h33      >= 11.1.4-h33 (ETA: 05/13)
              < 11.1.6-h32      >= 11.1.6-h32 (ETA: 05/13)
              < 11.1.7-h6       >= 11.1.7-h6 (ETA: 05/28)
              < 11.1.10-h25     >= 11.1.10-h25 (ETA: 05/13)
              < 11.1.13-h5      >= 11.1.13-h5 (ETA: 05/13)
              < 11.1.15         >= 11.1.15 (ETA: 05/28)
PAN-OS 10.2   < 10.2.7-h34      >= 10.2.7-h34 (ETA: 05/28)
              < 10.2.10-h36     >= 10.2.10-h36 (ETA: 05/13)
              < 10.2.13-h21     >= 10.2.13-h21 (ETA: 05/28)
              < 10.2.16-h7      >= 10.2.16-h7 (ETA: 05/28)
              < 10.2.18-h6      >= 10.2.18-h6 (ETA: 05/13)


Not impacted:

Prisma Access.
Cloud NGFW.
Panorama.
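The version table above is easy to misread by hand because each branch has several fix points. The following script is an added example (not Triskele Labs' or Palo Alto Networks' code) that transcribes the table, parses PAN-OS version strings of the form major.minor.maintenance-hN, and classifies an inventory of devices. It assumes the conventional reading of PAN-OS advisory tables: a hotfix-level fix such as 12.1.4-h5 covers only that maintenance release at or above that hotfix, while a base-release fix such as 12.1.7 covers that release and every later one in the branch; branches not in the table are reported as "not listed" rather than guessed. The inventory records, hostnames and the portal-exposure flags are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Fixed versions transcribed from the advisory table above (release ETAs omitted).
FIXED_VERSIONS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
}

# PAN-OS version strings look like 11.2.7-h13: major.minor.maintenance with an optional hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


@dataclass(frozen=True)
class PanOsVersion:
    major: int
    minor: int
    maintenance: int
    hotfix: int  # 0 when the string carries no -hN suffix

    @classmethod
    def parse(cls, text: str) -> "PanOsVersion":
        m = _VERSION_RE.match(text.strip())
        if not m:
            raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
        major, minor, maintenance, hotfix = m.groups()
        return cls(int(major), int(minor), int(maintenance), int(hotfix or 0))

    @property
    def branch(self) -> str:
        return f"{self.major}.{self.minor}"


def contains_fix(version: PanOsVersion, fix: PanOsVersion) -> bool:
    """Assumed reading of the table: a hotfix-level fix (e.g. 12.1.4-h5) covers only that
    maintenance release at or above the hotfix; a base-release fix (e.g. 12.1.7) covers
    that release and every later maintenance release in the same branch."""
    if version.branch != fix.branch:
        return False
    if fix.hotfix > 0:
        return version.maintenance == fix.maintenance and version.hotfix >= fix.hotfix
    return version.maintenance >= fix.maintenance


def assess(version_text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'not listed' for one PAN-OS version string."""
    version = PanOsVersion.parse(version_text)
    fixes = FIXED_VERSIONS.get(version.branch)
    if fixes is None:
        return "not listed"  # branch absent from the advisory table; consult the vendor notice
    if any(contains_fix(version, PanOsVersion.parse(f)) for f in fixes):
        return "fixed"
    return "vulnerable"


def prioritise(inventory):
    """Order (hostname, version, portal_exposed) records so that vulnerable devices with an
    untrusted-network-reachable Authentication Portal come first, then other vulnerable
    devices, then unlisted branches, then fixed devices."""
    rank = {"vulnerable": 0, "not listed": 1, "fixed": 2}
    rows = []
    for hostname, version_text, portal_exposed in inventory:
        status = assess(version_text)
        rows.append((rank[status], 0 if portal_exposed else 1, hostname, version_text, status))
    rows.sort()
    return [(h, v, s, "exposed" if e == 0 else "not exposed") for _, e, h, v, s in rows]


# Constructed inventory for the demonstration; these are not real devices.
SAMPLE_INVENTORY = [
    ("fw-dc1-edge", "11.2.10-h5", True),
    ("fw-dc1-core", "11.2.10-h6", False),
    ("fw-branch-7", "12.1.5", False),
    ("fw-lab-old", "10.1.9", True),
    ("fw-dmz-1", "10.2.18-h6", True),
]

if __name__ == "__main__":
    for hostname, version, status, exposure in prioritise(SAMPLE_INVENTORY):
        print(f"{hostname:14} {version:12} {status:11} portal {exposure}")
```

Note the two cases that a naive "greater than the first fixed version" comparison gets wrong: 12.1.5 sorts above 12.1.4-h5 but is still affected (it is below 12.1.7), and 11.2.10-h5 is one hotfix short of 11.2.10-h6 and therefore vulnerable even though the branch has fixes at lower maintenance numbers.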


Impact

Successful exploitation may allow an attacker to achieve root-level control of a perimeter firewall, enabling high-impact actions such as traffic interception and manipulation, security control bypass, persistence, and potential pivoting into internal networks. 
Risk is highest for devices where the User-ID Authentication Portal is enabled and exposed to untrusted/public IP ranges.

Mitigation actions

Immediate mitigations:

  • Restrict access to the User-ID Authentication Portal to trusted internal IP addresses only, per Palo Alto best-practice guidance (this significantly reduces risk).

  • Disable the User-ID Authentication Portal if it is not required.

Patching:

  • Palo Alto Networks indicated fixed versions will begin rolling out from 13 May 2026, with additional releases through 28 May 2026 depending on the PAN-OS branch.

Detection capabilities

  • Inventory all PA-Series and VM-Series devices and confirm whether the User-ID Authentication Portal is enabled and reachable from untrusted/public networks.

  • Review firewall and network telemetry for unusual or malformed requests targeting Authentication Portal endpoints, particularly from external sources (noting that detailed public IOCs may be limited at this stage).

  • Ensure firewall logs are forwarded to, ingested by, and actively monitored within a SIEM.

  • If suspicious events are identified, escalate via standard incident response channels and preserve relevant logs for investigation.
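As an added illustration of the telemetry review described above (example code, not part of this advisory and not a Palo Alto Networks or Triskele Labs tool), the script below triages HTTP access records for requests to the Authentication Portal. It flags any portal request from a source outside the trusted ranges, which is exactly the traffic the "restrict to trusted internal IPs" mitigation should eliminate, and it flags requests that look malformed for a login form (oversized, non-printable characters in the URI, or an unexpected method) regardless of source. Everything about the input is an assumption: the key=value log format is constructed for the example rather than PAN-OS' native format, the portal path is a placeholder to be replaced with the path your appliance actually serves, and the trusted ranges are RFC 1918 space standing in for your real allow list. The sample log lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed allow list: RFC 1918 ranges stand in for the networks that may legitimately reach the portal.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Placeholder path prefix; substitute the Authentication Portal path(s) your appliance serves.
PORTAL_PATH_PREFIXES = ("/AUTH-PORTAL-PATH-PLACEHOLDER",)

# A login form submission should be small; anything larger is worth a second look.
MAX_EXPECTED_REQUEST_BYTES = 4096

# Constructed key=value access-log format used by this example (not a PAN-OS log format).
LINE_RE = re.compile(
    r'^(?P<ts>\S+) src=(?P<src>\S+) method=(?P<method>\S+) uri="(?P<uri>[^"]*)" '
    r'status=(?P<status>\d+) req_bytes=(?P<req_bytes>\d+)$'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["req_bytes"] = int(rec["req_bytes"])
    return rec


def is_trusted(src):
    """True if the source address falls inside one of the trusted ranges."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # unparsable source is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def is_portal_request(uri):
    return uri.startswith(PORTAL_PATH_PREFIXES)


def malformed_indicators(rec):
    """Return the reasons a portal request looks malformed (empty list if it looks normal)."""
    reasons = []
    if rec["req_bytes"] > MAX_EXPECTED_REQUEST_BYTES:
        reasons.append(f"oversized request ({rec['req_bytes']} bytes)")
    if any(ord(c) < 0x20 or ord(c) > 0x7E for c in rec["uri"]):
        reasons.append("non-printable characters in URI")
    if rec["method"] not in ("GET", "POST"):
        reasons.append(f"unexpected method {rec['method']}")
    return reasons


def triage(lines):
    """Group suspicious portal requests per source: untrusted sources always, trusted sources
    only when a request carries a malformed indicator. Returns {src: finding}."""
    findings = defaultdict(lambda: {"count": 0, "reasons": set(), "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_portal_request(rec["uri"]):
            continue
        reasons = malformed_indicators(rec)
        trusted = is_trusted(rec["src"])
        if trusted and not reasons:
            continue  # normal portal use from inside the allow list
        finding = findings[rec["src"]]
        finding["count"] += 1
        finding["reasons"].update(reasons)
        if not trusted:
            finding["reasons"].add("source outside trusted ranges")
        finding["first"] = finding["first"] or rec["ts"]
        finding["last"] = rec["ts"]
    return dict(findings)


# Constructed sample log; addresses are documentation ranges and the traffic is invented.
SAMPLE_LOG = [
    '2026-05-07T01:10:02Z src=10.20.30.40 method=GET uri="/AUTH-PORTAL-PATH-PLACEHOLDER/login" status=200 req_bytes=380',
    '2026-05-07T01:10:09Z src=10.20.30.40 method=POST uri="/AUTH-PORTAL-PATH-PLACEHOLDER/login" status=302 req_bytes=512',
    '2026-05-07T01:11:41Z src=203.0.113.45 method=GET uri="/AUTH-PORTAL-PATH-PLACEHOLDER/login" status=200 req_bytes=350',
    '2026-05-07T01:11:43Z src=203.0.113.45 method=POST uri="/AUTH-PORTAL-PATH-PLACEHOLDER/login" status=500 req_bytes=18873',
    '2026-05-07T01:12:15Z src=198.51.100.7 method=GET uri="/other/page" status=404 req_bytes=200',
    '2026-05-07T01:13:00Z src=192.168.5.9 method=POST uri="/AUTH-PORTAL-PATH-PLACEHOLDER/login" status=500 req_bytes=20000',
]

if __name__ == "__main__":
    for src, finding in triage(SAMPLE_LOG).items():
        print(src, finding["count"], sorted(finding["reasons"]), finding["first"], finding["last"])
```

Run against the constructed sample, the internal client 10.20.30.40 is not reported, 198.51.100.7 is ignored because it never touched the portal path, 203.0.113.45 is reported for being outside the trusted ranges and for an oversized request, and 192.168.5.9 is reported only for the oversized request. Any source that appears in the output after the IP restriction mitigation has been applied indicates either that the restriction is incomplete or that an internal host is sending abnormal traffic, and either case is worth escalating.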

MDR customers: Triskele Labs will continue tuning detections for behaviours consistent with the exploitation of CVE-2026-0300 across supported log sources.

Vulnerability Management customers: Environments will be assessed for vulnerable PAN-OS appliance versions and exposure; any findings will be communicated through priority channels.
