Palo Alto Networks Releases Security Advisory for Critical Vulnerability in PAN‑OS

CVE‑2026‑0300 enables unauthenticated remote code execution with root privileges on exposed Palo Alto PAN‑OS firewalls

Threat ID:: CC-4777
Threat Severity:: High
Published:: 6 May 2026 1:00 PM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Summary

CVE‑2026‑0300 enables unauthenticated remote code execution with root privileges on exposed Palo Alto PAN‑OS firewalls

Affected platforms

The following platforms are known to be affected:

Palo Alto Networks PAN-OS

PAN-OS version 12.1

Prior to 12.1.4-h5
Prior to 12.1.7

PAN-OS version 11.2

Prior to 11.2.4-h17
Prior to 11.2.7-h13
Prior to 11.2.10-h6
Prior to 11.2.12

PAN-OS version 11.1

Prior to 11.1.4-h33
Prior to 11.1.6-h32
Prior to 11.1.7-h6
Prior to 11.1.10-h25
Prior to 11.1.13-h5
Prior to 11.1.15

PAN-OS version 10.2

Prior to 10.2.7-h34
Prior to 10.2.10.-h36
Prior to 10.2.13-h21
Prior to 10.2.16-h7
Prior to 10.2.18-h6

Note: Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

Threat details

Exploitation of CVE-2026-0300

Palo Alto is aware of limited in‑the‑wild exploitation of CVE‑2026‑0300, targeting internet‑exposed User‑ID Authentication Portals.

The NHS England National CSOC assesses further exploitation as highly likely.

Introduction

Palo Alto Networks has released a security advisory to address a critical vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software. Successful exploitation could allow a remote unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

CVE-2026-0300 - "Buffer overflow" vulnerability - CVSSv4 score: 9.3

Threat updates

Date	Update
14 May 2026	First batch of updates released by Palo Alto

Remediation advice

Affected organisations must review the Palo Alto Networks advisory CVE‑2026‑0300 PAN‑OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User‑ID Authentication Portal and complete the remediation steps detailed below.

Remediation steps

Type	Step
Action	1. Required: Apply mitigations Affected organisations must disable the User-ID™ Authentication Portal if this service is not required. If disabling is not possible, organisations must restrict access to the User-ID™ Authentication Portal to only trusted zones. https://security.paloaltonetworks.com/CVE-2026-0300
Patch	2. Strongly encouraged: Apply patches Affected organisations are strongly encouraged to apply the patches for relevant versions when they are released. Note: Palo Alto Networks expects patches to be released on 13 May and 28 May. Please review Palo Alto Network's advisory for further details. A threat update will be issued when these patches become available. https://security.paloaltonetworks.com/CVE-2026-0300

Type

Step

Action

1. Required: Apply mitigations

Affected organisations must disable the User-ID™ Authentication Portal if this service is not required.

If disabling is not possible, organisations must restrict access to the User-ID™ Authentication Portal to only trusted zones.

https://security.paloaltonetworks.com/CVE-2026-0300

Patch

2. Strongly encouraged: Apply patches

Affected organisations are strongly encouraged to apply the patches for relevant versions when they are released.

Note: Palo Alto Networks expects patches to be released on 13 May and 28 May. Please review Palo Alto Network's advisory for further details. A threat update will be issued when these patches become available.

https://security.paloaltonetworks.com/CVE-2026-0300

Definitive source of threat updates

https://security.paloaltonetworks.com/CVE-2026-0300

CVE Vulnerabilities

Status Reserved

CVE-2026-0300

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

Last edited: 14 May 2026 2:26 pm