CVE-2026-0300, Palo Alto Networks, PAN-OS, Zero-Day, Remote Code Execution, Buffer Overflow
Source Material: Palo Alto Networks Security Advisory | Technology: Palo Alto Networks PA-Series and VM-Series Firewalls | Targeted Industries: Agnostic / Broad
Executive Summary
On May 6, 2026, Palo Alto Networks disclosed a critical zero-day vulnerability (CVE-2026-0300) affecting the PAN-OS User-ID Authentication Portal (Captive Portal) within PA-Series and VM-Series firewalls. This vulnerability carries a CVSS score of 9.3 when the portal is exposed to untrusted networks. The flaw allows an unauthenticated remote attacker to execute arbitrary code with root privileges by sending specially crafted packets to the affected service.
Palo Alto Networks has confirmed that CVE-2026-0300 is currently under active, limited exploitation in the wild. Threat actors are specifically targeting instances where the Authentication Portal is left publicly accessible or exposed to untrusted IP addresses. Immediate attention is therefore warranted to prevent potential network compromise.
Official patches are not anticipated until mid-to-late May, depending on the specific PAN-OS version. Organizations utilizing PA-Series or VM-Series firewalls must immediately assess their exposure and implement required mitigations. Mitigation currently relies on restricting access to the User-ID Authentication Portal to trusted internal networks or disabling the feature entirely if it is not required for business operations.
Threat Overview and Strategic Impact
CVE-2026-0300 is an unauthenticated, remote buffer overflow vulnerability situated within the PAN-OS User-ID Authentication Portal. By sending malicious, specially crafted network packets to the exposed portal service, an attacker can achieve Remote Code Execution (RCE) with root privileges. Because firewalls act as primary network gatekeepers, a successful exploit provides threat actors with an immediate foothold into the environment. This bypasses perimeter controls and enables further network infiltration, lateral movement, or malware deployment.
The strategic impact is severe due to the widespread adoption of Palo Alto Networks appliances in enterprise environments and the confirmed active exploitation by threat actors. While the vendor notes the exploitation is currently limited, historical trends indicate that once a zero-day in a perimeter security device becomes public knowledge, broader scanning and mass-exploitation campaigns rapidly follow.
Organizations that have configured their User-ID Authentication Portals to be accessible from the public internet or untrusted zones face the highest immediate risk. Conversely, restricting the portal to trusted internal networks significantly mitigates the risk, reducing the CVSS severity rating to 8.7. This incident underscores the need to adhere to the principle of least privilege and to minimize the external attack surface of management and authentication interfaces.
Security Hardening and Recommendations
Until official patches are released by Palo Alto Networks (estimated to begin May 13, 2026, for select versions), organizations should implement the following workarounds immediately:
- Restrict Captive Portal Access: Immediately restrict access to the User-ID Authentication Portal so that it is only reachable from trusted, internal IP addresses or zones. Ensure no external-facing or untrusted interface has an Interface Management Profile with Response Pages enabled.
- Verify Interface Profiles: Navigate to Network > Interface > [Select Interface] > Advanced Tab. Ensure that any attached Interface Management Profile does not have “Response Pages” enabled for internet-facing or untrusted interfaces.
- Verify Redirect Host: Navigate to Device > User Identification > Captive Portal. Confirm that the “Captive Portal redirect host” is explicitly configured with an IP address or FQDN assigned to a trusted, internal firewall interface. As outlined in the How to Configure Captive Portal documentation, this host must be strictly isolated from the untrust/internet zone.
- Disable if Unused: If the User-ID Authentication Portal is not actively required for business operations, disable the feature entirely within the PAN-OS configuration to eliminate the attack surface.
- Audit Management Interfaces: Verify that all NGFW and Panorama management interfaces are properly isolated from the open internet. Ensure inbound management traffic originates only from a strictly permitted list of IP addresses, adhering to guidance from Palo Alto Networks.
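The interface and profile checks above can be automated against an exported PAN-OS configuration. The following is an added example written for this advisory, not code from Palo Alto Networks or Deepwatch; the XML element layout (interface-management-profile entries with a response-pages flag, ethernet interfaces referencing a profile, zones listing member interfaces), the sample configuration and the zone names treated as untrusted are all assumptions for illustration.

```python
# Added example (not Palo Alto Networks' or Deepwatch's code): audit a PAN-OS
# XML config export for untrusted-zone interfaces whose Interface Management
# Profile enables Response Pages, which exposes the User-ID Authentication Portal.
# The element paths below are an assumption about the running-config export layout.
import xml.etree.ElementTree as ET

# Constructed sample config: ethernet1/1 (untrust) and ethernet1/2 (trust) share a
# profile with response-pages enabled; ethernet1/3 (untrust) uses a safe profile.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network>
 <profiles><interface-management-profile>
  <entry name="allow-portal"><response-pages>yes</response-pages></entry>
  <entry name="mgmt-only"><response-pages>no</response-pages></entry>
 </interface-management-profile></profiles>
 <interface><ethernet>
  <entry name="ethernet1/1"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
  <entry name="ethernet1/2"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
  <entry name="ethernet1/3"><layer3><interface-management-profile>mgmt-only</interface-management-profile></layer3></entry>
 </ethernet></interface>
</network>
<vsys><entry name="vsys1"><zone>
 <entry name="untrust"><network><layer3><member>ethernet1/1</member><member>ethernet1/3</member></layer3></network></entry>
 <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
</zone></entry></vsys>
</entry></devices></config>"""

UNTRUSTED_ZONES = {"untrust", "internet", "dmz"}  # assumption: site zone naming

def find_exposed_interfaces(config_xml, untrusted_zones=UNTRUSTED_ZONES):
    """Return [(interface, zone, profile)] for untrusted-zone interfaces whose profile enables response pages."""
    dev = ET.fromstring(config_xml).find("./devices/entry")
    # Profiles that turn on Response Pages (and therefore the portal listener)
    portal_profiles = {
        p.get("name")
        for p in dev.findall("./network/profiles/interface-management-profile/entry")
        if (p.findtext("response-pages") or "no").strip().lower() == "yes"
    }
    # Map each ethernet interface to the profile attached to it
    iface_profile = {
        e.get("name"): e.findtext("./layer3/interface-management-profile")
        for e in dev.findall("./network/interface/ethernet/entry")
    }
    findings = []
    for zone in dev.findall("./vsys/entry/zone/entry"):
        if zone.get("name") not in untrusted_zones:
            continue
        for member in zone.findall("./network/layer3/member"):
            prof = iface_profile.get(member.text)
            if prof in portal_profiles:
                findings.append((member.text, zone.get("name"), prof))
    return findings
```

Run `find_exposed_interfaces(open("running-config.xml").read())` against a real export; any tuple returned is an interface that should lose Response Pages or move out of the untrusted zone.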
Detection Strategy
Detections currently focus on monitoring anomalous traffic directed toward the User-ID Authentication Portal on exposed firewall interfaces. Analysts should look for unusual payload sizes, unexpected connection volumes to the captive portal service, or post-exploitation activities originating directly from the firewall itself (e.g., unexpected outbound connections, shell spawning, or unusual administrative logins).
How Deepwatch Protects Our Customers
Deepwatch Adversary Tactics & Intelligence (ATI) is continuously monitoring intelligence channels for the release of technical details or proof-of-concept (PoC) code associated with CVE-2026-0300. The Threat Hunting team is actively querying customer environments for indicators of exposed portals and signs of anomalous activity related to PAN-OS appliances. Any identified suspicious activity is undergoing investigation and escalation as appropriate in accordance with our response procedures.
Relevant Detections
Please visit Security Center to access the relevant detections for this activity.
Threat Hunting Leads
- Review firewall traffic logs for unexpected high-volume connections or anomalous payloads directed at the Captive Portal service port.
- Monitor firewall system logs for irregular administrative access, unexpected process creation, or unauthorized configuration modifications.
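As an added example of the first hunting lead (not Deepwatch's or Palo Alto Networks' detection content), the script below scans a PAN-OS traffic log export for sources reaching the captive portal listener from an untrusted zone, flagging exposure, connection volume and oversized requests. The CSV field subset, the sample log lines, the portal ports (assumed to be 6080-6082) and the thresholds are all assumptions for illustration.

```python
# Added example (not Deepwatch's or Palo Alto Networks' code): hunt PAN-OS
# traffic log exports for anomalous hits on the User-ID Authentication Portal.
# Field names, ports and thresholds are assumptions for illustration.
import csv
from collections import defaultdict
from io import StringIO

PORTAL_PORTS = {6080, 6081, 6082}  # assumed captive-portal listener ports

# Constructed sample: a reduced traffic-log field set, not a real PAN-OS export
SAMPLE_LOG = """receive_time,src,dst,dport,from_zone,bytes_sent,action
2026/05/07 09:00:01,203.0.113.5,198.51.100.10,6081,untrust,512,allow
2026/05/07 09:00:02,203.0.113.5,198.51.100.10,6081,untrust,48000,allow
2026/05/07 09:00:02,203.0.113.5,198.51.100.10,6081,untrust,600,allow
2026/05/07 09:00:03,203.0.113.5,198.51.100.10,6081,untrust,650,allow
2026/05/07 09:00:10,10.1.2.3,10.1.0.1,6081,trust,700,allow
2026/05/07 09:00:11,203.0.113.9,198.51.100.10,443,untrust,1200,allow
"""

def hunt_portal_anomalies(log_text, max_conns=3, max_bytes=16384, trusted_zones=("trust",)):
    """Return {src: [reasons]} for untrusted sources hitting the portal.
    Any hit is reported as exposure; volume and size thresholds add reasons."""
    conns, peak = defaultdict(int), defaultdict(int)
    for row in csv.DictReader(StringIO(log_text)):
        if int(row["dport"]) not in PORTAL_PORTS or row["from_zone"] in trusted_zones:
            continue  # not the portal, or expected internal use
        conns[row["src"]] += 1
        peak[row["src"]] = max(peak[row["src"]], int(row["bytes_sent"]))
    findings = {}
    for src, count in conns.items():
        reasons = ["portal reachable from untrusted zone"]
        if count > max_conns:
            reasons.append(f"{count} portal connections exceed threshold {max_conns}")
        if peak[src] > max_bytes:
            reasons.append(f"oversized request of {peak[src]} bytes")
        findings[src] = reasons
    return findings
```

Every source reported is worth a look: the exposure reason alone contradicts the workaround of restricting the portal to trusted networks, and the volume and size reasons are the anomalies the hunting lead describes.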
Technical Artifacts
At the time of this publication, specific Indicators of Compromise (IoCs) related to the “limited exploitation” have not been publicly detailed by Palo Alto Networks or secondary researchers.
Threat Object Mapping
Intrusion Set:
- Unknown
Attack Pattern (MITRE ATT&CK):
| Tactic | Technique | Technique ID | Associated Threat Activity |
|---|---|---|---|
| Initial Access | Exploit Public-Facing Application | T1190 | Exploitation of CVE-2026-0300 on exposed firewalls |
| Execution | Exploitation for Client Execution | T1203 | Remote code execution via buffer overflow |
| Privilege Escalation | Exploitation for Privilege Escalation | T1068 | Achieving root privileges on the compromised appliance |
Vulnerabilities:
- CVE-2026-0300: PAN-OS Unauthenticated Buffer Overflow Vulnerability in User-ID Authentication Portal
Malware/Tool:
- Unknown
Additional Sources
- Palo Alto Networks: Why It’s Essential to Secure Your Management Interface
- Palo Alto Networks: How to Configure Captive Portal
- The Hacker News: Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution