Advisories | 1898 & Co.

Palo Alto Networks PAN-OS — Unauthenticated Buffer Overflow in the User-ID Authentication Portal (CVE-2026-0300)

Written by The 1898 & Co. Team | May 7, 2026

Palo Alto Networks has disclosed a critical buffer overflow vulnerability, tracked as CVE-2026-0300, in the User-ID Authentication Portal (formerly known as Captive Portal) component of PAN-OS running on PA-Series and VM-Series next-generation firewalls. The flaw permits an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall by sending specially crafted network packets to a reachable Authentication Portal interface. Palo Alto Networks confirmed limited in-the-wild exploitation prior to the advisory's publication on May 5, 2026, and the vulnerability was added to the U.S. Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog the following day with a Federal Civilian Executive Branch (FCEB) remediation deadline of May 9, 2026.

The defect is an out-of-bounds write (CWE-787) in the portal's request-handling path: attacker-controlled data corrupts memory in the privileged user-identification service and redirects its execution flow. Successful exploitation yields root on the appliance and with it full control of the firewall data plane, including the ability to read, modify, or disable security policy, capture transiting traffic (including any traffic the firewall already decrypts for SSL inspection), persist tooling on the appliance, and pivot into management and protected network segments. Palo Alto Networks assigned a CVSS v4.0 base score of 9.3 (Critical) when the portal is reachable from the public internet or other untrusted networks, reduced to 8.7 when access is restricted to trusted internal addresses; the National Vulnerability Database has not yet published a CVSS v3.1 score for this issue.

This vulnerability is particularly severe for industrial, energy, and critical-infrastructure operators because PA-Series and VM-Series firewalls frequently sit at the perimeter between corporate IT, demilitarized zones, and operational technology (OT) networks, where compromise of the gateway can collapse multiple zones of trust simultaneously. Fixed releases are scheduled to begin shipping on May 13, 2026, with full coverage across the affected PAN-OS branches scheduled to complete by May 28, 2026, and Palo Alto Networks has issued interim configuration guidance and a Threat Prevention signature (Threat ID 510019) to reduce exposure during the patch window. Cloud NGFW, Prisma Access, and Panorama management appliances are not affected by this issue.

Threats and Vulnerabilities

CVE-2026-0300, with a CVSS v4.0 score of 9.3, is an unauthenticated, network-reachable buffer overflow in the User-ID Authentication Portal service that processes captive-portal redirection traffic and end-user identity challenges on PAN-OS firewalls. By sending malformed packets to the portal listener, an attacker can corrupt memory in the privileged user-identification process and execute arbitrary code as root on the underlying firewall, with no prior authentication, user interaction, or access to administrative interfaces required.

The vulnerability affects the following PAN-OS releases when running on PA-Series hardware or VM-Series virtual appliances:

- PAN-OS 12.1: versions prior to 12.1.4-h5 and 12.1.7
- PAN-OS 11.2: versions prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
- PAN-OS 11.1: versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 10.2: versions prior to 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6

Palo Alto Networks Unit 42 has confirmed limited exploitation in the wild, with telemetry indicating opportunistic scanning followed by targeted intrusions against firewalls whose Authentication Portals were reachable from arbitrary public IP space. The CVSS v4.0 exploit-maturity metric has been set to ATTACKED, and the CISA KEV listing on May 6, 2026, confirms that exploitation has moved from proof of concept to operational use against production environments. Palo Alto Networks credited its Deep Product Security Research Team, Unit 42, and the Xpanse Internet Listening Initiative for discovery and triage of the issue.

Client Impact

A successful compromise of an exposed PAN-OS firewall through CVE-2026-0300 grants an adversary root-level control of a security-critical perimeter device. In operational terms, the attacker can disable or modify firewall rules, suppress logging, intercept traffic that the firewall decrypts for SSL inspection, capture credentials transiting the device, deploy persistent implants on the appliance, and use the firewall as a trusted launch point for lateral movement into internal corporate, management, and OT segments. For organizations that rely on PAN-OS firewalls to enforce Purdue-model zone separation between business systems and industrial control systems, the loss of the gateway effectively eliminates the engineered boundary, exposes engineering workstations and historians to direct attack, and creates a path for adversary tradecraft to reach safety-instrumented and process-control assets. The pre-patch exposure window is significant: exploitation has been observed in the wild since at least early May, while fixed releases are not scheduled to ship until May 13, 2026.

From a compliance and regulatory standpoint, exploitation of this vulnerability triggers obligations under multiple frameworks that govern critical-infrastructure and regulated entities, including NERC CIP-007 (security patch management and malicious-code prevention for applicable bulk electric system assets) and CIP-008 (incident reporting), the U.S. Securities and Exchange Commission cyber-incident disclosure rule for materially impacted public companies, the EU NIS2 Directive for essential and important entities, the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) for covered entities once its rule is enforced, and the HIPAA Breach Notification Rule where a compromised firewall protected electronic protected health information and the intrusion results in a breach of that data. The CISA KEV listing also imposes a binding patch-or-mitigate deadline of May 9, 2026, on Federal Civilian Executive Branch agencies under Binding Operational Directive 22-01, and contractors operating federal systems should treat that date as the de facto benchmark for remediation urgency.

Mitigations

Organizations operating PAN-OS firewalls should treat CVE-2026-0300 as an emergency patching event and apply the following actions in order of priority:

1. Inventory all PA-Series and VM-Series firewalls running PAN-OS 10.2, 11.1, 11.2, or 12.1, and confirm whether the User-ID Authentication Portal (Captive Portal) feature is configured on any zone or interface; treat any device with the portal enabled as in-scope until patched.

2. Immediately restrict the Authentication Portal so that the listener is reachable only from trusted internal IP ranges: remove any security policy that allows the portal address from untrusted, internet, or extranet zones, and disable Response Pages in the Interface Management Profile of untrusted interfaces. Verify the change from an external vantage point (the portal port should no longer answer from the internet). If the portal is not actively used for user identification, disable it entirely until patches are deployed.

3. Apply the vendor-released fixed PAN-OS hotfix appropriate to your branch as soon as it becomes available within the May 13–28, 2026 release window — 12.1.4-h5, 12.1.7, 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12, 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15, 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6 — and prioritize internet-facing devices first.

4. On firewalls running PAN-OS 11.1 or later, enable Threat Prevention signature Threat ID 510019 in blocking mode on policies that govern traffic toward the Authentication Portal, and validate the signature is hitting before relying on it as a compensating control.

5. Hunt for prior compromise by reviewing PAN-OS system, configuration, and management-plane logs for unexpected administrative sessions, configuration changes, new local administrators, dynamic-update anomalies, or outbound connections from the data plane to unknown infrastructure, covering the whole period since the portal became exposed. Before patching or rebooting any device suspected of compromise, preserve evidence: generate and retain a technical support file and, for VM-Series instances, a snapshot or disk image of the virtual machine, since the upgrade itself reboots the appliance and can overwrite volatile artifacts.

These five steps reduce the probability of opportunistic exploitation, accelerate remediation of the underlying defect, and ensure that any pre-existing compromise is detected before it can be obscured by the patching activity itself.
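Steps 1 and 3 above reduce to one recurring question: given the version string a firewall reports, is it below the fixed release for its maintenance line? Hotfix suffixes make a plain string comparison wrong (11.1.4-h12 is older than 11.1.4-h33, yet 11.1.5 is newer than both and still unfixed). The following Python script is an added example, not code from Palo Alto Networks or from this advisory. It encodes the fixed releases listed in step 3 and classifies an inventory of version strings. The hostnames in the sample inventory are constructed, and the rule for interpreting the advisory's "prior to" list is an assumption of the script: a device is fixed only if its maintenance line has a listed fix and the device is at or above that hotfix, or if it sits on a maintenance line newer than every listed fix; lines with no listed fix (11.1.5, for instance) are treated as vulnerable and need a move to a fixed line. Branches the advisory does not name are reported as not listed rather than as safe.

```python
"""Classify PAN-OS versions against the fixed releases listed for CVE-2026-0300.

Added example for this advisory, not vendor code. Hotfix ordering matters:
11.1.4-h12 is older than 11.1.4-h33, but 11.1.5 is newer than both and still
vulnerable because no fix is listed on that maintenance line.
"""
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases per PAN-OS branch, as listed in step 3 of the mitigations.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
             "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into a comparable tuple; no hotfix -> 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def classify(version: str) -> str:
    """Return 'fixed', 'vulnerable', or 'not-listed' for a PAN-OS version.

    Interpretation of the advisory's 'prior to' list (an assumption of this
    script): fixed if the maintenance line has a listed fix and the device is
    at or above that hotfix, or if the line is newer than every listed fix.
    Maintenance lines with no listed fix (e.g. 11.1.5) count as vulnerable.
    """
    major, minor, maint, hotfix = parse_version(version)
    fixes = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixes is None:
        # Branch not named in the advisory (e.g. 10.1); confirm with the vendor.
        return "not-listed"
    parsed = [parse_version(f) for f in fixes]
    if maint > max(p[2] for p in parsed):
        return "fixed"
    for _, _, fixed_maint, fixed_hotfix in parsed:
        if fixed_maint == maint:
            return "fixed" if hotfix >= fixed_hotfix else "vulnerable"
    return "vulnerable"


def needed_upgrade(version: str) -> Optional[str]:
    """Lowest listed fixed release on the same branch at or above the device's
    maintenance line; None when no upgrade is needed or the branch is unlisted."""
    if classify(version) != "vulnerable":
        return None
    major, minor, maint, _ = parse_version(version)
    fixes = FIXED_VERSIONS[f"{major}.{minor}"]  # branch exists if vulnerable
    # Entries are in ascending order, so the first match is the lowest target.
    for candidate in fixes:
        if parse_version(candidate)[2] >= maint:
            return candidate
    return None


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map hostname -> (status, upgrade target) for a {hostname: version} inventory."""
    return {host: (classify(ver), needed_upgrade(ver)) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample = {
        "fw-dmz-01": "11.1.4-h12",
        "fw-dmz-02": "11.1.5",
        "fw-ot-01": "10.2.18-h6",
        "fw-corp-01": "12.1.8",
        "fw-lab-01": "10.1.14-h8",
    }
    for host, (status, target) in triage_inventory(sample).items():
        print(f"{host:12} {sample[host]:12} {status:11} {target or '-'}")
```

Feed it the version strings collected in step 1 (for example from the `sw-version` field of `show system info`) and treat every "vulnerable" or "not-listed" result as in scope for steps 2 through 5; a "not-listed" branch is a prompt to check the vendor advisory, not a clean bill of health.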

1898 & Co. Response

1898 & Co. is actively tracking CVE-2026-0300 and the associated exploitation campaign, and our Managed Threat Protection and Response team has already enriched detections to surface anomalous traffic to and from PAN-OS Authentication Portals across monitored client environments. We are reviewing telemetry from network-edge sensors, firewall syslog feeds, and endpoint telemetry on management-plane hosts to identify any indicators consistent with the limited exploitation activity disclosed by Palo Alto Networks Unit 42, and we will issue targeted client notifications where exposure or suspect activity is observed.

For client engagements that include perimeter and OT-DMZ architecture review, our consulting team is producing tailored guidance on portal exposure assessment, hotfix scheduling, and compensating-control validation for environments that cannot patch within the vendor-recommended window. We are coordinating with clients in regulated sectors — electric, oil and gas, water, and manufacturing — to align remediation timelines with maintenance windows, change-management requirements, and applicable regulatory reporting obligations such as NERC CIP-008 and CIRCIA.

Clients with active retainers should engage their assigned 1898 & Co. consultant to validate firewall inventory, confirm that the Authentication Portal is not exposed to untrusted networks, schedule rapid hotfix deployment, and review historical logs for indicators of pre-patch compromise. Clients without an active retainer who require emergency assistance can contact 1898 & Co. directly to engage incident-response or perimeter-hardening services on a project basis.

Sources

1. Palo Alto Networks Security Advisory — CVE-2026-0300 PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID Authentication Portal

2. CISA Known Exploited Vulnerabilities Catalog — CVE-2026-0300

3. NVD Entry — CVE-2026-0300