Palo Alto Networks has confirmed that a critical zero-day in its PAN-OS software has already been exploited against a limited number of customer firewalls.
The flaw, CVE-2026-0300, is a buffer overflow in the User-ID Authentication Portal, also known as Captive Portal. Under CVSS 4.0 it scores 9.3 (Critical) when the portal is reachable from the public internet or any untrusted zone. Restricting portal access to internal IPs lowers the score to 8.7, which is still High.
Specially crafted packets are enough. Sent to an unpatched portal, they trigger an out-of-bounds write that gives the attacker root-level code execution on PA-Series and VM-Series firewalls. No user interaction or credentials are needed, so the bug is unauthenticated and remotely triggerable wherever the portal listens.
“Limited exploitation” is how Palo Alto’s advisory describes the activity so far, focused on portals exposed to the internet or untrusted IPs. Security analysts have often interpreted such language as indicating intrusions by sophisticated, often state-aligned threat actors. No attackers have been named or IoCs shared at the time of writing.
Patches are scheduled to arrive in two waves. The first batch is due May 13, 2026, with the rest following on May 28. PAN-OS 10.2, 11.1, 11.2, and 12.1 are all affected. Prisma Access, Cloud NGFW, and Panorama appliances are not.
This is the latest pressure point for Palo Alto’s perimeter gear. In December 2025, login portals on Palo Alto and SonicWall devices were hit by a linked credential-stuffing campaign that GreyNoise traced to a single actor operating against both vendors.
CISA’s KEV Catalog Already Lists 13 Palo Alto Product Flaws
The pattern is not new. CISA’s Known Exploited Vulnerabilities catalog already lists 13 Palo Alto product flaws, several added during a wave of in-the-wild exploitation in 2024, some of it tied to state-sponsored groups.
Until patches land, the company recommends restricting Authentication Portal access to trusted zones, or disabling the portal entirely if it is not needed. Either move shrinks the exposed surface, since the portal is the only path that reaches the flawed code.
Palo Alto’s guidance stresses that configuration matters as much as patching in this case: default configurations, in which the portal is not enabled, are not vulnerable. Any Authentication Portal reachable from the internet or an untrusted zone should be treated as an emergency remediation priority, with trusted-zone-only portals patched as soon as a fixed build is available.
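The triage logic the advisory implies (product in scope, PAN-OS train in the affected list, portal enabled, portal reachable from an untrusted zone) is easy to get wrong across a large estate. The script below is an added example written for this article, not code from Palo Alto Networks. It encodes only what the article states: the affected trains, the affected platforms, the products that are out of scope, and the exposure condition. It deliberately does not encode fixed versions, because those are only in the vendor advisory, so a device on an affected train is never reported as patched. The inventory schema, the field names, the zone classification and the sample devices are all assumptions constructed for the example.

```python
"""Prioritise firewalls for CVE-2026-0300 remediation from an inventory.

Facts taken from the article: affected trains 10.2, 11.1, 11.2, 12.1;
affected platforms PA-Series and VM-Series; Prisma Access, Cloud NGFW and
Panorama not affected; default configuration (portal disabled) not
vulnerable; CVSS 9.3 when the portal is reachable from the internet or an
untrusted zone, 8.7 when reachable only from internal IPs.

Assumptions for this example: the inventory record layout, the field names,
and the operator-supplied set of "untrusted" zone names. Fixed builds are
NOT modelled; consult the advisory for those.
"""
import re
from dataclasses import dataclass

AFFECTED_TRAINS = {"10.2", "11.1", "11.2", "12.1"}      # per the article
AFFECTED_PLATFORMS = {"PA-Series", "VM-Series"}         # per the article
UNAFFECTED_PRODUCTS = {"Prisma Access", "Cloud NGFW", "Panorama"}

# PAN-OS versions look like 11.1.4 or 11.1.4-h7 (hotfix suffix optional).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 if absent."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def train_of(version):
    """Map a full version to its release train, e.g. '11.1.4-h7' -> '11.1'."""
    major, minor, _maint, _hotfix = parse_panos_version(version)
    return f"{major}.{minor}"


@dataclass
class Device:
    name: str
    product: str            # "PA-Series", "VM-Series", "Panorama", ...
    panos: str              # e.g. "11.1.4-h7"
    portal_enabled: bool    # Authentication (Captive) Portal switched on?
    portal_zones: tuple     # zones whose interfaces serve the portal
    untrusted_zones: frozenset  # zones the operator treats as untrusted


def triage(dev):
    """Return (priority, reason) for one device."""
    if dev.product in UNAFFECTED_PRODUCTS:
        return "not-affected", f"{dev.product} is not affected per the advisory"
    if dev.product not in AFFECTED_PLATFORMS:
        return "review", f"{dev.product} is not covered by the article; check the advisory"
    train = train_of(dev.panos)
    if train not in AFFECTED_TRAINS:
        return "review", f"PAN-OS {train} not in the listed affected trains; confirm against the advisory"
    if not dev.portal_enabled:
        return "patch-on-schedule", "affected train, but portal disabled (default config is not vulnerable)"
    exposed = sorted(set(dev.portal_zones) & dev.untrusted_zones)
    if exposed:
        return "emergency", (f"portal reachable from untrusted zone(s) {exposed} (CVSS 9.3): "
                             "restrict to trusted zones or disable now, then apply the fixed build")
    return "high", "portal reachable only from trusted zones (CVSS 8.7): apply the fixed build when released"


def triage_inventory(devices):
    """Return {device name: priority} for a whole inventory."""
    return {d.name: triage(d)[0] for d in devices}


# Constructed sample inventory; none of these are real devices.
SAMPLE_INVENTORY = [
    Device("fw-edge-01", "PA-Series", "11.1.4-h7", True, ("untrust", "guest"), frozenset({"untrust", "guest"})),
    Device("fw-core-02", "PA-Series", "10.2.9", True, ("trust",), frozenset({"untrust"})),
    Device("fw-lab-03", "VM-Series", "11.2.3", False, (), frozenset({"untrust"})),
    Device("pano-01", "Panorama", "11.1.4", False, (), frozenset()),
    Device("fw-old-04", "PA-Series", "10.1.14-h9", True, ("untrust",), frozenset({"untrust"})),
]

if __name__ == "__main__":
    for dev in SAMPLE_INVENTORY:
        prio, why = triage(dev)
        print(f"{dev.name:12s} {prio:18s} {why}")
```

The only judgement the script does not make for you is which zones count as untrusted; that is an operator decision, and the advisory's 9.3 rating hinges on it. Devices that come back "review" are the ones the article does not settle, which is exactly where the vendor advisory, not this script, is authoritative.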
The full list of fixed versions and release dates is in Palo Alto’s advisory.