


Perceptive Security
SOC/SIEM Consultancy

Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
Published:
6 May 2026 at 06:14:00
Alert date:
6 May 2026 at 08:00:47
Source:
thehackernews.com
Network Infrastructure, Zero-Day Vulnerabilities
Palo Alto Networks has issued an advisory warning about CVE-2026-0300, a critical buffer overflow vulnerability in PAN-OS software that is being actively exploited in the wild. The vulnerability allows for unauthenticated remote code execution and has a CVSS score of 9.3. The flaw specifically affects systems where the User-ID Authentication Portal is configured to enable access from the internet. This represents a significant security risk for organizations using affected Palo Alto firewall systems.
Technical details
A buffer overflow vulnerability in the User-ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. The CVSS score is 9.3 if the portal is internet-accessible and 8.7 if it is restricted to trusted internal IP addresses. The flaw is currently under limited exploitation targeting publicly accessible User-ID Authentication Portals.
Mitigation steps:
Restrict User-ID Authentication Portal access to only trusted zones or disable it entirely if not required. Follow standard security best practices by restricting sensitive portals to trusted internal networks. Apply patches when available starting May 13, 2026.
Affected products:
Palo Alto Networks PAN-OS 12.1 (< 12.1.4-h5, < 12.1.7)
Palo Alto Networks PAN-OS 11.2 (< 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12)
Palo Alto Networks PAN-OS 11.1 (< 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15)
Palo Alto Networks PAN-OS 10.2 (< 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6)
PA-Series firewalls
VM-Series firewalls
Related links:
https://security.paloaltonetworks.com/CVE-2026-0300
https://live.paloaltonetworks.com/t5/general-articles/why-it-s-essential-to-secure-your-management-interface/ta-p/1001286
This article was created with the assistance of AI technology by Perceptive.
