Palo Alto Networks disclosed CVE-2026-0300 on May 6, 2026, a critical buffer overflow in the User-ID Authentication Portal (Captive Portal) service of PAN-OS that allows an unauthenticated remote attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. The company confirmed that active, limited exploitation has already been detected in the wild against internet-accessible portal instances. No patch is available; fixes are scheduled for release on May 13, 2026.
CVE-2026-0300: Buffer Overflow in PAN-OS Captive Portal Grants Root-Level Code Execution Without Authentication
The vulnerability is a buffer overflow in the User-ID Authentication Portal — the Captive Portal component — of PAN-OS versions 10.2, 11.1, 11.2, and 12.1. An unauthenticated attacker can send specially crafted packets to the exposed portal to trigger the overflow and execute arbitrary code with root privileges on the underlying firewall appliance. Both PA-Series hardware appliances and VM-Series virtual firewalls running the affected PAN-OS versions are impacted.
Palo Alto Networks assigned the vulnerability a CVSS score of 9.3 when the portal is accessible from the internet and 8.7 when restricted to trusted internal network ranges. The higher score reflects that publicly exposed configurations face direct exploitation risk with no authentication requirement.
Exploitation Status: Active and Limited, Targeting Public-Facing Portal Instances
Palo Alto Networks confirmed that active exploitation of CVE-2026-0300 has been detected, described as limited and targeting internet-accessible Captive Portal configurations. No specific victim organizations were named in the disclosure. The exploitation pattern targets firewall deployments where the User-ID Authentication Portal is reachable from untrusted or public IP ranges — a configuration common in enterprise guest network and contractor authentication deployments.
Organizations whose Captive Portal is restricted to trusted internal zones face a lower CVSS score of 8.7 and are not directly exploitable from the internet, though they remain vulnerable to exploitation by any attacker who already has access to trusted network segments.
Interim Mitigation: Restricting Portal Access to Trusted Zones Is the Only Available Control Until May 13
With no patch available until May 13, 2026, the sole interim mitigation Palo Alto Networks has identified is restricting the User-ID Authentication Portal to trusted zones only, or disabling it entirely on deployments where it is not in active use. This configuration change moves the vulnerability from a CVSS 9.3 directly exploitable condition to a CVSS 8.7 condition requiring trusted-network access.
Organizations relying on Captive Portal for guest or contractor authentication workflows who cannot immediately restrict access face an unpatched, actively exploited attack surface on their perimeter firewall. The gap between the May 6 disclosure and the May 13 patch availability represents a minimum eight-day window during which configuration mitigations are the only available defense.
Why Unauthenticated Root Execution on a Perimeter Firewall Carries Outsized Risk
Root-level code execution on a PA-Series or VM-Series firewall grants control of the device that enforces network perimeter policy, terminates VPN sessions, and manages traffic flows between external and internal network segments. An attacker with root access to the firewall can modify security rules, access authentication and credential caches maintained by the User-ID service, disable logging, and use the firewall’s trusted internal network position to pivot into protected network segments behind the perimeter.
Affected PAN-OS Versions and What Organizations Should Prioritize
CVE-2026-0300 affects PAN-OS 10.2, 11.1, 11.2, and 12.1 running on PA-Series and VM-Series platforms. Organizations should immediately audit Captive Portal configurations across these versions to determine whether the portal is accessible from untrusted or internet-facing zones.
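One way to script the audit described above, as an added example that is not Palo Alto Networks tooling or part of the original article: it reads an exported PAN-OS configuration XML, lists Layer 3 Ethernet interfaces whose interface management profile has response pages enabled, and marks those whose zone is outside an operator-supplied trusted set. It assumes that enabling response pages on the management profile is what serves the portal on an interface, and it covers Ethernet Layer 3 interfaces only (no subinterfaces). The sample config, the zone names and the function name `audit_portal_exposure` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of an exported PAN-OS config (not from a real device).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network>
 <profiles><interface-management-profile>
  <entry name="guest-portal"><response-pages>yes</response-pages></entry>
  <entry name="corp-portal"><response-pages>yes</response-pages></entry>
  <entry name="ping-only"><ping>yes</ping></entry>
 </interface-management-profile></profiles>
 <interface><ethernet>
  <entry name="ethernet1/1"><layer3><interface-management-profile>guest-portal</interface-management-profile></layer3></entry>
  <entry name="ethernet1/2"><layer3><interface-management-profile>corp-portal</interface-management-profile></layer3></entry>
  <entry name="ethernet1/3"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
  <entry name="ethernet1/4"><layer3><interface-management-profile>guest-portal</interface-management-profile></layer3></entry>
 </ethernet></interface>
</network>
<vsys><entry name="vsys1"><zone>
 <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
 <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
 <entry name="dmz"><network><layer3><member>ethernet1/3</member></layer3></network></entry>
</zone></entry></vsys>
</entry></devices></config>"""  # ethernet1/4 is deliberately left without a zone

def audit_portal_exposure(config_xml, trusted_zones):
    """List interfaces serving response pages; flag those outside trusted zones."""
    root = ET.fromstring(config_xml)
    # Management profiles with response pages enabled (assumed to serve the portal).
    serving = {p.get("name")
               for p in root.iterfind(".//profiles/interface-management-profile/entry")
               if (p.findtext("response-pages") or "").strip() == "yes"}
    # Map each interface name to the zone that lists it as a member.
    zone_of = {m.text.strip(): z.get("name")
               for z in root.iterfind(".//zone/entry")
               for m in z.iterfind("network/layer3/member") if m.text}
    findings = []
    for iface in root.iterfind(".//interface/ethernet/entry"):
        profile = (iface.findtext("layer3/interface-management-profile") or "").strip()
        if profile not in serving:
            continue
        zone = zone_of.get(iface.get("name"))
        # An interface with no zone is treated as untrusted so it still gets reviewed.
        findings.append({"interface": iface.get("name"), "zone": zone,
                         "profile": profile, "restrict": zone not in trusted_zones})
    return findings

if __name__ == "__main__":
    for f in audit_portal_exposure(SAMPLE_CONFIG, trusted_zones={"trust"}):
        print("RESTRICT" if f["restrict"] else "ok", f["interface"], f["zone"], f["profile"])
```

Which zones count as trusted is the operator's decision; the script only reports where the portal-serving profile is attached.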
Palo Alto Networks is the authoritative source for patch availability and version-specific remediation guidance, with fixes scheduled for May 13, 2026. Organizations should monitor the Palo Alto Networks Security Advisories portal for updates on and after that date.
