
Zero-Day Alert: Critical Palo Alto PAN-OS Flaw Under Active Exploitation, RCE Threat Looms


Cybersecurity giant Palo Alto Networks has issued an urgent advisory, confirming that a critical buffer overflow vulnerability within its PAN-OS software is actively being exploited in the wild. This severe flaw, identified as CVE-2026-0300, presents an unauthenticated remote code execution (RCE) risk, allowing attackers to seize control of vulnerable firewalls.

The Alarming Details of CVE-2026-0300

The vulnerability resides in the User-ID Authentication Portal service (also known as the Captive Portal) within Palo Alto Networks’ PAN-OS. By exploiting the buffer overflow, an unauthenticated attacker can send specially crafted packets to execute arbitrary code with root privileges on both PA-Series and VM-Series firewalls, which amounts to a complete compromise of the affected device.

The severity of this flaw is underscored by its CVSS score. It registers a critical 9.3 if the User-ID Authentication Portal is configured to be accessible from the internet or any untrusted network. Even when access is restricted to trusted internal IP addresses, the vulnerability remains high-severity, scoring 8.7.

Active Exploitation Confirmed

Palo Alto Networks has confirmed “limited exploitation” of CVE-2026-0300. The attacks specifically target instances where the User-ID Authentication Portal has been inadvertently left publicly accessible, highlighting the critical importance of adhering to security best practices.

Affected PAN-OS Versions

Organizations running the following PAN-OS versions are urged to take immediate action:

  • PAN-OS 12.1: Versions earlier than 12.1.4-h5 and 12.1.7
  • PAN-OS 11.2: Versions earlier than 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
  • PAN-OS 11.1: Versions earlier than 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  • PAN-OS 10.2: Versions earlier than 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6

It’s crucial to note that this vulnerability exclusively impacts PA-Series and VM-Series firewalls configured to utilize the User-ID Authentication Portal.

Immediate Mitigations and Upcoming Patch

A permanent patch for CVE-2026-0300 is not yet available. Palo Alto Networks anticipates releasing fixes starting May 13, 2026. In the interim, immediate mitigation is vital to protect your infrastructure:

  • Restrict Access: Limit User-ID Authentication Portal access to only trusted internal networks or specific trusted zones. This significantly reduces the attack surface.
  • Disable if Unnecessary: If the User-ID Authentication Portal is not a critical component of your network operations, disable it entirely until a patch can be applied.

Palo Alto Networks emphasizes that customers who already follow standard security best practices, such as restricting sensitive portals to trusted internal networks, are at a greatly reduced risk. Proactive security posture remains the strongest defense.

Stay informed and follow official advisories from Palo Alto Networks for the latest updates on this critical vulnerability.

