CVE-2026-0300
5/6/2026
CVSS 9.3 • CRITICAL

CVE-2026-0300: Critical Root-Level RCE in Palo Alto Networks PAN-OS Captive Portal

Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

FREQUENTLY ASKED

What is CVE-2026-0300 and why does it matter?

CVE-2026-0300 is a critical out-of-bounds write vulnerability in the PAN-OS User-ID Authentication Portal (Captive Portal). It matters because an unauthenticated attacker who can reach the portal can gain root-level control of a PA-Series or VM-Series firewall by sending crafted packets, taking over the very device that enforces the organization's security policy.

Which versions of PAN-OS are affected by this vulnerability?

The advisory lists PAN-OS 12.1.0, 11.2.0, 11.1.0, and 10.2.0 as affected. Organizations should check the exact PAN-OS version running on each PA-Series and VM-Series device and consult the vendor advisory for the fixed maintenance release of their branch to determine exposure immediately.

Has an official patch been released for CVE-2026-0300?

Yes, Palo Alto Networks has provided official remediations. Administrators should visit the vendor's security portal at https://security.paloaltonetworks.com/CVE-2026-0300 to download and apply the necessary updates for their specific hardware and software configurations.

What is the remediation deadline and how does it impact compliance?

The remediation deadline is 2026-05-09. The date matters for compliance with CISA Binding Operational Directive (BOD) 22-01, which requires Federal Civilian Executive Branch agencies to remediate vulnerabilities in the Known Exploited Vulnerabilities (KEV) catalog by the due date CISA assigns. Other organizations are not bound by the directive but commonly treat the date as a benchmark.

How can I check if my deployment is affected?

Two conditions determine exposure: the device must be running one of the listed PAN-OS release branches, and the User-ID Authentication Portal (Captive Portal) must be enabled and reachable by the attacker. Check the running version (for example with "show system info" on the CLI, or through Panorama for the whole fleet) and audit each vsys for an enabled Authentication Portal. Devices that expose the portal on untrusted or internet-facing zones are the highest priority; devices on an affected version with the portal disabled are still unpatched and should be updated.

THREAT SURVEY

VULNERABILITY TARGET

PAN-OS

VENDOR SOURCE

Palo Alto Networks

CLASSIFIERS

CWE-787

REMEDIATION PULSE

Critical patching mandated by May 9, 2026.

EXPLOITATION STATUS: ACTIVE_WILDFIRE

RELATED INTELLIGENCE

CVE-2008-4250

Unpacking CVE-2008-4250: Technical Analysis and Mitigation of the Critical Windows Server Service Buffer Overflow Vulnerability

Microsoft Windows contains a buffer overflow vulnerability in the Windows Server Service that allows remote attackers to execute arbitrary code via a crafted RPC request that triggers an overflow during path canonicalization.

CVE-2016-3351

Securing Legacy Environments: A Technical Analysis of CVE-2016-3351 in Internet Explorer and Edge

An information disclosure vulnerability exists in the way that certain functions in Internet Explorer and Edge handle objects in memory. The vulnerability could allow an attacker to detect specific files on the user's computer.

CVE-2017-0147

Unmasking CVE-2017-0147: Technical Analysis of the Windows SMBv1 Information Disclosure Vulnerability

The SMBv1 server in Microsoft Windows allows remote attackers to obtain sensitive information from process memory via a crafted packet.



CVE-2026-0300 is a critical vulnerability (CVSS 9.3) involving an out-of-bounds write in Palo Alto Networks PAN-OS software. This flaw allows unauthenticated attackers to achieve full remote code execution (RCE) with root privileges on PA-Series and VM-Series firewalls. Immediate action is required before the remediation deadline of 2026-05-09 to mitigate active exploitation risks.

Vulnerability Profile Table

CVE ID: CVE-2026-0300
Affected Product & Versions: PAN-OS 12.1.0, 11.2.0, 11.1.0, 10.2.0 (PA-Series and VM-Series)
CVSS Score & Severity: 9.3 (CRITICAL)
CVSS Version: 4.0
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
CWE IDs: CWE-787: Out-of-bounds Write
Date Disclosed: 2026-05-06
Remediation Deadline: 2026-05-09
SSVC Exploitation Status: Active
Known Ransomware Use: Unknown
EPSS Score & Percentile: Information not available
Patch Available: Yes

Understanding CVE-2026-0300: The Critical Vulnerability

CVE-2026-0300 represents a tier-one threat to network infrastructure. As a critical out-of-bounds write vulnerability located within the PAN-OS User-ID™ Authentication Portal, also known as the Captive Portal, it bypasses traditional authentication requirements entirely. This vulnerability is not merely a service disruption; it is a gateway to full device compromise. In the ecosystem of Palo Alto Networks, the firewall is the central point of trust. When this trust is compromised via an unauthenticated, network-based attack, the entire internal network architecture is at risk.

The urgency of this advisory is underscored by the 72-hour remediation window. Disclosed on May 6 and requiring a fix by May 9, the timeline reflects a state of active exploitation. Attackers are currently leveraging this flaw to penetrate perimeter defenses, necessitating a rapid and structured defensive response from security operations centers (SOCs) globally.

Technical Deep Dive: CWE-787 and the Captive Portal Attack Vector

The technical core of this vulnerability is CWE-787: Out-of-bounds Write. This class of software weakness occurs when a program writes data past the end of the intended buffer, often leading to memory corruption, system crashes, or—as in the case of CVE-2026-0300—arbitrary code execution.

Anatomy of an Out-of-bounds Write

In the context of the PAN-OS User-ID Authentication Portal, the flaw resides in how the service processes specially crafted network packets. When a user (or in this case, an attacker) interacts with the Captive Portal, the system expects specific data structures. By sending malformed packets that exceed expected length or format, an attacker can force the system to write data into adjacent memory locations.

The advisory states that the resulting code execution runs as root, so corrupting the memory of the process that handles Authentication Portal traffic hands the attacker the highest privilege level on the appliance. On a PA-Series or VM-Series firewall, root access allows an attacker to:

  1. Intercept traffic transiting the device, including decrypting sessions for which the firewall itself holds the keys (for example, SSL decryption policies and inbound-inspection certificates).
  2. Modify security policy and NAT rules to open paths for lateral movement.
  3. Install persistent backdoors or rootkits.
  4. Exfiltrate sensitive configuration data, including VPN credentials, certificates and private keys stored on the device, and internal routing tables.

The attack surface is particularly broad because the User-ID Authentication Portal is frequently exposed to provide web-based authentication for users in guest networks or restricted zones. Any network path that can reach the portal interface is a potential vector for exploitation.

Impact Assessment: PA-Series and VM-Series Firewalls

The blast radius of CVE-2026-0300 is limited to the PA-Series (hardware) and VM-Series (virtualized) firewall platforms. These are the workhorses of the Palo Alto Networks ecosystem, deployed in data centers, edge environments, and cloud infrastructures.

A successful exploit on these platforms results in a "total" technical impact. This means the confidentiality, integrity, and availability of the device are completely compromised. It is important to note that Prisma Access, Cloud NGFW, and Panorama appliances are not impacted, which suggests the vulnerable code is specific to the local User-ID service implementation found on the firewall units themselves.

Who Is Affected: Organizations at Risk

Any organization running PAN-OS versions 12.1.0, 11.2.0, 11.1.0, or 10.2.0 on physical or virtual firewalls is potentially affected. High-risk profiles include:

  • Enterprises utilizing Captive Portals for internal user identification.
  • Service providers managing multi-tenant VM-Series deployments.
  • Government agencies and contractors subject to federal security mandates.

Compliance and Deadlines: CISA BOD 22-01 Requirements

Due to the active exploitation status, CVE-2026-0300 has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Under Binding Operational Directive (BOD) 22-01, Federal Civilian Executive Branch (FCEB) agencies are required to remediate this vulnerability by the May 9, 2026 deadline. While BOD 22-01 specifically applies to federal agencies, it serves as a critical benchmark for private sector organizations. Failure to patch within this window significantly increases the statistical likelihood of a successful breach as automated scanning and exploitation tools proliferate.

Official Remediation and Patching Strategy

The primary remediation for CVE-2026-0300 is the application of the official security updates provided by Palo Alto Networks.

  1. Identify Vulnerable Assets: Use Panorama, or the web interface or CLI of each firewall (the CLI command "show system info" reports the running sw-version), to audit PAN-OS versions across the fleet. Prioritize devices where the User-ID Authentication Portal is enabled, and above all those where it is reachable from untrusted zones.
  2. Obtain Patches: Navigate to the Palo Alto Networks Security Portal (https://security.paloaltonetworks.com/CVE-2026-0300) to identify the fixed maintenance release for your software branch (10.2, 11.1, 11.2, or 12.1). This page lists only the affected base versions, so take the fixed release numbers from the advisory itself.
  3. Deploy Updates: Follow standard change management procedures to apply the updates. Given the root-level risk and active exploitation, emergency maintenance windows are advised. After the upgrade, confirm the new version with "show system info" and verify that the Authentication Portal still behaves as expected.
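The asset-identification step above can be scripted. The following helper is an added example written for this page, not Palo Alto Networks tooling: it parses the XML that the PAN-OS XML API returns for "show system info" and an exported running configuration, then classifies each device. It assumes that the base versions the advisory lists (12.1.0, 11.2.0, 11.1.0, 10.2.0) stand for whole release branches, that the Authentication Portal enable flag appears as an enable-captive-portal element under each vsys entry's captive-portal node (verify this against your own exported config), and that you fill FIXED_VERSIONS from the vendor advisory, since this page does not state the fixed maintenance releases. The sample XML at the bottom is constructed; hostnames and version numbers are invented.

```python
"""Fleet triage helper for CVE-2026-0300.

Added example, not Palo Alto Networks tooling. It reads the XML that the
PAN-OS XML API returns for 'show system info' and an exported running
configuration, then classifies each device.
"""
import re
import xml.etree.ElementTree as ET

# Release branches the advisory lists as affected (12.1, 11.2, 11.1, 10.2).
# Assumption: the listed base versions stand for whole release branches.
AFFECTED_BRANCHES = ("12.1", "11.2", "11.1", "10.2")

# Fixed maintenance release per branch. Left empty on purpose: the page does
# not state them, so fill this dict from the vendor advisory before use,
# e.g. FIXED_VERSIONS["11.1"] = "<fixed release from advisory>".
FIXED_VERSIONS = {}

# PAN-OS version strings look like 11.1.4 or 11.1.4-h2 (maintenance + hotfix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'11.1.4-h2' -> (11, 1, 4, 2); a missing hotfix suffix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def branch_of(version):
    """'11.1.4-h2' -> '11.1'."""
    major, minor = parse_version(version)[:2]
    return f"{major}.{minor}"


def sw_version_from_system_info(xml_text):
    """Pull <sw-version> out of a 'show system info' API response."""
    node = ET.fromstring(xml_text).find(".//sw-version")
    if node is None or not node.text:
        raise ValueError("no <sw-version> element in response")
    return node.text.strip()


def portal_enabled(config_xml):
    """True if any vsys has the Authentication (Captive) Portal switched on.

    Assumption: the flag is <enable-captive-portal> under each vsys entry's
    <captive-portal> node; confirm the path against your own exported config.
    """
    for node in ET.fromstring(config_xml).iter("enable-captive-portal"):
        if (node.text or "").strip().lower() == "yes":
            return True
    return False


def classify(version, portal_on, fixed=None):
    """Return one of: not-in-listed-branch, patched, vulnerable-exposed,
    vulnerable-portal-disabled. A device on an affected branch with no known
    fixed release is reported as vulnerable, never silently as patched."""
    fixed = FIXED_VERSIONS if fixed is None else fixed
    branch = branch_of(version)
    if branch not in AFFECTED_BRANCHES:
        return "not-in-listed-branch"
    fixed_release = fixed.get(branch)
    if fixed_release and parse_version(version) >= parse_version(fixed_release):
        return "patched"
    return "vulnerable-exposed" if portal_on else "vulnerable-portal-disabled"


def triage_device(system_info_xml, config_xml, fixed=None):
    """Combine version and portal state into one triage record."""
    version = sw_version_from_system_info(system_info_xml)
    portal_on = portal_enabled(config_xml)
    return {
        "version": version,
        "portal_enabled": portal_on,
        "status": classify(version, portal_on, fixed),
    }


# Constructed sample responses: the shape follows the PAN-OS XML API, the
# hostname and version values are invented for this example.
SAMPLE_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname>
<sw-version>11.1.4-h2</sw-version>
</system></result></response>"""

SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><captive-portal>
<enable-captive-portal>yes</enable-captive-portal>
</captive-portal></entry></vsys></entry></devices></config>"""

if __name__ == "__main__":
    print(triage_device(SAMPLE_SYSTEM_INFO, SAMPLE_CONFIG))
```

Run it against each device's API output (or a Panorama export) and sort on the status field: vulnerable-exposed devices go into the emergency window first, vulnerable-portal-disabled devices are still upgraded, and anything reported as patched should be spot-checked by hand once you have entered the fixed releases from the advisory.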

Immediate Mitigations and Workarounds

If immediate patching is not possible, the following workarounds must be implemented to reduce the attack surface:

  • Restrict Access: Modify security policies to ensure that the User-ID Authentication Portal is only accessible from trusted, internal IP addresses. Do not allow access from the untrusted/internet zone.
  • Disable the Service: If the Captive Portal functionality is not strictly required for business operations, disable the User-ID Authentication Portal entirely until a patch can be applied.
  • Apply Best Practices: Follow the Palo Alto Networks Best Practice Guidelines for securing administrative and authentication interfaces.

Security Best Practices for PAN-OS Resilience

To defend against CWE-787 and similar memory corruption vulnerabilities in the future, organizations should adopt the following defensive posture:

  1. Micro-Segmentation: Isolate the Captive Portal service to specific zones and restrict which user segments can communicate with it.
  2. Zero Trust Implementation: Do not rely on a single firewall for all security. Use internal host-based protection and identity-based access controls to limit the blast radius if an appliance is compromised.
  3. Aggressive Ingress Filtering: Use GlobalProtect and other VPN services with multi-factor authentication (MFA) to ensure that only authenticated users can reach sensitive network services.
  4. Enhanced Logging and Monitoring: Enable detailed logging for the Captive Portal service and monitor for unusual crashes or restarts, which may indicate failed exploitation attempts.
  5. Vulnerability Management Automation: Implement tools that automatically alert on CISA KEV updates to reduce the time between disclosure and remediation.