Palo Alto Networks has warned that CVE-2026-0300, a critical PAN-OS buffer overflow, is already being exploited against exposed User-ID Authentication Portal deployments. The flaw sits in the User-ID Authentication Portal, also known as Captive Portal, and can let an unauthenticated attacker run code as root on affected PA-Series and VM-Series firewalls.
The useful question is not only whether a firewall runs a vulnerable PAN-OS branch. The urgent question is whether the portal is actually reachable from an untrusted path. Palo Alto says exposure requires two things at the same time: User-ID Authentication Portal must be enabled, and an interface management profile with Response Pages enabled must be attached to an external or internet-accessible Layer 3 interface. That distinction helps separate appliances that need scheduled patch tracking from appliances that need a configuration change immediately.
Root execution on a firewall is different from compromise of an ordinary server. A perimeter device can hold routing context, security policy, authentication flows, VPN-adjacent visibility, and logs that defenders depend on. Even if the attacker does not automatically gain access to every internal system, control of the firewall can become a privileged foothold for traffic manipulation, further reconnaissance, or hiding follow-on activity.
Affected branches include PAN-OS 12.1, 11.2, 11.1, and 10.2 when the vulnerable configuration is present. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this CVE. Palo Alto lists fixes across multiple release trains, with staged ETAs beginning May 13, 2026, so teams should map each firewall to its exact branch instead of waiting for a single universal patch date.
This is part of a larger pattern: edge security appliances are being treated as high-value access brokers. Gridinsoft has previously covered an exploited PAN-OS command injection flaw and a separate Palo Alto Expedition exploitation warning. The common lesson is that “security infrastructure” still needs the same exposure review as any internet-facing application.
Exposure triage before patches land
Start with configuration, not the CVSS score. Check Device > User Identification > Authentication Portal Settings to confirm whether Authentication Portal is enabled. Then check Network > Interface > Advanced > Management Interface Profile on interfaces that can receive untrusted traffic. If Response Pages are enabled there, the safer interim move is to remove that exposure: restrict the portal to trusted internal zones and disable Response Pages on untrusted Layer 3 interfaces.
For appliances that were reachable from the internet, treat the change as incident triage rather than simple hardening. Preserve relevant traffic, system, and configuration logs before rotating too much state; review unusual portal hits and configuration changes; and prioritize upgrades by branch as the fixed builds become available. If the portal was never exposed to untrusted traffic, the patch still matters, but the immediate risk profile is materially lower than for an exposed Captive Portal.
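The two-condition exposure rule above (portal enabled AND a Response Pages management profile attached to a Layer 3 interface in an untrusted zone) is easy to apply to one firewall in the GUI but tedious across a fleet. The script below is an added example, not Palo Alto Networks code, that runs the same check over an exported PAN-OS configuration. The XML paths it reads (captive-portal/enable-captive-portal, interface-management-profile/entry/response-pages, interface entries with interface-management-profile, zone/entry/network/layer3/member) are assumptions about the running-config export layout and should be confirmed against a real export; the embedded configuration is constructed for the example, and which zone names count as untrusted is supplied by the operator.

```python
"""Exposure triage for CVE-2026-0300 from an exported PAN-OS configuration.

Added example (not Palo Alto Networks code). The XML element paths used
below are ASSUMPTIONS about the running-config export format; verify
them against an export from your own appliance before relying on output.
"""
import xml.etree.ElementTree as ET

# Affected release trains as reported in the advisory summary above.
AFFECTED_BRANCHES = ("12.1", "11.2", "11.1", "10.2")

# Constructed sample configuration (not from a real device). ethernet1/1 sits
# in the untrust zone with a profile that has Response Pages enabled, so it is
# the one interface that should be flagged.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <network>
    <profiles><interface-management-profile>
      <entry name="allow-portal"><response-pages>yes</response-pages><ping>yes</ping></entry>
      <entry name="ping-only"><ping>yes</ping></entry>
    </interface-management-profile></profiles>
    <interface><ethernet>
      <entry name="ethernet1/1"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
      <entry name="ethernet1/2"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
      <entry name="ethernet1/3"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
    </ethernet></interface>
  </network>
  <vsys><entry name="vsys1">
    <zone>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member><member>ethernet1/3</member></layer3></network></entry>
    </zone>
    <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
  </entry></vsys>
</entry></devices></config>"""


def _text(el):
    """Normalised text of an element, or '' when the element is absent."""
    return (el.text or "").strip().lower() if el is not None else ""


def is_affected_branch(version):
    """True when the PAN-OS version string belongs to a listed branch (10.2.x etc.)."""
    return any(version == b or version.startswith(b + ".") for b in AFFECTED_BRANCHES)


def portal_enabled(root):
    """Authentication (Captive) Portal toggle. ASSUMED path."""
    return _text(root.find(".//captive-portal/enable-captive-portal")) == "yes"


def response_page_profiles(root):
    """Names of interface management profiles with Response Pages enabled. ASSUMED path."""
    return {
        p.get("name")
        for p in root.findall(".//interface-management-profile/entry")
        if _text(p.find("response-pages")) == "yes"
    }


def layer3_interface_profiles(root):
    """Map interface name -> attached management profile name. ASSUMED paths."""
    mapping = {}
    for iface in root.findall(".//network/interface//entry"):
        prof = iface.find("layer3/interface-management-profile")  # parent interface
        if prof is None:
            prof = iface.find("interface-management-profile")     # subinterface unit
        if prof is not None and _text(prof):
            mapping[iface.get("name")] = prof.text.strip()
    return mapping


def interface_zones(root):
    """Map interface name -> zone name from zone membership lists. ASSUMED path."""
    zone_of = {}
    for zone in root.findall(".//zone/entry"):
        for member in zone.findall("network/layer3/member"):
            zone_of[member.text.strip()] = zone.get("name")
    return zone_of


def triage(config_xml, untrusted_zones, pan_os_version):
    """Apply the two-condition exposure rule and return a triage verdict."""
    root = ET.fromstring(config_xml)
    enabled = portal_enabled(root)
    rp_profiles = response_page_profiles(root)
    zone_of = interface_zones(root)
    # Interfaces carrying a Response Pages profile in a zone the operator calls untrusted.
    exposed = sorted(
        iface for iface, prof in layer3_interface_profiles(root).items()
        if prof in rp_profiles and zone_of.get(iface) in untrusted_zones
    )
    if not is_affected_branch(pan_os_version):
        verdict = "not-in-affected-branch"
    elif enabled and exposed:
        verdict = "reconfigure-now"      # both conditions hold: change config, then treat as incident triage
    else:
        verdict = "patch-by-branch"      # vulnerable build but portal not reachable from untrusted path
    return {"portal_enabled": enabled, "exposed_interfaces": exposed, "verdict": verdict}


if __name__ == "__main__":
    print(triage(SAMPLE_CONFIG, {"untrust"}, "11.2.3"))
```

Run it against `show config running` output saved as XML, with the zone names your network treats as untrusted. An interface appears in exposed_interfaces whenever a Response Pages profile is attached to it in such a zone, even when the portal is currently disabled, so the output doubles as the list of interfaces to clean up during the interim configuration change.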
References
- Palo Alto Networks Security Advisory: CVE-2026-0300 PAN-OS User-ID Authentication Portal buffer overflow. Published May 5, 2026; updated May 6, 2026.
Update: Palo Alto Networks later confirmed exploitation of a separate GlobalProtect authentication bypass, PAN-OS CVE-2026-0257, so exposed VPN portals should be checked for both patch level and suspicious sessions.