Critical Unauthenticated Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)
Palo Alto Networks has disclosed a critical unauthenticated buffer overflow vulnerability (CVE-2026-0300, CVSS 9.3) in the PAN-OS User-ID Authentication Portal that is already being exploited in the wild by a state-sponsored threat cluster.

Palo Alto Networks disclosed a critical unauthenticated buffer overflow vulnerability on May 6, 2026, tracked as CVE-2026-0300, affecting the User-ID Authentication Portal (also known as Captive Portal) in PAN-OS. The vulnerability carries a CVSSv4 score of 9.3 and allows an unauthenticated remote attacker to achieve arbitrary code execution with root privileges on affected PA-Series and VM-Series firewall appliances. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
The flaw is a buffer overflow (CWE-787) in the User-ID Authentication Portal, a non-default PAN-OS feature that maps IP addresses to usernames. An attacker can exploit the vulnerability by sending specially crafted packets to a device with the Authentication Portal enabled, requiring no authentication or user interaction. Palo Alto Networks has confirmed limited exploitation in the wild targeting Authentication Portals exposed to untrusted IP addresses or the public internet.
Palo Alto Networks Unit 42 attributed the observed exploitation to CL-STA-1132, a likely state-sponsored threat cluster. Following initial compromise, the threat actors deployed open-source tunneling tools and conducted Active Directory enumeration, indicating a sophisticated espionage or lateral movement campaign. On May 6, 2026, CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog based on evidence of active exploitation.
PAN-OS is among the most widely deployed enterprise firewall operating systems globally. Shodan identifies approximately 225,000 internet-facing PAN-OS instances, representing a significant attack surface. Organizations running affected versions with the User-ID Authentication Portal enabled are at immediate risk and should apply available workarounds without delay.
Patches began rolling out on May 13, 2026, with additional releases scheduled through May 28, 2026. Affected versions include PAN-OS 12.1 (below 12.1.4-h5), 11.2 (multiple branches), 11.1 (multiple branches), and 10.2 (multiple branches). Fixed versions are listed in the vendor advisory. Until patches are fully available, Palo Alto Networks recommends restricting User-ID Authentication Portal access to trusted internal zones or disabling the feature entirely if not required.
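The patch schedule above means that for several weeks some branches are fixed and others are not, so the practical question for a defender is "is this device below the first fixed release on its branch, and is the Authentication Portal turned on?" The following added example (not code from Rapid7 or Palo Alto Networks) parses PAN-OS version strings, compares them against a per-branch fix table and triages a constructed inventory. Only the 12.1.4-h5 fix value is taken from the text; the entries for the 11.2, 11.1 and 10.2 branches are placeholders to be filled from the vendor advisory, and the `-hN` hotfix naming is assumed from that one quoted version string. Hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import NamedTuple, Optional


class PanosVersion(NamedTuple):
    """PAN-OS version as (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    major: int
    minor: int
    maint: int
    hotfix: int


# Matches "12.1.4" or "12.1.4-h5". The "-hN" hotfix suffix format is assumed from
# the fixed version quoted in the advisory text (12.1.4-h5).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanosVersion:
    """Parse a PAN-OS version string; raises ValueError on anything unexpected."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# First fixed release per branch. Only the 12.1 entry comes from the advisory text
# above; the other branches are PLACEHOLDERS (None) to be filled in from the vendor
# advisory before this table is relied on.
FIXED_VERSIONS = {
    (12, 1): "12.1.4-h5",
    (11, 2): None,  # placeholder: fixed version per vendor advisory
    (11, 1): None,  # placeholder
    (10, 2): None,  # placeholder
}


def is_below_fix(version: str) -> Optional[bool]:
    """True if version is older than its branch's fixed release, False if at or
    above it, None if the fixed version for that branch is not in the table."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get((v.major, v.minor))
    if fixed is None:
        return None
    # Tuple comparison orders by major, minor, maintenance, then hotfix number,
    # so 12.1.4 (hotfix 0) correctly sorts below 12.1.4-h5.
    return v < parse_version(fixed)


def assess(version: str, portal_enabled: bool) -> str:
    """Classify one device for CVE-2026-0300 exposure."""
    below = is_below_fix(version)
    if below is None:
        return "unknown-branch"          # consult the vendor advisory
    if not below:
        return "fixed"
    # Still vulnerable code, but the advisory ties exploitation to the portal being on.
    return "vulnerable-exposed" if portal_enabled else "vulnerable-feature-disabled"


# Constructed sample inventory (not real devices):
# (hostname, PAN-OS version, User-ID Authentication Portal enabled?)
SAMPLE_INVENTORY = [
    ("fw-edge-01", "12.1.3-h2", True),
    ("fw-edge-02", "12.1.4-h5", True),
    ("fw-lab-01", "12.1.4", False),
    ("fw-dc-01", "11.2.6", True),
]


def triage(inventory=SAMPLE_INVENTORY):
    """Return {hostname: assessment} for an inventory list."""
    return {host: assess(ver, portal) for host, ver, portal in inventory}


if __name__ == "__main__":
    for host, status in triage().items():
        print(f"{host:12} {status}")
```

Devices reported as `vulnerable-exposed` are the ones the workaround (restricting the portal to trusted zones or disabling it) should be applied to first; `vulnerable-feature-disabled` devices still need the patch but are not reachable through the exploited component. Since the text notes that 11.2, 11.1 and 10.2 each have multiple affected branches with their own fixes, the `(major, minor)` key may be too coarse for those releases and the table should be keyed per maintenance branch once the vendor's fixed versions are entered.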
Rapid7 strongly urges all organizations running affected PAN-OS versions with the User-ID Authentication Portal enabled to apply the recommended workarounds immediately and prioritize patching as soon as fixed versions become available. Rapid7 customers can assess exposure using authenticated vulnerability checks available in the May 6, 2026 content release.
This vulnerability underscores the critical risk posed by non-default features exposed to untrusted networks, particularly in widely deployed infrastructure appliances. The confirmed state-sponsored exploitation and CISA KEV inclusion elevate CVE-2026-0300 to a top-priority patching event for enterprise security teams.
CISA has now published an advisory confirming that Siemens RUGGEDCOM APE1808 devices are also affected by CVE-2026-0300 because they incorporate the vulnerable PAN-OS software. Siemens recommends disabling Response Pages and the User-ID Authentication Portal, restricting access to trusted IPs, and contacting support for patches, as fix versions are still being prepared.