Palo Alto PAN-OS Zero-Day CVE-2026-0300: No-Auth RCE, Patch Now
Quick summary
Palo Alto CVE-2026-0300 is a CVSS 9.3 unauthenticated RCE actively exploited on PA-Series and VM-Series firewalls. CISA KEV since May 6. What it does and how to patch.
Palo Alto Networks began rolling out patches today (May 13, 2026) for CVE-2026-0300, a CVSS 9.3 unauthenticated remote code execution vulnerability in PAN-OS. In-the-wild exploitation was confirmed by May 6, when CISA added the CVE to the Known Exploited Vulnerabilities catalog. The full patch window runs through May 28, so your organisation may not receive the update automatically until later this month, depending on your PAN-OS release track and support tier.
CVE-2026-0300 requires no credentials. An attacker who can reach your firewall's User-ID Authentication Portal (Captive Portal) over the network can trigger the vulnerability with a single crafted HTTP request. The result is root-level code execution on the firewall itself.
What the Vulnerability Does
CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal service, the component PAN-OS uses to serve Captive Portal login pages for user identity mapping. The service runs on the management plane of PA-Series hardware and VM-Series virtual firewalls, and it answers on any interface whose Interface Management Profile has Response Pages enabled, which is what turns an internet-facing interface into attack surface.
A specially crafted HTTP request to the Captive Portal endpoint overflows a fixed-size buffer in the authentication handler. The overflow overwrites adjacent memory including a function return address. With a carefully structured payload, the attacker controls the instruction pointer and achieves code execution in the context of the authentication portal service process, which runs with root privileges.
No prior authentication and no user interaction are required. The attacker needs only network reachability to the Captive Portal port on an affected interface (by default TCP 6080-6082 on PAN-OS).
Affected Products
- PA-Series hardware firewalls: All models running PAN-OS 11.x and 10.2.x with User-ID Authentication Portal enabled
- VM-Series virtual firewalls: Same PAN-OS version scope
- CN-Series (container firewalls): Affected on the same PAN-OS versions
Not affected:
- Prisma Access (cloud-managed; Palo Alto patched the backend without customer action required)
- Cloud NGFW (managed service; same)
- Panorama management servers (not a Captive Portal host)
- PA-Series and VM-Series with Captive Portal disabled (mitigation path — details below)
Check your PAN-OS version: from the CLI, run show system info | match sw-version. Patched versions are being released on the 11.1, 11.0 and 10.2 branches starting today (dates are in the patch timeline below). A major release older than 10.2 is end-of-life and will not get a fix; see the timeline section for what that means.
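Added example (not Palo Alto Networks tooling and not code from this page): a small Python helper that reads the sw-version line out of show system info output and classifies the firewall into the states this section and the patch timeline describe. The first fixed build per branch is not published on this page, so FIXED_BY_BRANCH holds obvious placeholders that you must replace with the values from the vendor advisory; the sample CLI output is constructed.

```python
import re
from typing import Dict, Tuple

# PAN-OS version tuple: (major, minor, maintenance, hotfix). "10.2.7-h3" -> (10, 2, 7, 3)
Version = Tuple[int, int, int, int]

# PLACEHOLDER ASSUMPTION: the first fixed build per branch is not given on this
# page. Replace these with the values from the Palo Alto Networks advisory.
FIXED_BY_BRANCH: Dict[str, str] = {
    "11.1": "11.1.999",
    "10.2": "10.2.999",
}

# Per the article, any major release older than 10.2 is end-of-life and gets no backport.
OLDEST_SUPPORTED = (10, 2)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Version:
    """Parse 'major.minor.maint' with an optional '-hN' hotfix suffix."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def version_from_cli(output: str) -> Version:
    """Extract sw-version from `show system info` (or `| match sw-version`) output."""
    m = re.search(r"sw-version:\s*(\S+)", output)
    if not m:
        raise ValueError("no sw-version line found in CLI output")
    return parse_version(m.group(1))


def classify(version: Version, captive_portal_enabled: bool = True,
             fixed_by_branch: Dict[str, str] = FIXED_BY_BRANCH) -> str:
    """Map a version to an action for CVE-2026-0300.

    Returns one of:
      eol-upgrade-required        major release older than 10.2; no backport
      mitigated-by-config         Captive Portal disabled; patch in the normal window
      patched                     running a build at or above the fixed build
      vulnerable-patch-available  fixed build exists on this branch; patch now
      vulnerable-no-fix-listed    supported branch but no fixed build configured
    """
    if version[:2] < OLDEST_SUPPORTED:
        return "eol-upgrade-required"
    if not captive_portal_enabled:
        return "mitigated-by-config"
    branch = f"{version[0]}.{version[1]}"
    fixed = fixed_by_branch.get(branch)
    if fixed is None:
        return "vulnerable-no-fix-listed"
    if version >= parse_version(fixed):
        return "patched"
    return "vulnerable-patch-available"


# Constructed sample of `show system info` output (not real device output).
SAMPLE_CLI_OUTPUT = """hostname: fw-edge-01
serial: 000000000000
sw-version: 10.2.7-h3
app-version: 8900-9000
"""

if __name__ == "__main__":
    v = version_from_cli(SAMPLE_CLI_OUTPUT)
    label = ".".join(map(str, v[:3])) + (f"-h{v[3]}" if v[3] else "")
    print(label, "->", classify(v))
```

With the placeholders left in place every supported build reports vulnerable-patch-available, which is the safe default until you enter the real fixed builds; the hotfix number is part of the comparison because Palo Alto Networks often ships fixes as -hN hotfix builds on an existing maintenance release.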
Active Exploitation: What Attackers Are Doing
CISA added CVE-2026-0300 to KEV on May 6, citing "limited but confirmed exploitation." The exploitation profile, according to telemetry from Rapid7 and Palo Alto Networks Unit 42:
The initial exploitation wave was opportunistic scanning — automated tools probing for internet-exposed Captive Portal endpoints and attempting the buffer overflow. The payloads observed were simple reverse shell drops, not sophisticated post-exploitation frameworks. This suggests a lower-sophistication actor or an initial access broker running at scale.
The concern is what comes second. Once CVE-2026-0300 is confirmed to produce reliable root access on PA-Series firewalls, more sophisticated actors will follow. A compromised edge firewall is a high-value pivot point: the attacker controls your traffic inspection, your NAT rules, your VPN termination, and your syslog output. The second-stage exploitation from this initial access is often months later, after the initial scanner moves on and a buyer picks up the shell.
Immediate Workaround (Before Patch)
If you cannot patch before your update window arrives, the workaround is to restrict User-ID Authentication Portal access to trusted internal zones only, removing it from any internet-facing interface.
In the local firewall GUI (or the Panorama template that manages it): the portal's own settings live under Device > User Identification > Authentication Portal Settings (labelled Captive Portal Settings on older releases). Whether a given interface answers Captive Portal requests at all is controlled by the Interface Management Profile attached to it. Profiles are defined under Network > Network Profiles > Interface Mgmt and attached to an interface under Network > Interfaces (Advanced tab). For every interface that sits in an internet-facing zone, make sure the attached profile has "Response Pages" unchecked, then commit. This stops the Captive Portal service from responding to requests on those interfaces. One caveat: the same Response Pages setting also serves URL Filtering and File Blocking block pages on that interface, so clients behind it will no longer see those pages either; on an external interface that is normally acceptable.
The CLI equivalent given for this workaround:
set deviceconfig system captive-portal disabled. This disables the service globally and is only appropriate if User-ID Captive Portal is not required for your deployment. Confirm the syntax on your release with the CLI's ? completion before you commit.
If you use Captive Portal for internal user identity mapping (common in campus and large enterprise deployments), restricting to the internal zone still protects the external-facing attack surface while preserving the functionality.
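To find the interfaces the workaround applies to, here is an added audit script (my own example, not Palo Alto Networks code and not from this page). It reads a PAN-OS running-configuration XML export and lists every interface that sits in a zone you consider untrusted and carries an Interface Management Profile with Response Pages enabled. The element paths (interface-management-profile entries under network/profiles with a response-pages yes/no child, profiles attached under layer3 or layer3/units, zone membership under vsys/zone) are my understanding of the export layout; verify them against your own export before relying on the result. Panorama templates, aggregate-ethernet, VLAN and tunnel interfaces are not covered. The sample configuration is constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set, Tuple

Finding = Tuple[str, str, str]  # (interface, zone, interface-management-profile)


def _profiles_with_response_pages(root: ET.Element) -> Set[str]:
    """Names of Interface Management Profiles where Response Pages is enabled."""
    names: Set[str] = set()
    for entry in root.iterfind("./devices/entry/network/profiles/interface-management-profile/entry"):
        if (entry.findtext("response-pages") or "no").strip().lower() == "yes":
            names.add(entry.get("name"))
    return names


def _interface_profiles(root: ET.Element) -> Dict[str, str]:
    """Map interface name -> attached profile for ethernet ports and their L3 subinterfaces."""
    attached: Dict[str, str] = {}
    for eth in root.iterfind("./devices/entry/network/interface/ethernet/entry"):
        prof = eth.findtext("layer3/interface-management-profile")
        if prof:
            attached[eth.get("name")] = prof.strip()
        for unit in eth.iterfind("layer3/units/entry"):
            prof = unit.findtext("interface-management-profile")
            if prof:
                attached[unit.get("name")] = prof.strip()
    return attached


def _interface_zones(root: ET.Element) -> Dict[str, str]:
    """Map interface name -> zone name, across all vsys."""
    zones: Dict[str, str] = {}
    for zone in root.iterfind("./devices/entry/vsys/entry/zone/entry"):
        for member in zone.iterfind("network/layer3/member"):
            if member.text:
                zones[member.text.strip()] = zone.get("name")
    return zones


def find_response_page_exposure(config_xml: str, untrusted_zones: Iterable[str]) -> List[Finding]:
    """Interfaces in an untrusted zone whose management profile answers Response Pages.

    Each hit is an interface on which the Captive Portal is reachable from that zone,
    so its profile must change (or the interface move) until the firewall is patched.
    """
    untrusted = set(untrusted_zones)
    # Use defusedxml instead if the export comes from a source you do not control.
    root = ET.fromstring(config_xml)
    exposed_profiles = _profiles_with_response_pages(root)
    zone_of = _interface_zones(root)
    findings: List[Finding] = []
    for iface, prof in sorted(_interface_profiles(root).items()):
        zone = zone_of.get(iface, "")
        if prof in exposed_profiles and zone in untrusted:
            findings.append((iface, zone, prof))
    return findings


# Constructed sample in the shape of a PAN-OS running-config export (not a real device).
SAMPLE_CONFIG = """<config version="10.2.0">
  <devices><entry name="localhost.localdomain">
    <network>
      <profiles><interface-management-profile>
        <entry name="allow-resp-pages"><response-pages>yes</response-pages><ping>yes</ping></entry>
        <entry name="ping-only"><ping>yes</ping></entry>
      </interface-management-profile></profiles>
      <interface><ethernet>
        <entry name="ethernet1/1"><layer3>
          <interface-management-profile>allow-resp-pages</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/2"><layer3>
          <interface-management-profile>allow-resp-pages</interface-management-profile>
        </layer3></entry>
        <entry name="ethernet1/3"><layer3><units>
          <entry name="ethernet1/3.100">
            <interface-management-profile>ping-only</interface-management-profile>
          </entry>
        </units></layer3></entry>
        <entry name="ethernet1/4"><layer3><units>
          <entry name="ethernet1/4.10">
            <interface-management-profile>allow-resp-pages</interface-management-profile>
          </entry>
        </units></layer3></entry>
      </ethernet></interface>
    </network>
    <vsys><entry name="vsys1"><zone>
      <entry name="untrust"><network><layer3><member>ethernet1/1</member><member>ethernet1/3.100</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
      <entry name="dmz"><network><layer3><member>ethernet1/4.10</member></layer3></network></entry>
    </zone></entry></vsys>
  </entry></devices>
</config>"""

if __name__ == "__main__":
    for iface, zone, prof in find_response_page_exposure(SAMPLE_CONFIG, {"untrust", "dmz"}):
        print(f"{iface} (zone {zone}) uses profile {prof!r} with Response Pages enabled")
```

Run it against each firewall's export with the set of zones that face the internet or any other network you do not trust. An empty result means no interface in those zones can serve the Captive Portal; a non-empty result is your change list for the workaround, and re-running the script after the commit is the cheapest way to confirm the mitigation actually landed.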
The Patch Timeline
Palo Alto's phased release schedule:
- May 13: PAN-OS 11.1.x and 10.2.x initial patch packages available via the Customer Support Portal
- May 16-18: software updates pushed to Panorama-managed firewalls that use scheduled auto-update
- May 21-28: Extended rollout for legacy maintenance releases
If you are on a major release older than 10.2 (e.g., PAN-OS 9.x or 10.0.x), you are on an unsupported release. Palo Alto Networks is not providing a backport patch for end-of-life releases. You need to upgrade to a supported release to receive the fix.
For customers with critical production firewalls that cannot be rebooted immediately for the patch: the workaround above (restricting Captive Portal to internal interfaces) provides protection while you schedule the maintenance window.
Why This Pattern Keeps Appearing
Palo Alto Networks disclosed CVE-2025-0108 (an authentication bypass in the PAN-OS management web interface) in February 2025 and CVE-2024-3400 (a command injection in PAN-OS GlobalProtect that was exploited in the wild for roughly two weeks before a patch shipped) in April 2024. That makes three critical PAN-OS vulnerabilities in about two years, all in network-reachable management or authentication services.
The pattern reflects a fundamental challenge in network security appliance security: the management and authentication services of a firewall must be accessible to do their job, which makes them attack surface. PAN-OS is under continuous scrutiny because PA-Series firewalls are the dominant choice for enterprise network perimeters. They are also high-value targets — owning the firewall is owning the perimeter.
The lesson for organisations: internet-facing management interfaces and authentication portals on security appliances should be behind additional access controls (jump hosts, out-of-band management networks, IP allowlists) even when the appliance vendor says they are secure. Defense-in-depth around the security appliance itself is not optional.
Key Takeaways
- CVE-2026-0300: PAN-OS CVSS 9.3 unauthenticated RCE; buffer overflow in User-ID Authentication Portal; affects PA-Series, VM-Series, CN-Series on PAN-OS 11.x and 10.2.x; CISA KEV since May 6
- Patch available today: PAN-OS 11.1.x and 10.2.x patches released May 13; full rollout through May 28; Prisma Access and Cloud NGFW already patched by Palo Alto
- Workaround: Disable Captive Portal on internet-facing interfaces; restrict to trusted zones; set deviceconfig system captive-portal disabled if not needed
- Exploitation profile: Opportunistic scanning wave observed; initial access broker activity likely; high-value pivot: firewall owner controls NAT, VPN termination, traffic inspection, syslog
- End-of-life releases: PAN-OS 9.x and 10.0.x receive no backport; upgrade required
- Pattern: Third critical PAN-OS vulnerability in about two years; management and auth services on internet-facing firewalls need additional access controls beyond vendor patch cadence
For the BeyondTrust PAM layer RCE that is also being actively exploited, read CVE-2026-1731: BeyondTrust Pre-Auth RCE, VShell and SparkRAT Deployed. For the ConnectWise ScreenConnect RCE context, read CVE-2026-32202: ConnectWise ScreenConnect RCE — CISA KEV.
Frequently Asked Questions
What is CVE-2026-0300 and which Palo Alto products are affected?
CVE-2026-0300 is a CVSS 9.3 unauthenticated remote code execution vulnerability in PAN-OS, Palo Alto Networks' firewall operating system. A crafted HTTP request to the User-ID Authentication Portal (Captive Portal) triggers a buffer overflow that results in root-level code execution — no credentials required. Affected products are PA-Series hardware firewalls, VM-Series virtual firewalls, and CN-Series container firewalls running PAN-OS 11.x and 10.2.x with Captive Portal enabled. Prisma Access, Cloud NGFW, and Panorama are not affected. CISA added it to the Known Exploited Vulnerabilities catalog on May 6, 2026.
How do I patch CVE-2026-0300 on Palo Alto PAN-OS?
Patches for PAN-OS 11.1.x and 10.2.x became available on May 13, 2026 via the Palo Alto Customer Support Portal. Panorama-managed firewalls on auto-update will receive patches between May 16-28 depending on release track. If you run an end-of-life release (PAN-OS 9.x or 10.0.x), no backport patch is available — you must upgrade to a supported branch. To check your version from the CLI, run show system info | match sw-version. Prisma Access and Cloud NGFW were patched by Palo Alto without customer action required.
What is the workaround for CVE-2026-0300 before patching?
Restrict the User-ID Authentication Portal (Captive Portal) to internal trusted zones only, removing it from any internet-facing interface. In the GUI, edit the Interface Management Profile attached to each external interface (profiles are under Network > Network Profiles > Interface Mgmt and are attached under Network > Interfaces) so that Response Pages is unchecked, then commit. If Captive Portal is not used in your deployment at all, the CLI workaround given in this article is set deviceconfig system captive-portal disabled, which disables the service globally. These steps remove the external attack surface while you schedule a maintenance window for the patch. They are appropriate for a few days, not as a permanent deferral.
Is CVE-2026-0300 being actively exploited?
Yes. CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog on May 6, 2026, citing confirmed in-the-wild exploitation. The observed exploitation pattern is automated opportunistic scanning — tools probing for internet-exposed Captive Portal endpoints and deploying simple reverse shells. The immediate risk is initial access broker activity. The higher-severity longer-term risk is that root access to an edge firewall provides control over NAT, VPN termination, traffic inspection, and log output — making it a high-value pivot point for more sophisticated actors following up weeks or months later.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 952+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 167 countries.
