Palo Alto Networks said on Wednesday that a critical buffer overflow flaw in its PAN-OS software is being exploited in the wild, with the issue affecting PA-Series and VM-Series firewalls that use the User-ID Authentication Portal. The vulnerability, tracked as CVE-2026-0300, carries a CVSS score of 9.3 when the portal is exposed to the internet or other untrusted networks.
KEY FACTS
- Impact: unauthenticated attackers can execute arbitrary code with root privileges.
- Target: PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled.
- Status: Palo Alto Networks said exploitation has been limited and focused on publicly accessible portals.
- Fix: patches are planned to start on May 13, 2026.
The advisory said the flaw can be triggered by specially crafted packets sent to the portal service. The company said the severity falls to 8.7 when access is limited to trusted internal IP addresses.
Impact spans PAN-OS 12.1, 11.2, 11.1 and 10.2 releases before the fixed versions listed in the disclosure. The report said customers who restrict sensitive portals to internal networks face a greatly reduced risk.
In the absence of a patch, the company advised administrators to restrict User-ID Authentication Portal access to trusted zones or disable it entirely if the service is not needed. The issue is described as unpatched for now.
WHY IT MATTERS
The flaw could give attackers full control of exposed firewalls, which can place network traffic and internal systems at risk. Organizations that leave the portal open to untrusted networks have the highest exposure until updates are released.