ZCyberNews

Palo Alto PAN-OS CVE-2026-0300 Attacked via Captive Portal

CVE-2026-0300 is a critical PAN-OS buffer overflow in the User-ID Authentication Portal. Fixed builds are upcoming, so disable or restrict the portal immediately.

Executive Summary

Palo Alto Networks disclosed CVE-2026-0300 on May 5, 2026, a critical buffer overflow vulnerability in the User-ID Authentication Portal, also known as Captive Portal, in PAN-OS. The company says an unauthenticated attacker can send specially crafted packets to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls.

This is not a purely theoretical exposure. Palo Alto Networks marked exploit maturity as "ATTACKED" and said limited exploitation has been observed against User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. The advisory assigns a CVSS 4.0 score of 9.3 and rates the suggested urgency as highest.

The patch timing is the key operational detail. Palo Alto says the issue will be fixed in upcoming PAN-OS releases, with the first listed fixed builds scheduled for May 13, 2026, and additional branches scheduled for May 28, 2026. Until the relevant build is available and installed, the practical mitigation is to disable User-ID Authentication Portal if it is not required, or restrict it to trusted internal zones only.

Prisma Access, Cloud NGFW, and Panorama appliances are not impacted. Exposure is limited to PA-Series and VM-Series firewalls configured to use User-ID Authentication Portal.

Technical Analysis

CVE-2026-0300 is an out-of-bounds write issue, mapped by Palo Alto Networks to CWE-787. Because the vulnerable service can be reached over the network and exploitation requires no authentication or user interaction, internet-facing portals represent the highest-risk deployment pattern.

The vulnerable component is the User-ID Authentication Portal service. In typical deployments, this portal helps identify users for policy enforcement when the firewall needs explicit authentication. Palo Alto Networks says the issue applies only when the portal is enabled, which administrators can check under Device > User Identification > Authentication Portal Settings > Enable Authentication Portal.

The affected PAN-OS release trains are 12.1, 11.2, 11.1, and 10.2. Palo Alto's advisory lists multiple affected maintenance branches, with fixed builds planned across May 13 and May 28, 2026. As of May 6, 2026, the most important operational point is that the vendor's table lists upcoming fixed releases rather than a simple "upgrade now" version for every supported branch. Teams should not wait passively for the patch window if the portal is reachable from an untrusted network.

Affected version ranges include:

  • PAN-OS 12.1 versions before 12.1.4-h5 and before 12.1.7.
  • PAN-OS 11.2 versions before 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12.
  • PAN-OS 11.1 versions before 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15.
  • PAN-OS 10.2 versions before 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6.
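As an added example (not code from the advisory or from this article), a small Python helper that encodes the fixed builds listed above and classifies inventory entries. It assumes the advisory's usual table reading: a plain build such as 12.1.7 fixes that maintenance release and every later one in the train, while a hotfix build such as 11.1.4-h33 fixes only 11.1.4 at that hotfix and above.

```python
import re
from typing import Tuple

# Fixed builds per release train, as listed in the article. A build with no
# hotfix ("12.1.7") is assumed to cover that maintenance release and all later
# ones; a hotfix build ("11.1.4-h33") only covers that exact maintenance
# release at hotfix >= 33. That reading of the table is an assumption.
FIXED_BUILDS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
             "10.2.18-h6"],
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(v: str) -> Tuple[int, int, int, int]:
    """'11.1.4-h33' -> (11, 1, 4, 33); a build without a hotfix gets hotfix 0."""
    m = _VER.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def assess(version: str, portal_enabled: bool) -> str:
    """Return 'unlisted_train', 'not_exposed', 'fixed' or 'vulnerable'."""
    major, minor, maint, hotfix = parse_version(version)
    train = f"{major}.{minor}"
    if train not in FIXED_BUILDS:
        return "unlisted_train"   # e.g. 10.1: not in the advisory's affected trains
    if not portal_enabled:
        return "not_exposed"      # issue applies only with Authentication Portal on
    for fixed in FIXED_BUILDS[train]:
        _, _, f_maint, f_hotfix = parse_version(fixed)
        if f_hotfix == 0 and maint >= f_maint:
            return "fixed"        # at or past the first plain fixed release
        if f_hotfix and maint == f_maint and hotfix >= f_hotfix:
            return "fixed"        # fixed hotfix on that exact maintenance release
    return "vulnerable"           # no fixed build covers this version yet

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    inventory = [("fw-dmz-1", "11.1.4-h30", True), ("fw-core-1", "11.1.4-h33", True),
                 ("fw-lab-1", "12.1.5", False), ("fw-branch-2", "12.1.8", True)]
    for name, ver, portal in inventory:
        print(f"{name:12} {ver:12} {assess(ver, portal)}")
```

Entries classified "vulnerable" with the portal enabled are the ones to disable or zone-restrict first, in line with the mitigations below; "fixed" here only means the running build is at or past a listed fixed build, not that the device has been reviewed for prior compromise.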

Palo Alto Networks also notes that Threat Prevention signatures would be made available to customers running PAN-OS 11.1 and later by May 5, 2026. That control should be treated as defense-in-depth, not a substitute for removing public exposure or applying fixed PAN-OS versions when they become available.

Mitigations & Recommendations

Organizations should first determine whether User-ID Authentication Portal is enabled on any PA-Series or VM-Series firewall. If it is enabled, identify whether the portal is reachable from the public internet, partner networks, guest networks, or any other untrusted zone.

Priority actions:

  • Disable User-ID Authentication Portal if the feature is not required. This is the cleanest immediate mitigation while fixed PAN-OS releases are still pending.
  • If the feature must remain enabled, restrict User-ID Authentication Portal access to trusted internal IP addresses and trusted zones only.
  • Review firewall and upstream logs for unexpected traffic to the portal from untrusted sources.
  • Apply Palo Alto Threat Prevention signatures on PAN-OS 11.1 and later where available.
  • Track the vendor advisory for the fixed PAN-OS builds scheduled across May 2026 and plan emergency maintenance once the relevant branch is released.

Because limited exploitation has already been observed, any internet-exposed portal should be treated as high risk. Security teams should check for unusual administrative activity, new or modified accounts, unexpected configuration changes, and signs of post-exploitation activity on adjacent systems.
