
CVE-2026-0300: Palo Alto PAN-OS Captive Portal Buffer Overflow (Active Zero-Day)


Rodrigo Garcia

· Updated May 11, 2026

Updated May 11, 2026. NVD has completed analysis and assigned a CVSS v3.1 score of 9.8 Critical alongside Palo Alto’s CNA CVSS v4 9.3. EPSS scoring is now available, placing the CVE at the 90th percentile (5.29% probability).

What Is CVE-2026-0300?

CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal, the service better known as the PAN-OS Captive Portal, that lets an unauthenticated remote attacker execute arbitrary code with root privileges on Palo Alto Networks PA-Series and VM-Series firewalls. The exploit is a network packet. There is no credential to steal, no link to click, no operator action required.

The Authentication Portal is the in-line web component PAN-OS exposes when an organization wants its firewall to identify users by browser challenge instead of by AD agent or terminal-services agent. It is commonly enabled where firewalls front internet-facing user populations, and it is exactly the kind of feature that is left turned on after a pilot and forgotten. The portal listens on the L3 interface where Response Pages are enabled, and any zone from which a sender can reach that interface is in scope for this exploit.

The weakness is classified as CWE-787: Out-of-bounds Write. Palo Alto’s advisory marks the issue at the highest urgency tier (“Red”) and reports the exploitation status as Attacked, the CVSS v4 value reserved for vulnerabilities with confirmed in-the-wild abuse. The vendor’s own description of the activity is “limited exploitation has been observed targeting Palo Alto Networks User-ID Authentication Portals that are exposed to untrusted IP addresses and/or the public internet.” CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog the day after disclosure with a three-day remediation deadline.

Prisma Access, Cloud NGFW, and Panorama are not affected. This is a PAN-OS firewall issue specifically.

At a glance:

  • CVSS v4: 9.3 Critical
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • EPSS: 5.3% (90th percentile)
  • KEV listed: Yes
  • Affected: PAN-OS PA-Series and VM-Series firewalls
  • Sources: NVD, MITRE, EPSS, KEV

How Serious Is It?

CVSS Score

Palo Alto’s PSIRT scored CVE-2026-0300 at 9.3 Critical on the CVSS v4.0 scale. NVD has since completed analysis and scored the issue 9.8 Critical on CVSS v3.1, with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The two scores tell a consistent story; the difference comes from CVSS v4 weighing scope and threat intelligence signals differently than CVSS v3. Both feeds agree the vulnerability is network-reachable, unauthenticated, and yields full Confidentiality, Integrity, and Availability impact.

The vector decomposes to a worst-case scenario for a network-edge device:

  • Attack Vector: Network. The exploit travels over the same network the firewall is filtering.
  • Attack Complexity: Low. No race condition, no preconfiguration, no authentication requirement to bypass.
  • Privileges Required: None. The portal is reachable before any user is authenticated.
  • User Interaction: None. No phishing or click-through required.
  • Confidentiality, Integrity, Availability impact: High. Code executes as root on the firewall data plane.
  • Exploitation: A (Attacked). The CVSS v4 environmental signal that the vendor has observed real exploitation. This is the upgrade path that pushes the v4 score from 9.0 to 9.3.

Full vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A.


Exploitation Probability

EPSS has scored CVE-2026-0300 at 5.29% probability, 90th percentile. The raw 5.29 percent represents EPSS’s estimate of in-the-wild exploitation within the next 30 days; the percentile says this CVE ranks higher than 90 percent of all scored CVEs. EPSS modeling typically lags initial disclosure by a few days, and the percentile will likely climb further as scanning activity and PoC publication signals accumulate. The SSVC exploitation status is already active and CISA’s KEV deadline has come and gone, so the “is this being exploited?” question was answered before EPSS caught up; treat the EPSS number as confirmation rather than as new information.


Active Exploitation

CVE-2026-0300 is in the CISA Known Exploited Vulnerabilities catalog, added on May 6, 2026 with a remediation deadline of May 9, 2026. CISA’s KEV entry, titled “Palo Alto Networks PAN-OS Out-of-bounds Write Vulnerability”, describes the same primitive: unauthenticated code execution as root via specially crafted packets to the User-ID Authentication Portal.

CISA Known Exploited Vulnerability entry:

This vulnerability is actively exploited in the wild. Federal agencies must remediate by the due date below.

  • Added to catalog: May 6, 2026
  • Remediation due: May 9, 2026 (federal agency deadline)
  • Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, restrict User-ID Authentication Portal access to only trusted zones, or disable the User-ID Authentication Portal if not required.

SSVC assessment from the CISA ADP enrichment:

  • Exploitation: active (confirmed in-the-wild)
  • Technical Impact: total (root on the firewall data plane)
  • Provider Urgency: Red (Palo Alto’s highest tier)

Public PoC code has not been confirmed at the time of writing. Searches against ExploitDB, the major PoC-aggregation GitHub repos, and the usual rapid-reaction publishers (watchTowr, Horizon3, Project Discovery) returned no weaponized code for CVE-2026-0300. Given the simplicity of the primitive (an unauthenticated network packet that triggers an out-of-bounds write) and the public availability of the vendor advisory, treat the absence of a public exploit as a 24-to-72-hour window, not a defensive posture.

For internet exposure context, the Shadowserver Foundation tracks roughly 5,800 PAN-OS VM-Series firewalls reachable from the public internet (about 2,466 in Asia and 1,998 in North America). That is the broader VM-Series surface, not Captive-Portal-specific; the population of firewalls actually exposing the User-ID Authentication Portal to untrusted networks is a subset of this number, and it is the population the vendor is describing as “limited” but real.

Who Is Affected?

The vulnerability affects PAN-OS releases across four supported branches. Patched versions and the affected ranges are:

Branch   Affected Range            Fixed In
12.1     12.1.2 - 12.1.6           12.1.7
11.2     11.2.0 - 11.2.11          11.2.12
11.1     11.1.0 - 11.1.14          11.1.15
10.2     10.2.0 - 10.2.18-h5       10.2.18-h6

The form factor matters. Affected: PA-Series hardware appliances and VM-Series virtual firewalls. Not affected: Prisma Access, Cloud NGFW, and Panorama management appliances. If your edge is a managed cloud firewall service, this CVE does not apply to it. If your edge is a PA-7080 or a VM-300 in a hyperscaler, it does.

Exposure depends on whether the User-ID Authentication Portal is enabled on an L3 interface that an attacker can reach. The portal is only reachable on interfaces where Response Pages are enabled in the Interface Management Profile, which makes the Response Pages setting the practical attack-surface boundary.

What Should You Do?

Patches and Updates

Upgrade to a fixed PAN-OS version on the corresponding release branch:

  • 12.1.x branch: upgrade to 12.1.7 or later
  • 11.2.x branch: upgrade to 11.2.12 or later
  • 11.1.x branch: upgrade to 11.1.15 or later
  • 10.2.x branch: upgrade to 10.2.18-h6 or later

Palo Alto is releasing the fixed builds in a staged rollout that begins May 13, 2026. The advisory lists the target fixed versions above, but not every branch has a downloadable build available immediately at disclosure. Check the vendor advisory page for the current per-branch availability before scheduling your maintenance window.

Palo Alto’s full advisory, including download links and per-platform notes, is at security.paloaltonetworks.com/CVE-2026-0300. Treat the federal KEV deadline of May 9, 2026 as a baseline, not a target. If a firewall is internet-facing and runs an affected version of PAN-OS with the Authentication Portal enabled and a downloadable patched build is not yet available for that branch, apply the access-restriction workaround below as the immediate action and patch as soon as the fixed build lands.

Workarounds

Two vendor-provided mitigations reduce risk if you cannot patch immediately. They are partial. Patching is the only complete fix.

  1. Restrict the Authentication Portal to trusted zones. Edit the Interface Management Profile attached to every L3 interface in any zone where untrusted or internet traffic can ingress, and disable Response Pages on those profiles. Keep Response Pages enabled only on profiles attached to interfaces in trust or internal zones where legitimate users’ browsers ingress. This removes the network path to the portal from untrusted networks.
  2. Disable the Authentication Portal entirely. If your environment does not rely on Captive Portal user identification (most do not, having moved to AD agent or User-ID agent), turn the feature off until you have patched.

Customers with a Threat Prevention subscription can also block exploitation attempts at the IPS layer by enabling Threat ID 510019, available in Applications and Threats content version 9097-10022. The detection requires PAN-OS 11.1 or later for the decoder support; PAN-OS 10.2 customers do not get the IPS coverage and must rely on patching or the access-restriction workaround.

Detection and Visibility

Three things you need to know in the first hour:

  1. Which firewalls in your environment are PA-Series or VM-Series running an affected PAN-OS version.
  2. Of those, which have the User-ID Authentication Portal enabled, and on which interfaces.
  3. Whether any of those interfaces are reachable from an untrusted zone.
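The first two questions above, and the affected-range table in the previous section, come down to a version check plus an exposure check. The following is an added example (not Palo Alto's code) that applies the advisory's ranges to a constructed inventory; the device names, models, zone labels and the record layout are assumptions made up for the example.

```python
# Added example, not Palo Alto's code: triage a constructed firewall inventory
# against the CVE-2026-0300 affected ranges and the exposure condition in the advisory.
import re

# Affected ranges and fixed builds per branch, exactly as the advisory table lists them.
AFFECTED = {
    "12.1": ("12.1.2", "12.1.6", "12.1.7"),
    "11.2": ("11.2.0", "11.2.11", "11.2.12"),
    "11.1": ("11.1.0", "11.1.14", "11.1.15"),
    "10.2": ("10.2.0", "10.2.18-h5", "10.2.18-h6"),
}

def parse_version(v):
    """'10.2.18-h5' -> (10, 2, 18, 5); a build with no hotfix suffix gets hotfix 0."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v!r}")
    return tuple(int(x or 0) for x in m.groups())

def vulnerable_version(version):
    """Return the fixed build if `version` falls in an affected range, else None."""
    v = parse_version(version)
    branch = f"{v[0]}.{v[1]}"
    if branch not in AFFECTED:
        return None                      # branch not listed by the advisory
    lo, hi, fixed = AFFECTED[branch]
    lo, hi = parse_version(lo), parse_version(hi)
    if v[:3] < lo[:3] or v[:3] > hi[:3]:
        return None
    # Only a hotfix-qualified upper bound (10.2.18-h5) excludes later hotfixes of the
    # same build; otherwise hotfixes of an in-range build are treated as affected.
    if v[:3] == hi[:3] and hi[3] and v[3] > hi[3]:
        return None
    return fixed

def triage(device, untrusted_zones):
    """'not-affected' | 'patch' | 'patch-now' for one constructed inventory record.
    Only PA-Series and VM-Series are in scope; Panorama, Prisma Access and Cloud NGFW are not."""
    if not device["model"].startswith(("PA-", "VM-")):
        return "not-affected"
    if vulnerable_version(device["version"]) is None:
        return "not-affected"
    # The portal is reachable only on interfaces whose management profile enables Response Pages.
    exposed = device["portal_enabled"] and set(device["response_page_zones"]) & set(untrusted_zones)
    return "patch-now" if exposed else "patch"

# Constructed inventory records; names, models and zone labels are made up for the example.
INVENTORY = [
    {"name": "fw-edge-1", "model": "PA-5420", "version": "11.1.12", "portal_enabled": True, "response_page_zones": ["untrust", "guest"]},
    {"name": "fw-dc-2", "model": "VM-300", "version": "10.2.18-h6", "portal_enabled": True, "response_page_zones": ["trust"]},
    {"name": "fw-branch-3", "model": "PA-440", "version": "10.2.18-h5", "portal_enabled": False, "response_page_zones": []},
    {"name": "pano-1", "model": "M-300", "version": "11.1.12", "portal_enabled": False, "response_page_zones": []},
]

if __name__ == "__main__":
    for d in INVENTORY:
        print(f"{d['name']:<12} {d['version']:<12} {triage(d, ['untrust', 'guest'])}")
```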

The first question is often the slowest one to answer in practice. Firewall inventories live in Panorama, in vulnerability scanners, in CMDB exports that are months out of date, and in the heads of network engineers. An asset inventory that pulls from Panorama, your vulnerability scanner, your CMDB, and your cloud accounts gives you a single answer instead of three different ones. Koopic connects to those tools and surfaces, in minutes, exactly which firewalls are running affected PAN-OS versions and where they sit in your network.

For runtime detection, watch firewall logs for unexpected crashes of the Authentication Portal process and for traffic to the portal listener from zones that should not legitimately reach it. Threat ID 510019 logs in Threat Prevention will surface exploitation attempts on PAN-OS 11.1+ once content version 9097-10022 is installed.
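The two runtime signals above, Threat ID 510019 hits and portal-bound sessions from zones that should not reach the listener, can be swept for in a log export. This is an added example, not Palo Alto's code: the CSV field layout, IP addresses, zone names and the portal listener ports are assumptions constructed for the example, so map the fields to your own PAN-OS log export before relying on it.

```python
# Added example, not Palo Alto's code: sweep constructed firewall log lines for the two
# signals the text describes: Threat ID 510019 hits, and sessions from untrusted zones
# to the Authentication Portal listener. The CSV layout below is made up for the example.
import csv
import io

THREAT_ID = "510019"                      # Threat Prevention signature for CVE-2026-0300
PORTAL_PORTS = {"6080", "6081", "6082"}   # assumed portal listener ports; confirm in your config

# Constructed sample export: one header row followed by log records (addresses are documentation ranges).
SAMPLE_LOGS = """\
type,threat_id,src_zone,dst_zone,src_ip,dst_ip,dst_port,action
THREAT,510019,untrust,trust,203.0.113.7,192.0.2.1,6082,reset-both
THREAT,510019,guest,trust,10.10.5.4,192.0.2.1,6080,alert
TRAFFIC,,untrust,trust,203.0.113.9,192.0.2.1,6081,allow
TRAFFIC,,trust,untrust,10.0.0.5,198.51.100.2,443,allow
TRAFFIC,,trust,trust,10.0.0.8,192.0.2.1,6082,allow
"""

def find_portal_abuse(log_text, untrusted_zones, portal_ips):
    """Return (severity, record) tuples for records worth an analyst's attention."""
    findings = []
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["type"] == "THREAT" and rec["threat_id"] == THREAT_ID:
            # A signature hit that was only alerted on means the packet reached the portal.
            sev = "high" if rec["action"] == "alert" else "medium"
            findings.append((sev, rec))
        elif (rec["type"] == "TRAFFIC"
              and rec["src_zone"] in untrusted_zones
              and rec["dst_ip"] in portal_ips
              and rec["dst_port"] in PORTAL_PORTS):
            # Portal listener reachable from a zone that should have Response Pages disabled.
            findings.append(("exposure", rec))
    return findings

def summarize(findings):
    """Count findings by severity label, e.g. {'medium': 1, 'high': 1, 'exposure': 1}."""
    counts = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts

if __name__ == "__main__":
    hits = find_portal_abuse(SAMPLE_LOGS, {"untrust", "guest"}, {"192.0.2.1"})
    for sev, rec in hits:
        print(f"[{sev}] {rec['type']} {rec['src_zone']}->{rec['dst_zone']} "
              f"{rec['src_ip']} -> {rec['dst_ip']}:{rec['dst_port']} ({rec['action']})")
    print(summarize(hits))
```

An "exposure" finding from an untrusted zone is itself evidence that the access-restriction workaround has not been applied on that interface.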

Timeline

  • May 13, 2026 (patch): Staged release of fixed PAN-OS builds begins
  • May 11, 2026 (NVD): EPSS scored at 90th percentile (5.29% probability)
  • May 9, 2026 (KEV): CISA KEV remediation deadline
  • May 7, 2026 (NVD): NVD completes analysis (CVSS v3.1 9.8 Critical, status: Analyzed)
  • May 6, 2026 (KEV): CISA adds to KEV catalog (3-day deadline)
  • May 6, 2026 (exploit): CISA ADP confirms active exploitation, Provider Urgency Red
  • May 5, 2026 (disclosure): Palo Alto publishes advisory; vendor reports limited in-the-wild exploitation
  • May 5, 2026 (disclosure): MITRE publishes CVE record (NVD status: Received)
