CVE-2026-0300: Palo Alto PAN-OS Buffer Overflow Under Active Exploitation — What Security Teams Must Do Now
If your Palo Alto Networks firewalls run PAN-OS and have the User-ID Authentication Portal enabled, your window to act is now. A critical buffer overflow flaw, tracked as CVE-2026-0300, is being exploited in the wild. The good news: the scope is narrower than a blanket “all PAN-OS” alert. The bad news: if the portal is exposed to the internet on impacted versions, attackers can gain unauthenticated remote code execution. In other words, they can take over the firewall.
Here’s what you need to know and exactly what to do next.
What Happened
Palo Alto Networks issued an advisory for a critical buffer overflow in PAN-OS affecting PA-Series and VM-Series firewalls that have the User-ID Authentication Portal enabled. The flaw (CVE-2026-0300) allows unauthenticated remote code execution (RCE) when the portal is reachable from the internet or other untrusted networks.
- Severity: CVSS 9.3 if the User-ID Authentication Portal is internet-accessible; CVSS 8.7 if access is restricted to trusted internal IPs only.
- Affected families: PA-Series and VM-Series running specific PAN-OS 10.2 releases (see versions below).
- Exploitation: Confirmed in the wild.
- Patches: Rolling out starting May 13, 2026.
- Mitigations now: Restrict access to the portal to trusted zones only or disable it entirely if you don’t need it.
Source coverage: The Hacker News report
Official resources:
- Palo Alto Networks Security Advisories: https://security.paloaltonetworks.com
- PAN-OS User-ID Authentication Portal documentation (10.2): https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/authentication-portal
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
Why This Vulnerability Matters
Firewalls protect your most sensitive assets and serve as a bridge between networks. An RCE on a perimeter firewall can:
- Give attackers a beachhead with privileged network positioning.
- Enable traffic interception, rule manipulation, or stealthy persistence.
- Bypass segmentation, VPN entry points, and monitoring.
- Facilitate lateral movement into high-value internal systems.
With active exploitation confirmed, this is not a theoretical risk. Any internet-exposed Authentication Portal on vulnerable versions should be treated as a likely target.
Who Is Affected
This is not a blanket PAN-OS management interface bug. It specifically impacts deployments where the User-ID Authentication Portal is enabled.
You are affected if all of the following hold:
- You operate PA-Series or VM-Series firewalls running impacted PAN-OS 10.2 releases (see below), and
- The User-ID Authentication Portal is enabled, and
- The portal is reachable from somewhere: from the internet or an untrusted network (highest risk), or only from trusted internal IPs (reduced but still serious risk).
You are likely not affected if either of the following holds:
- The User-ID Authentication Portal is disabled, or
- You already run the fixed hotfix level for your 10.2 train (or a later release that includes the fix).
In both cases, still confirm that no security policy, NAT rule, or upstream device makes the portal reachable from untrusted sources.
Affected Versions (PAN-OS 10.2)
Vulnerable: PAN-OS 10.2 releases prior to the following patched levels:
- 10.2.7-h34
- 10.2.10-h36
- 10.2.13-h21
- 10.2.16-h7
- 10.2.18-h6
If you are running any 10.2.x release older than these hotfix levels, you are in scope. Plan to update to at least the listed hotfix or a newer maintenance release once available for your train.
Note: Only PA-Series and VM-Series with the User-ID Authentication Portal configured are impacted by this specific vulnerability.
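Comparing a build string such as 10.2.13-h20 against the hotfix minimums above by eye is error-prone across a fleet, so here is an added triage helper. It is example code written for this article, not Palo Alto Networks tooling. The fixed levels are the five 10.2 hotfixes listed on this page; everything else is an assumption: the device inventory is constructed sample data shaped like the `sw-version:` line of `show system info` output, the `portal_enabled` and `reachable_from_untrust` flags are things you determine from your own configuration review, and builds on 10.2 trains the page does not list, or on other major versions, are reported as needing a check against the vendor advisory rather than guessed.

```python
"""Triage helper: rank firewalls by how urgently CVE-2026-0300 applies.

Added example for this article, not vendor code. FIXED_10_2 holds the
fixed hotfix levels quoted on the page. The inventory is constructed
sample data; the 'show_system_info' text mimics the 'sw-version:' line
of PAN-OS `show system info` output (assumption about its layout).
"""
import re

# 10.2 maintenance release -> minimum fixed hotfix, as listed on the page.
FIXED_10_2 = {7: 34, 10: 36, 13: 21, 16: 7, 18: 6}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed inventory: hosts, flags from your own config review, and a
# snippet of CLI output. None of these are real devices.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "portal_enabled": True, "reachable_from_untrust": True,
     "show_system_info": "hostname: fw-edge-01\nmodel: PA-5220\nsw-version: 10.2.13-h20\n"},
    {"host": "fw-dc-02", "portal_enabled": True, "reachable_from_untrust": False,
     "show_system_info": "hostname: fw-dc-02\nmodel: PA-3260\nsw-version: 10.2.10-h36\n"},
    {"host": "fw-branch-03", "portal_enabled": True, "reachable_from_untrust": False,
     "show_system_info": "hostname: fw-branch-03\nmodel: PA-440\nsw-version: 10.2.7-h12\n"},
    {"host": "fw-lab-04", "portal_enabled": False, "reachable_from_untrust": False,
     "show_system_info": "hostname: fw-lab-04\nmodel: PA-VM\nsw-version: 10.2.8-h3\n"},
    {"host": "fw-new-05", "portal_enabled": True, "reachable_from_untrust": False,
     "show_system_info": "hostname: fw-new-05\nmodel: PA-VM\nsw-version: 11.1.2-h3\n"},
]


def parse_version(sw_version):
    """Return (major, minor, maint, hotfix) from e.g. '10.2.13-h20'.
    A build with no '-hN' suffix is treated as hotfix 0."""
    m = VERSION_RE.match(sw_version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {sw_version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def sw_version_from_show_system_info(text):
    """Pull the value of the 'sw-version:' line out of CLI output."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found in output")


def build_status(sw_version):
    """Return ('fixed' | 'vulnerable' | 'unknown', reason) for one build."""
    major, minor, maint, hotfix = parse_version(sw_version)
    if (major, minor) != (10, 2):
        return "unknown", "not a 10.2 train; check the vendor advisory"
    if maint in FIXED_10_2:
        need = FIXED_10_2[maint]
        if hotfix >= need:
            return "fixed", f"at or above 10.2.{maint}-h{need}"
        return "vulnerable", f"below fixed level 10.2.{maint}-h{need}"
    if maint < max(FIXED_10_2):
        # e.g. 10.2.8: older than the listed fixed levels, no fix on this train
        return "vulnerable", "10.2 train with no listed fix; move to a fixed train"
    return "unknown", "10.2 train newer than those listed; check the vendor advisory"


def priority(status, portal_enabled, reachable_from_untrust):
    """Map build status plus portal exposure to a work queue bucket."""
    if status == "fixed":
        return "none"
    if status == "unknown":
        return "verify"
    if not portal_enabled:
        return "P3"  # vulnerable build, but the affected component is off
    return "P1" if reachable_from_untrust else "P2"  # mirrors the 9.3 / 8.7 split


def triage(inventory=SAMPLE_INVENTORY):
    """Return one row per device, most urgent first."""
    rows = []
    for dev in inventory:
        sw = sw_version_from_show_system_info(dev["show_system_info"])
        status, reason = build_status(sw)
        rows.append({
            "host": dev["host"], "sw_version": sw, "status": status,
            "priority": priority(status, dev["portal_enabled"], dev["reachable_from_untrust"]),
            "reason": reason,
        })
    return sorted(rows, key=lambda r: r["priority"])


if __name__ == "__main__":
    for r in triage():
        print(f'{r["priority"]:6} {r["host"]:14} {r["sw_version"]:12} {r["status"]:10} {r["reason"]}')
```

Note that a build with no hotfix suffix (for example plain 10.2.10) is deliberately ranked as vulnerable, because the page lists 10.2.10-h36 as the minimum; a train such as 10.2.8 has no fixed hotfix on this page at all, so the only path is an upgrade to a listed fixed train.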
Exposure Scenarios
- High risk (CVSS 9.3): Authentication Portal reachable from the internet or untrusted networks. Attackers do not need credentials.
- Elevated risk (CVSS 8.7): Portal restricted to trusted internal IP addresses. Reduced exposure, but compromise of an internal host could put the firewall at risk.
Quick Triage: How To Tell If You’re Exposed
Do this immediately:
- Confirm whether the User-ID Authentication Portal is enabled.
- Determine whether it is accessible from the internet or untrusted networks.
- Identify which PAN-OS version and hotfix you’re on.
High-level checks you can perform:
- Review your firewall configuration for Authentication Portal settings and corresponding policies. In many deployments, this is part of User-ID configuration and associated “Authentication” policy rules.
- Validate which interfaces/zones and address objects can reach the portal. Confirm external NATs and VIPs that might publish it.
- Examine upstream/load balancer configs for any mappings to the portal.
- Use an external scanner or simply test from a clean external network to confirm reachability to the portal URL/hostname/IP (do not run intrusive scans against production control planes).
If you confirm external reachability on a vulnerable version, treat as an urgent incident response priority.
Immediate Actions Security Teams Should Take
You don’t have to wait for patches to reduce risk. Prioritize these steps in order.
1) Restrict or Disable the Authentication Portal Now
- Best near-term mitigation: Disable the User-ID Authentication Portal entirely if your workflow doesn’t depend on it.
- If you must keep it: Restrict access to trusted internal management networks only. Ensure no security policy, NAT, or proxy publishes it to the internet.
- Consider placing access behind VPN with device posture and MFA, accessible only from a hardened admin network.
Validate:
- No source zones marked “Untrust/Internet” can reach the portal.
- No public IP or NAT translates to the portal.
- No external-facing load balancer forwards to the portal.
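The three validation points above are mechanical enough to script as a first-pass audit of an exported policy. The block below is an added example written for this article, not a Palo Alto Networks tool, and it works on a constructed, simplified model of security and NAT rules (name, zones, destination objects, service, action) rather than a real PAN-OS export. Assumptions are marked in the code: the portal answers on the interface addresses in PORTAL_ADDRS and lives in the zones in PORTAL_ZONES, PORTAL_PORTS holds the ports the portal is configured on (6080-6082 are the commonly documented defaults; confirm yours), and UNTRUSTED_ZONES names the internet- and partner-facing zones.

```python
"""First-pass audit: which policy rules could publish the portal?

Added example for this article, not vendor tooling. The rule sets are a
constructed, simplified model of a PAN-OS security/NAT policy, not an
export from a real device. Adjust the assumptions below to your config.
"""
import ipaddress

PORTAL_ADDRS = ["10.1.1.1"]                 # assumption: interface IPs the portal answers on
PORTAL_ZONES = {"trust"}                    # assumption: zone(s) those interfaces belong to
PORTAL_PORTS = {6080, 6081, 6082}           # assumption: configured portal ports (documented defaults)
UNTRUSTED_ZONES = {"untrust", "partner-extranet"}

# Constructed sample policy. 'dst' holds address objects or 'any';
# 'service' is 'any' or a list of (proto, port) tuples.
SECURITY_RULES = [
    {"name": "untrust-to-any-broad", "from": ["untrust"], "to": ["any"],
     "dst": ["any"], "service": "any", "action": "allow"},
    {"name": "deny-portal-untrust", "from": ["untrust"], "to": ["trust"],
     "dst": ["10.1.1.1/32"], "service": [("tcp", 6082)], "action": "deny"},
    {"name": "users-to-portal", "from": ["trust"], "to": ["trust"],
     "dst": ["10.1.1.0/24"], "service": [("tcp", 6082)], "action": "allow"},
    {"name": "partner-mgmt", "from": ["partner-extranet"], "to": ["trust"],
     "dst": ["10.1.0.0/16"], "service": [("tcp", 6080), ("tcp", 6081)], "action": "allow"},
]

NAT_RULES = [
    {"name": "publish-www", "from": ["untrust"],
     "orig_dst": "203.0.113.10", "xlat_dst": "10.2.5.5"},
    {"name": "legacy-portal-vip", "from": ["untrust"],
     "orig_dst": "203.0.113.11", "xlat_dst": "10.1.1.1"},
]


def _covers_addr(objs, addr):
    """True if any address object (CIDR or 'any') contains addr."""
    ip = ipaddress.ip_address(addr)
    return any(o == "any" or ip in ipaddress.ip_network(o, strict=False) for o in objs)


def _covers_port(service, ports):
    """True if the rule's service matches any of the portal's TCP ports."""
    if service == "any":
        return True
    return any(proto == "tcp" and port in ports for proto, port in service)


def security_rule_findings(rules=SECURITY_RULES):
    """Allow rules from an untrusted zone that can reach a portal address/port."""
    findings = []
    for r in rules:
        if r["action"] != "allow" or not (set(r["from"]) & UNTRUSTED_ZONES):
            continue
        if not (set(r["to"]) & (PORTAL_ZONES | {"any"})):
            continue
        if any(_covers_addr(r["dst"], a) for a in PORTAL_ADDRS) and _covers_port(r["service"], PORTAL_PORTS):
            findings.append(r["name"])
    return findings


def nat_rule_findings(rules=NAT_RULES):
    """NAT rules whose translated destination is a portal address."""
    return [r["name"] for r in rules if r["xlat_dst"] in PORTAL_ADDRS]


def audit():
    return {"security": security_rule_findings(), "nat": nat_rule_findings()}


if __name__ == "__main__":
    for kind, names in audit().items():
        print(f"{kind}: {', '.join(names) or 'no findings'}")
```

This check is order-unaware: it lists every rule that could expose the portal, including a broad allow that an earlier explicit deny might shadow in the live policy. Treat each finding as something to confirm in the device's effective policy (rule order, App-ID, address groups, Panorama pre/post rules), and pair it with the external reachability test described above rather than relying on the static review alone.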
2) Patch as Soon as Palo Alto Releases Updates
Palo Alto Networks announced patches begin rolling out May 13, 2026. As updates become available for your PAN-OS 10.2 train:
- Target the fixed hotfix minimums listed above (or newer).
- Follow your change control, but recognize this is a security emergency; schedule expedited maintenance windows.
- Patch internet-adjacent firewalls first, then internal firewalls that host the Authentication Portal.
Bookmark and monitor the advisory hub: https://security.paloaltonetworks.com
3) Hunt for Signs of Exploitation
Even if you restrict or disable the portal now, review historical activity:
- Traffic/URL logs: Unusual connections to the Authentication Portal endpoint, especially from unfamiliar external IPs or scanning infrastructure.
- System logs: Unexpected admin logins, configuration changes, or commits outside normal change windows.
- Configuration integrity: Unknown superuser accounts, API keys, scheduled jobs, profiles, or rules you didn’t create.
- Data plane indicators: Spikes in CPU/memory, unexplained restarts, or anomalies around the time the portal was publicly reachable.
- External telemetry: IDS/IPS, EDR, or SIEM alerts coinciding with firewall management or portal access events.
If you suspect compromise, escalate to your incident response playbook:
- Isolate affected devices from untrusted networks.
- Preserve system and traffic logs.
- Engage your IR team and Palo Alto support.
- Plan for rebuild or reimage if integrity cannot be guaranteed.
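Two of the hunts above, external sources hitting the portal and configuration changes that do not fit your change records, can be run over exported logs with a short script. The block below is an added example written for this article, not Palo Alto Networks code, and the log excerpts are constructed in a simplified CSV layout, not the native PAN-OS log schema; map the column names to your own export before using it. Assumptions are marked in the code: INTERNAL_NETS are the organisation's own ranges (anything else counts as external), PORTAL_PORTS are the assumed default portal ports, and CHANGE_WINDOW and KNOWN_ADMINS come from your change-control records.

```python
"""Retrospective hunt over exported firewall logs for portal abuse signs.

Added example for this article, not vendor code. The CSV excerpts are
constructed and use a simplified column layout, not the PAN-OS schema.
"""
import csv
import io
import ipaddress
from datetime import datetime, time

# Assumptions: adjust all four to your environment.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PORTAL_PORTS = {6080, 6081, 6082}
CHANGE_WINDOW = (time(22, 0), time(2, 0))   # approved window 22:00-02:00, wraps midnight
KNOWN_ADMINS = {"netops-jane", "netops-raj"}

# Constructed traffic log: one internal user, one external source probing
# the portal port repeatedly, one unrelated denied connection.
TRAFFIC_LOG = """time,src,dst,dport,action,bytes
2026-05-10T01:14:05,192.168.10.25,10.1.1.1,6082,allow,1830
2026-05-10T02:15:11,198.51.100.77,10.1.1.1,6082,allow,52
2026-05-10T02:15:12,198.51.100.77,10.1.1.1,6082,allow,48291
2026-05-10T02:15:40,198.51.100.77,10.1.1.1,6082,allow,61
2026-05-10T03:01:00,203.0.113.9,10.1.1.1,443,deny,0
"""

# Constructed config log: a normal commit, then an unexpected superuser
# grant and commit by an account not in the known admin list.
CONFIG_LOG = """time,admin,client,command,result
2026-05-09T23:15:00,netops-jane,Web,commit,Succeeded
2026-05-10T02:20:10,admin,CLI,set mgt-config users backup-svc permissions role-based superuser yes,Succeeded
2026-05-10T02:21:44,admin,CLI,commit,Succeeded
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def is_external(addr):
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL_NETS)


def in_change_window(ts, window=CHANGE_WINDOW):
    start, end = window
    t = ts.time()
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end        # window crosses midnight


def external_portal_hits(rows):
    """Traffic rows to a portal port from outside INTERNAL_NETS, grouped by
    source so repeated probing from one address stands out."""
    by_src = {}
    for r in rows:
        if int(r["dport"]) in PORTAL_PORTS and is_external(r["src"]):
            by_src.setdefault(r["src"], []).append(r)
    return by_src


def suspicious_config_events(rows):
    """Config events by unknown admins, outside the window, or granting superuser."""
    flagged = []
    for r in rows:
        reasons = []
        if r["admin"] not in KNOWN_ADMINS:
            reasons.append("unknown admin")
        if not in_change_window(datetime.fromisoformat(r["time"])):
            reasons.append("outside change window")
        if "superuser" in r["command"]:
            reasons.append("superuser grant")
        if reasons:
            flagged.append((r["time"], r["admin"], r["command"], reasons))
    return flagged


def hunt(traffic_csv=TRAFFIC_LOG, config_csv=CONFIG_LOG):
    return {"external_portal_hits": external_portal_hits(load(traffic_csv)),
            "config_events": suspicious_config_events(load(config_csv))}


if __name__ == "__main__":
    result = hunt()
    for src, hits in result["external_portal_hits"].items():
        print(f"portal reached from external {src}: {len(hits)} connection(s)")
    for when, who, cmd, why in result["config_events"]:
        print(f"{when} {who}: {cmd} [{', '.join(why)}]")
```

Internal versus external is decided against your own address ranges on purpose: a portal that is only meant for corporate users should see no sources outside those ranges at all, so even a single external hit is worth a look, and a burst of small requests followed by a large response from one address is the pattern to prioritise.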
4) Communicate and Coordinate
- Notify your SOC, network, and infrastructure teams about the vulnerability and interim mitigations.
- Brief leadership on risk and timelines for remediation (see “How to brief executives” below).
- If you provide managed services, notify affected customers and provide mitigation instructions.
Understanding the User-ID Authentication Portal
Not every PAN-OS deployment uses the Authentication Portal (called Captive Portal in older PAN-OS releases). It is tied to User-ID, Palo Alto’s feature for mapping IP addresses to user identities. The portal can challenge users to authenticate before granting access to certain resources, improving visibility and policy enforcement.
Key points for this vulnerability:
- The flaw exists in the Authentication Portal component, not the general web management UI.
- If the portal is not enabled, you are not directly vulnerable to this specific issue.
- If your security policy or NAT rules inadvertently expose the portal externally, risk is high and immediate.
For official product guidance on the Authentication Portal, refer to the PAN-OS 10.2 Admin Guide: Authentication Portal: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/authentication-portal
How To Verify If the Authentication Portal Is Enabled
Your exact UI layout and labels can vary by PAN-OS version, but use this general checklist:
- Review Authentication Portal settings in your User-ID configuration.
- Review Authentication policy rules that reference the portal.
- Confirm SSL/TLS certificate profiles associated with the portal.
- Verify which interfaces/zones and address objects can reach it.
- Check NAT and security policies that could publish the portal beyond internal networks.
If documentation is unclear or you’re unsure, coordinate with your network/security engineering team and Palo Alto support for a quick audit. The fastest test is a controlled connection attempt from a known external IP while monitoring logs and connection attempts on the firewall.
Attack Surface and Risk Scenarios
- Direct exposure: An external NAT or VIP makes the portal reachable from the internet. This is the most critical scenario under active exploitation.
- Indirect exposure: A partner/extranet or semi-trusted network can reach the portal due to broad allow rules. Still high risk.
- Internal-only exposure: The portal is limited to known internal management subnets. Lower risk, but an internal foothold could still enable exploitation. Treat this as urgent to patch.
Even internal-only services can be abused if adversaries already have a toehold through phishing, unmanaged devices, or compromised credentials elsewhere. Don’t defer patching based solely on “internal-only” status.
Hardening Checklist for Palo Alto Firewalls
Use this event as a catalyst to tighten your overall firewall hygiene:
- Minimize exposed surfaces:
  - Do not expose authentication portals, captive portals, or management UIs to the internet.
  - Use a jump host or VPN with MFA for administrative access.
- Restrict by source:
  - Limit portal access to a small set of trusted admin subnets.
  - Enforce allowlists and explicit deny rules for untrusted zones.
- Segment aggressively:
  - Place control plane services in dedicated management zones.
  - Separate admin traffic from user and data traffic.
- Log and monitor:
  - Forward system, config, and traffic logs to your SIEM.
  - Alert on new admin accounts, unusual commits, and off-hours changes.
- Keep current:
  - Track security advisories and subscribe to vendor notifications.
  - Standardize on supported, actively maintained PAN-OS trains.
- Practice least privilege:
  - Review admin roles; remove unused accounts and stale API keys.
  - Apply role-based access control and just-in-time access where possible.
- Validate configuration drift:
  - Periodically audit NAT and security policies for unintended exposure.
  - Use configuration baselines and automated compliance checks.
Patch Planning and Change Control
When the fixed builds become available for your PAN-OS 10.2 train:
- Prioritize: Internet-facing and DMZ firewalls first, then internal zones that host the portal.
- Stage and test: Validate in a lab or standby cluster if available. Verify commit success and dataplane health.
- Schedule: Use emergency change windows given active exploitation status. Coordinate with business owners for minimal disruption.
- Rollback plan: Keep a backup of running-config and a tested fallback image. Document criteria for rollback vs. proceed.
- Post-patch validation: Confirm the portal behavior, traffic flow, and log integrity. Re-run exposure tests from untrusted networks.
How To Brief Executives and Non-Technical Stakeholders
Here’s a concise message you can use with leadership:
- What happened: A critical vulnerability (CVE-2026-0300) in Palo Alto firewalls is being exploited. It affects a specific portal component that, if exposed, can let attackers take over the device without credentials.
- Impact: Highest risk if the portal is internet-facing; still serious if internal-only. This could enable attackers to control traffic and pivot into other systems.
- What we’re doing: We have restricted/disabled external access immediately, are monitoring for suspicious activity, and will apply vendor patches as they become available starting May 13.
- Business impact: Short maintenance windows may be required. We’re scheduling these for minimal disruption and will communicate changes in advance.
- Ask: Approve emergency change windows as needed and support communications for potential brief service interruptions.
Incident Response Considerations If You Suspect Compromise
If indicators suggest the firewall may have been exploited:
- Isolate to contain:
  - Remove external reachability to the portal immediately.
  - If necessary, temporarily remove the device from high-risk paths.
- Preserve evidence:
  - Export and secure logs, tech support files, and configuration snapshots.
- Assess integrity:
  - Review admin accounts, API keys, scheduled tasks, and recent commits.
  - Compare running config to a known-good baseline.
- Remediate:
  - Patch to the fixed version.
  - Change admin credentials and rotate keys/certificates tied to the device.
  - Consider reimaging if you cannot establish trust in the current state.
- Report:
  - Engage Palo Alto support and your IR provider.
  - Consider regulatory or customer notifications depending on your industry and findings.
Common Questions From Security and Network Teams
- Is this the same as GlobalProtect or the web management interface?
  - No. This flaw is in the User-ID Authentication Portal component. It is distinct from GlobalProtect and from the general web management UI. However, in some environments multiple services may be accessible on the same device; validate each service’s exposure separately.
- If my portal is internal-only, do I still need to patch?
  - Yes. Internal-only exposure reduces risk but does not eliminate it. A compromised internal host could exploit the flaw. Patch as soon as your fixed build is available.
- Can I rely on security profiles or IPS to block exploitation?
  - Do not rely on signatures alone. Attackers can vary payloads, and vendor signatures may lag behind new exploit variants. The recommended mitigations are to restrict/disable the portal and apply patches.
- How do I know if I’m actually using the Authentication Portal?
  - Check your User-ID configuration and Authentication policy rules. If you don’t have a use case for user-based captive authentication, you may not be using it and can likely disable it safely after internal validation.
- What if I’m on a different PAN-OS major version?
  - The advisory and details here focus on PAN-OS 10.2 per currently available information. Check Palo Alto’s official advisory page for your specific version trains and follow vendor guidance as it is updated.
- Are there public proof-of-concept exploits?
  - Given active exploitation reports, assume exploit code exists in some form. Do not rely on the absence of a public PoC to delay mitigation.
- Will restricting the portal break user access?
  - If your workflows depend on the Authentication Portal for user identification or access challenges, restricting it to trusted admin networks may impact certain flows. Coordinate with application owners to validate impact before changes, or implement alternative identity methods temporarily.
- Could this have compromised traffic or data?
  - A successful RCE on a firewall can permit deep manipulation of traffic and configuration. If you find signs of compromise, treat potentially transiting data as at risk and conduct a thorough investigation.
Practical Next Steps You Can Execute Today
- Inventory: Identify all PA-Series and VM-Series devices and confirm PAN-OS 10.2 versions and hotfix levels.
- Exposure check: Determine if the User-ID Authentication Portal is enabled and reachable from untrusted networks. If yes, block or disable immediately.
- Monitoring: Increase alerting for admin changes and portal access attempts. Review the last 30–90 days for anomalies.
- Patch prep: Schedule emergency windows starting May 13 for applicable devices, and subscribe to vendor advisory updates.
- Documentation: Record all changes and findings for audit/IR purposes.
External References and Further Reading
- The Hacker News coverage: https://thehackernews.com/2026/05/palo-alto-pan-os-flaw-under-active.html
- Palo Alto Networks Security Advisories: https://security.paloaltonetworks.com
- PAN-OS 10.2 Authentication Portal guide: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/user-id/authentication-portal
- CISA Known Exploited Vulnerabilities Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog
FAQs
- What is CVE-2026-0300 in simple terms?
  - A critical buffer overflow bug in the PAN-OS User-ID Authentication Portal that can let attackers run code on the firewall without logging in, especially if the portal is internet-exposed.
- Which devices are impacted?
  - PA-Series and VM-Series firewalls running vulnerable PAN-OS 10.2 releases with the Authentication Portal enabled. Not all deployments use this feature.
- How critical is it if my portal is internet-facing?
  - Extremely critical (CVSS 9.3). Treat as an active incident risk; disable or restrict access immediately and prepare to patch.
- When will patches be available?
  - Palo Alto Networks stated patches begin rolling out May 13, 2026. Monitor the official advisory for your specific 10.2 train.
- What minimum fixed versions should I target?
  - At least these hotfix levels for PAN-OS 10.2: 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6, whichever matches your train. Later maintenance releases that include the fix are also acceptable.
- I don’t think I use the Authentication Portal—can I ignore this?
  - Validate first. If it’s disabled and not published anywhere, you’re not directly affected by this flaw. Still, verify you’re not inadvertently exposing any control-plane services.
- What logs should I review for potential exploitation?
  - Traffic logs for unusual portal access, system/config logs for unexpected admin changes or commits, and any SIEM/IDS alerts correlating with management events.
- Is there a safe workaround until I can patch?
  - Yes: restrict the portal to trusted internal IPs only or disable it entirely if not needed. Keep monitoring and prepare to patch promptly.
The Bottom Line
CVE-2026-0300 is a critical, actively exploited PAN-OS vulnerability with the potential for full device compromise when the User-ID Authentication Portal is exposed to untrusted networks. Your best defense right now is to remove external reachability to the portal or disable it, then patch to the fixed versions as they become available. Use this moment to audit your exposure, verify configurations, and strengthen your firewall hardening baseline.
Clear takeaway: If the Authentication Portal on your Palo Alto firewalls can be reached from the internet, block or disable it immediately, hunt for signs of abuse, and patch to the recommended hotfix levels without delay.
Discover more at InnoVirtuoso.com