Wasteland.
⚡ Active KEV CVE-2026-0300 2026-05-17

CVE-2026-0300: Critical PAN-OS Captive Portal RCE Under Active Exploitation

A critical out-of-bounds write in Palo Alto Networks PAN-OS lets an unauthenticated attacker execute arbitrary code as root on PA-Series and VM-Series firewalls, and CISA has confirmed active exploitation in the wild.

What Is It

CVE-2026-0300 is a buffer overflow (CWE-787, out-of-bounds write) in the User-ID Authentication Portal (formerly Captive Portal) service of PAN-OS. By sending specially crafted packets to the portal, an unauthenticated remote attacker can achieve arbitrary code execution with root privileges on the firewall itself. NVD scores it CVSS 3.1 9.8 (Critical) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H; Palo Alto's CVSS 4.0 scoring lands at 9.3 with exploit maturity "Attacked" and provider urgency "Red."

Why It Matters

This is pre-auth root RCE on a perimeter security device. A compromised firewall gives an attacker a privileged foothold inside the network with the ability to inspect, redirect, or manipulate traffic. CISA added the CVE to the Known Exploited Vulnerabilities catalog on 2026-05-06, confirming exploitation in the wild, with a federal remediation due date of 2026-05-09. Known ransomware campaign use is currently listed as Unknown.

What's Vulnerable

PAN-OS running the User-ID Authentication Portal (Captive Portal) on PA-Series and VM-Series firewalls. NVD's CPE list confirms affected versions across the PAN-OS 10.2.x line (10.2.0 through 10.2.9 and numerous 10.2.7 hotfixes among them). Prisma Access, Cloud NGFW, and Panorama appliances are not impacted. Risk is significantly reduced if access to the Authentication Portal is restricted to trusted internal IP addresses per Palo Alto's best-practice guidance.
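
One way to triage a firewall inventory against the scoping above, as an added example (not from this brief or from Palo Alto Networks). The inventory records and their field names are constructed, `patched` is an operator-supplied flag because this page lists no fixed versions, and "trusted internal" is assumed to mean RFC 1918 and IPv6 ULA space.

```python
import ipaddress

# Scoping taken from the brief; everything else below is constructed.
AFFECTED = {"PA-Series", "VM-Series"}
NOT_IMPACTED = {"Prisma Access", "Cloud NGFW", "Panorama"}
# Assumption: "trusted internal" means RFC 1918 and IPv6 ULA space.
TRUSTED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")]

def is_internal(cidr):
    """True if cidr sits wholly inside one trusted range (0.0.0.0/0 does not)."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED)

def triage(fw):
    """Classify one inventory record (hypothetical field names)."""
    if fw["platform"] in NOT_IMPACTED:
        return "not-impacted"
    if fw["platform"] not in AFFECTED:
        return "review-manually"  # platform not named in the brief
    if fw.get("patched"):
        return "patched"
    if not fw.get("auth_portal_enabled"):
        return "portal-disabled"
    sources = fw.get("portal_sources", [])
    # No recorded restriction, or any non-internal range, counts as exposed.
    if sources and all(is_internal(c) for c in sources):
        return "restricted-patch-pending"
    return "exposed-patch-first"

# Constructed sample inventory, not real devices.
INVENTORY = [
    {"name": "edge-fw-01", "platform": "PA-Series", "auth_portal_enabled": True,
     "portal_sources": ["0.0.0.0/0"]},
    {"name": "branch-fw-02", "platform": "VM-Series", "auth_portal_enabled": True,
     "portal_sources": ["10.20.0.0/16", "192.168.5.0/24"]},
    {"name": "dc-fw-03", "platform": "PA-Series", "auth_portal_enabled": True,
     "portal_sources": ["10.0.0.0/8", "203.0.113.0/24"]},
    {"name": "lab-fw-04", "platform": "PA-Series", "auth_portal_enabled": False},
    {"name": "mgmt-01", "platform": "Panorama"},
]

def report(inventory):
    """Map each device name to its triage status."""
    return {fw["name"]: triage(fw) for fw in inventory}

if __name__ == "__main__":
    for name, status in sorted(report(INVENTORY).items(), key=lambda kv: kv[1]):
        print(f"{status:26} {name}")
```

A device whose portal allow-list mixes internal and public ranges (`dc-fw-03` in the sample) is treated as exposed, since one public range is enough to reach the portal from outside.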

Patch Status

Per CISA's updated guidance dated 2026-05-13, Palo Alto Networks has released patches covering affected versions; apply the patch designated for your environment. Until patching is complete, CISA's required workarounds are:

If neither patches nor mitigations can be applied, CISA's BOD 22-01 guidance is to discontinue use of the product.
