
Palo Alto Networks has issued an advisory warning that a critical buffer overflow vulnerability in PAN-OS software is being exploited in the wild.
The vulnerability is tracked as CVE-2026-0300 and is described as unauthenticated remote code execution. If the User-ID Authentication Portal is reachable from the Internet or other untrusted networks, the CVSS score is 9.3; if access to the portal is restricted to trusted internal IP addresses, the score is 8.7.
“A buffer overflow vulnerability in the User-ID Authentication Portal (also known as Captive Portal) service in Palo Alto Networks’ PAN-OS software could allow an unauthenticated attacker to execute arbitrary code with root privileges on PA Series and VM Series firewalls by sending specially crafted packets,” the company said.
According to Palo Alto Networks, the vulnerability has been used in “limited exploitation,” specifically targeting instances where the User-ID authentication portal has been left exposed. The following versions are affected by this flaw:
PAN-OS 12.1: < 12.1.4-h5, < 12.1.7
PAN-OS 11.2: < 11.2.4-h17, < 11.2.7-h13, < 11.2.10-h6, < 11.2.12
PAN-OS 11.1: < 11.1.4-h33, < 11.1.6-h32, < 11.1.7-h6, < 11.1.10-h25, < 11.1.13-h5, < 11.1.15
PAN-OS 10.2: < 10.2.7-h34, < 10.2.10-h36, < 10.2.13-h21, < 10.2.16-h7, < 10.2.18-h6
Fixes have not yet shipped; Palo Alto Networks plans to begin releasing them on May 13, 2026. The company also said the vulnerability applies only to PA-Series and VM-Series firewalls that are configured to use the User-ID Authentication Portal.
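To check a running PAN-OS version against the release list above, the following added Python script (written for this page, not Palo Alto Networks' own tooling) parses a version string such as 11.1.10-h25 and compares it with the thresholds transcribed from the list. How the "<" notation is read is an assumption about the advisory's conventions: an entry with a hotfix suffix covers only its own maintenance release, and an entry without one covers every earlier maintenance release in that train. Because the article says the fixes have not shipped yet, "at fix level" means only that a version is not below a listed threshold, not that the fix has been confirmed installed.

```python
"""
Compare a PAN-OS version string with the fix thresholds listed in the
advisory summary on this page. Added example; the reading of the "<"
notation below is an assumption, not something the article spells out.
"""
import re
from typing import Dict, List, Tuple

# Fix thresholds per release train, transcribed from the list on this page.
# Everything below a threshold within its scope is affected.
FIX_THRESHOLDS: Dict[str, List[str]] = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
             "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a tuple; a missing hotfix is 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess(version: str) -> str:
    """
    Return 'affected', 'at fix level' or 'not listed' for a PAN-OS version.

    Assumed reading of the advisory notation:
      - '< X.Y.Z-hN' scopes to the X.Y.Z maintenance release only: hotfixes
        below hN are affected, hN and later are at fix level.
      - '< X.Y.W' (no hotfix) covers every maintenance release below W in the
        train that is not already handled by a hotfix entry.
    A maintenance release later than every listed threshold in its train is
    treated as at fix level; trains the article does not list return
    'not listed' rather than a guess.
    """
    major, minor, patch, hotfix = parse_version(version)
    train = f"{major}.{minor}"
    if train not in FIX_THRESHOLDS:
        return "not listed"

    thresholds = [parse_version(v) for v in FIX_THRESHOLDS[train]]

    # Case 1: this maintenance release has its own hotfix threshold.
    for _, _, fix_patch, fix_hotfix in thresholds:
        if fix_patch == patch and fix_hotfix > 0:
            return "at fix level" if hotfix >= fix_hotfix else "affected"

    # Case 2: no hotfix entry for this release; compare the maintenance
    # number with the highest one listed for the train.
    highest_fixed_patch = max(t[2] for t in thresholds)
    return "affected" if patch < highest_fixed_patch else "at fix level"


if __name__ == "__main__":
    # Constructed sample inputs, not versions taken from real devices.
    for v in ["12.1.4-h4", "12.1.4-h5", "12.1.5", "12.1.7",
              "11.2.7-h13", "11.2.11", "10.2.17", "10.1.5"]:
        print(f"{v:>12}: {assess(v)}")
```

Feed it the sw-version value shown by the firewall's `show system info` output. A result of "not listed" for a train the advisory does not name is deliberate: the script reports only what the published list supports, and the exposure of the User-ID Authentication Portal still has to be checked separately, since the advisory says only firewalls with that portal enabled are in scope.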
“Customers who follow standard security best practices, such as restricting sensitive portals to trusted internal networks, have significantly reduced risk,” it added.
Until a fix is installed, administrators are advised to restrict access to the User-ID Authentication Portal to trusted zones only, or to disable it entirely if it is not needed.
