Palo Alto Networks Warns of Unpatched PAN-OS Zero-Day Vulnerability Under Active Attack

Critical Palo Alto Networks Zero-Day (CVE-2026-0300) Actively Exploited for RCE

CRITICAL
May 6, 2026

Related Entities

Products & Tech: PAN-OS, User-ID Authentication Portal, PA-Series, VM-Series

CVE Identifiers: CVE-2026-0300 (CRITICAL, CVSS 9.3)

Full Report

Executive Summary

On May 6, 2026, Palo Alto Networks disclosed a critical zero-day vulnerability, CVE-2026-0300, in its PAN-OS software. The vulnerability is an unauthenticated buffer overflow in the User-ID™ Authentication Portal, also known as the Captive Portal. It has been assigned a CVSS score of 9.3 and allows for remote code execution (RCE) with root privileges. The company has confirmed active, albeit limited, exploitation of this flaw in the wild, primarily targeting internet-facing portals. Patches are currently unavailable, with fixes scheduled for release in waves starting mid-May 2026. Immediate mitigation by restricting network access to the User-ID Authentication Portal is strongly recommended for all affected customers.


Vulnerability Details

The vulnerability, CVE-2026-0300, is a buffer overflow weakness within the User-ID Authentication Portal component of PAN-OS. This portal is used to authenticate users whose identity cannot be determined automatically by the firewall. An unauthenticated attacker on the network can exploit this flaw by sending a specially crafted packet to a vulnerable device. Successful exploitation results in the ability to execute arbitrary code with the highest possible privileges (root) on the firewall appliance.

The exploitability of this vulnerability is considered high, as it requires no authentication and can be triggered by a remote attacker. Palo Alto Networks notes that the exploit is automatable, increasing the risk of widespread attacks.

The attack vector is the User-ID Authentication Portal service. The risk is highest when this portal is exposed to the internet or other untrusted networks. The CVSS 9.3 rating reflects this worst-case scenario.

Affected Systems

The vulnerability impacts multiple versions of PAN-OS software running on PA-Series (hardware) and VM-Series (virtual) firewalls. According to the advisory, the following versions are affected; the hotfix release named in each entry is the planned fixed version for that branch and, at the time of writing, has not yet shipped:

  • PAN-OS versions before 12.1.4-h5
  • PAN-OS versions before 11.2.7-h13, 11.2.10-h6
  • PAN-OS versions before 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5
  • PAN-OS versions before 10.2.10-h36, 10.2.18-h6

Products that are NOT affected include:

  • Prisma Access
  • Cloud NGFW
  • Panorama appliances
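To turn the version list above into a triage check, the following Python is an added example written for this article, not tooling from Palo Alto Networks or from the advisory. It parses PAN-OS version strings of the form major.minor.maint[-hN], compares each against the planned fixed releases quoted above, and flags devices that still need a fix. The sample inventory and hostnames are constructed; the reading that a maintenance release newer than every listed fix on its train already carries the fix, and the classification of trains the advisory does not list as "unknown", are assumptions.

```python
from __future__ import annotations

import re
from typing import NamedTuple

# Planned fixed releases per PAN-OS train, exactly as quoted in the advisory
# summary above. Every release on the same train that sorts before one of
# these is affected.
FIXED_RELEASES = {
    "12.1": ("12.1.4-h5",),
    "11.2": ("11.2.7-h13", "11.2.10-h6"),
    "11.1": ("11.1.4-h33", "11.1.6-h32", "11.1.10-h25", "11.1.13-h5"),
    "10.2": ("10.2.10-h36", "10.2.18-h6"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the release carries no -hN suffix

    @property
    def train(self) -> str:
        return f"{self.major}.{self.minor}"

    def __str__(self) -> str:
        base = f"{self.major}.{self.minor}.{self.maint}"
        return f"{base}-h{self.hotfix}" if self.hotfix else base


def parse_version(text: str) -> PanosVersion:
    """Parse '11.1.6-h20' or '11.1.6' into comparable integer fields."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def assess(text: str) -> tuple[str, str]:
    """Classify one version as 'affected', 'fixed' or 'unknown', with a reason."""
    v = parse_version(text)
    fixes = FIXED_RELEASES.get(v.train)
    if fixes is None:
        return "unknown", f"train {v.train} is not listed in the advisory; check the vendor bulletin"
    for fix in sorted(parse_version(f) for f in fixes):
        if v.maint < fix.maint:
            return "affected", f"{v} predates {fix}; upgrade to {fix}"
        if v.maint == fix.maint:
            if v.hotfix < fix.hotfix:
                return "affected", f"{v} lacks the fix in {fix}; apply hotfix h{fix.hotfix}"
            return "fixed", f"{v} is at or beyond {fix}"
    # Assumption: a maintenance release newer than every listed fix on its
    # train carries the fix (the usual reading of 'versions before X').
    return "fixed", f"{v} is newer than all listed fixes on train {v.train} (assumed; verify)"


def triage_inventory(inventory):
    """Return [(hostname, version, reason)] for every affected device."""
    affected = []
    for host, version in inventory:
        status, reason = assess(version)
        if status == "affected":
            affected.append((host, version, reason))
    return affected


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.1.6-h20"),
    ("fw-edge-02", "11.2.8"),
    ("fw-dc-01", "10.2.18-h6"),
    ("fw-lab-01", "12.1.3"),
    ("fw-legacy-01", "10.1.14"),
]

if __name__ == "__main__":
    for host, version, reason in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {version:12} {reason}")
```

Feed it the hostname and version pairs from your asset inventory (the `show system info` output or Panorama's managed-device list) and act on every "affected" row first; "unknown" rows on unlisted trains such as 10.1 still need a manual check against the vendor bulletin.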

Exploitation Status

Palo Alto Networks has confirmed that CVE-2026-0300 is being actively exploited in the wild. The exploitation is described as "limited," suggesting targeted attacks rather than a widespread, indiscriminate campaign at this time. The primary targets observed are firewalls with the User-ID Authentication Portal exposed to the public internet. The Cyber Security Agency of Singapore (CSA) has also issued an alert, corroborating the active exploitation and urging organizations to take immediate action.

Impact Assessment

A successful exploit of CVE-2026-0300 grants an attacker full control over a compromised firewall. This has severe security implications:

  • Complete System Compromise: Attackers gain root access, allowing them to disable security functions, install persistent backdoors, and modify system configurations.
  • Network Pivot Point: A compromised firewall, which sits at the perimeter of a network, becomes an ideal pivot point for attackers to launch further attacks against the internal network.
  • Data Interception and Exfiltration: Attackers can monitor, modify, or redirect all traffic passing through the firewall, enabling them to steal sensitive data.
  • Denial of Service: An attacker could disable the firewall, causing a complete network outage for the organization.

Given that firewalls are critical security infrastructure, the business impact of a compromise is extremely high, potentially leading to major data breaches, operational downtime, and significant financial and reputational damage.

Cyber Observables — Hunting Hints

The following patterns may help identify vulnerable or compromised systems:

  • url_pattern: /auth/portal/
    The default path for the User-ID Authentication Portal. Check web server logs for unusual or repeated requests to this path from untrusted IPs.
  • process_name: authd
    The authentication daemon process on PAN-OS. Monitor for unexpected crashes or restarts of this process, which could indicate a failed exploit attempt.
  • log_source: system logs
    On the PAN-OS device, check system logs for entries related to the authd process crashing or any unexpected behavior related to the User-ID service.
  • network_traffic_pattern: inbound traffic to the User-ID Authentication Portal port
    Monitor for anomalous inbound connections to the configured User-ID Authentication Portal port from external, untrusted IP addresses.

Detection Methods

Security teams should focus on identifying both vulnerable configurations and signs of active exploitation.

  1. Identify Vulnerable Systems:

    • Use your asset inventory to identify all Palo Alto Networks firewalls running affected PAN-OS versions.
    • On each firewall, navigate to Device > User Identification > Authentication Portal Settings to determine if the portal is enabled and how it is configured. Check the access lists to see if it is exposed to untrusted networks.
  2. Detect Exploitation Attempts:

    • Network Traffic Analysis (D3-NTA): Monitor web access logs, firewall logs, and NetFlow data for connections to the User-ID Authentication Portal from unexpected or untrusted IP addresses. A sudden spike in traffic or connections from multiple geographically diverse IPs could indicate scanning or exploitation activity.
    • Log Analysis: Scrutinize PAN-OS system logs for any crashes or restarts of the authd process. These events might be logged with details that point to a buffer overflow or memory corruption error.
    • Endpoint Detection and Response (EDR): The firewall itself cannot run an EDR agent, so look for what follows a successful compromise: attackers will likely move laterally from the device. Monitor for unusual activity originating from the firewall's own IP addresses within the internal network, such as connections to hosts or services the firewall has no operational reason to contact.
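The two log-based detections above (portal requests from untrusted sources, and authd crash or restart events) can be run over raw log lines with the following Python. It is an added example, not a detection shipped by Palo Alto Networks or the article's author. It assumes Combined Log Format for the web access log, takes the /auth/portal/ path and authd process name from the hunting hints, and uses placeholder trusted ranges; the log lines are constructed, and real PAN-OS system-log fields will differ from the generic syslog shape used here.

```python
from __future__ import annotations

import ipaddress
import re
from collections import Counter

# Assumptions: the portal path and process name are the ones named in the
# hunting hints; the trusted ranges are placeholders for your own networks.
PORTAL_PATH = "/auth/portal/"
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Combined Log Format is assumed for the web access log; adapt the regex to
# whatever your log source actually emits.
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Keywords that suggest authd died or was restarted (a failed exploit attempt
# against a buffer overflow commonly crashes the target process).
AUTHD_EVENT_RE = re.compile(r"\bauthd\b.*\b(crash|core dump|segfault|exited|restart)", re.IGNORECASE)


def is_trusted(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # an unparseable source is never trusted
    return any(addr in net for net in TRUSTED_NETWORKS)


def hunt_portal_requests(lines, burst_threshold: int = 5):
    """Return (untrusted_hits, burst_sources).

    untrusted_hits: parsed portal requests from IPs outside TRUSTED_NETWORKS.
    burst_sources: untrusted IPs with at least burst_threshold portal requests,
    the repeated-request pattern the hunting hints describe.
    """
    hits = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m or not m["path"].startswith(PORTAL_PATH):
            continue
        if is_trusted(m["ip"]):
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "path": m["path"], "status": m["status"]})
    counts = Counter(h["ip"] for h in hits)
    bursts = sorted(ip for ip, n in counts.items() if n >= burst_threshold)
    return hits, bursts


def hunt_authd_events(lines):
    """Return system-log lines that describe authd crashing or restarting."""
    return [line for line in lines if AUTHD_EVENT_RE.search(line)]


# Constructed sample data (not real logs). 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges standing in for untrusted internet sources.
SAMPLE_ACCESS_LOG = [
    f'203.0.113.7 - - [06/May/2026:10:01:0{i} +0000] "POST /auth/portal/ HTTP/1.1" 200 512'
    for i in range(6)
] + [
    '198.51.100.9 - - [06/May/2026:10:02:11 +0000] "GET /auth/portal/?user=x HTTP/1.1" 200 1024',
    '198.51.100.9 - - [06/May/2026:10:02:12 +0000] "GET /index.html HTTP/1.1" 404 0',
    '10.20.30.40 - - [06/May/2026:10:03:00 +0000] "GET /auth/portal/ HTTP/1.1" 200 1024',
    'not a log line at all',
]
SAMPLE_SYSTEM_LOG = [
    "May  6 10:01:09 fw01 authd: process authd exited unexpectedly (signal 11), restarting",
    "May  6 10:01:10 fw01 useridd: User-ID agent connection re-established",
    "May  6 10:05:00 fw01 authd: configuration reloaded",
]

if __name__ == "__main__":
    hits, bursts = hunt_portal_requests(SAMPLE_ACCESS_LOG)
    print(f"{len(hits)} portal requests from untrusted sources; burst sources: {bursts}")
    for line in hunt_authd_events(SAMPLE_SYSTEM_LOG):
        print("authd event:", line)
```

On the constructed data the burst detector isolates 203.0.113.7 while the single request from 198.51.100.9 is still reported as an untrusted hit; tune the threshold to your baseline, and correlate an authd crash that lands seconds after a burst as a strong sign of an exploit attempt, failed or otherwise.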

Remediation Steps

As patches are not yet available, mitigation is the only course of action until the fixed releases ship.

  1. Primary Mitigation (Recommended):

    • Restrict Access: The most effective mitigation is to ensure the User-ID Authentication Portal is not exposed to untrusted networks. Modify security policies to restrict access to the portal to only trusted internal zones and specific, known IP addresses. Exposing only the services that must be reachable from the internet is a fundamental best practice regardless of this flaw.
    • Verification: After applying access restrictions, test from an external network to confirm that the portal is no longer accessible.
  2. Secondary Mitigation:

    • Disable the Portal: If the User-ID Authentication Portal is not being used, disable it entirely. This can be done under Device > User Identification > Authentication Portal Settings.
  3. Patching (When Available):

    • Palo Alto Networks plans to release patches in two waves:
      • Wave 1: Around May 13, 2026
      • Wave 2: Around May 28, 2026
    • Organizations should create a plan to apply these patches as soon as they are released, prioritizing internet-facing and critical firewalls.

Timeline of Events

  1. May 6, 2026: Palo Alto Networks publicly discloses CVE-2026-0300 and confirms active exploitation.
  2. May 6, 2026: This article was published.
  3. May 13, 2026: Projected date for the first wave of security patches from Palo Alto Networks.
  4. May 28, 2026: Projected date for the second wave of security patches from Palo Alto Networks.

MITRE ATT&CK Mitigations

  • M1051 Update Software: Apply patches for PAN-OS as soon as they become available from Palo Alto Networks. This is the definitive fix for the vulnerability.
  • M1035 Limit Access to Resource Over Network: The primary mitigation. Restrict network access to the User-ID Authentication Portal to a limited set of trusted IP addresses and internal management zones.
  • M1042 Disable or Remove Feature or Program: If the User-ID Authentication Portal is not required for business operations, disable it completely to eliminate the attack surface.
  • M1037 Filter Network Traffic: Use network filtering rules on upstream devices or within the firewall itself to block all untrusted access to the management interface and associated portals.

D3FEND Defensive Countermeasures

Implement strict inbound traffic filtering rules as the primary mitigation for CVE-2026-0300. This is not a generic recommendation; it is a critical, immediate action. Configure security policies on the Palo Alto Networks firewall itself, or on an upstream network device, to explicitly deny all traffic from the internet and other untrusted zones to the TCP port used by the User-ID Authentication Portal. The policy should follow an allowlist model, in which only specific, pre-approved IP addresses or ranges from trusted internal networks are permitted to connect. This directly addresses the attack vector by making the vulnerable service unreachable to external attackers. Regularly audit these rules, and their ordering, to ensure they have not been inadvertently relaxed: a broad allow rule placed ahead of the deny silently re-exposes the port. Note that filtering only removes the external attack path; an attacker who already has a foothold in a trusted zone can still reach the portal, so treat this as a stopgap until a patch can be applied.
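As an added example serving both the Restrict Access step under Remediation Steps and the allowlist policy described in this paragraph, the following Python models a first-match rulebase and audits whether any untrusted source can reach the portal port. It is not Palo Alto Networks code and not a model of the PAN-OS policy engine, which also evaluates zones, applications and users; it isolates the one property worth checking here, namely that no rule ahead of the deny lets an internet source through. The port number 6082, the rule names, the CIDR ranges and the probe addresses are assumptions; substitute the values from your own configuration.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Assumption: 6082 stands in for whatever TCP port your Authentication Portal
# listens on; substitute the value from your own configuration.
PORTAL_PORT = 6082


@dataclass(frozen=True)
class Rule:
    name: str
    sources: tuple[str, ...]     # CIDR strings, or ("any",)
    dest_ports: tuple[int, ...]  # empty tuple means any port
    action: str                  # "allow" or "deny"

    def matches(self, src_ip: str, port: int) -> bool:
        if self.dest_ports and port not in self.dest_ports:
            return False
        if "any" in self.sources:
            return True
        addr = ipaddress.ip_address(src_ip)
        return any(addr in ipaddress.ip_network(cidr) for cidr in self.sources)


def evaluate(rules, src_ip: str, port: int) -> tuple[str, str]:
    """First-match evaluation; an unmatched packet is denied (implicit default)."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action, rule.name
    return "deny", "<implicit-default>"


def audit_portal_exposure(rules, probes, port: int = PORTAL_PORT):
    """Return [(probe_ip, rule_name)] for every probe allowed to reach the portal port."""
    exposed = []
    for ip in probes:
        action, name = evaluate(rules, ip, port)
        if action == "allow":
            exposed.append((ip, name))
    return exposed


# Constructed rulebases (hypothetical names and ranges). The tight one follows
# the allowlist model; the relaxed one has a broad allow inserted ahead of the
# deny, which is exactly the inadvertent relaxation a periodic audit must catch.
TIGHT_RULEBASE = (
    Rule("mgmt-to-portal", ("10.10.0.0/16",), (PORTAL_PORT,), "allow"),
    Rule("untrusted-to-portal", ("any",), (PORTAL_PORT,), "deny"),
    Rule("web-to-dmz", ("any",), (80, 443), "allow"),
)
RELAXED_RULEBASE = (
    Rule("mgmt-to-portal", ("10.10.0.0/16",), (PORTAL_PORT,), "allow"),
    Rule("temporary-any-any", ("any",), (), "allow"),   # the mistake to catch
    Rule("untrusted-to-portal", ("any",), (PORTAL_PORT,), "deny"),
)
# Probe set: documentation addresses standing in for internet sources.
PROBES = ("203.0.113.5", "198.51.100.20")

if __name__ == "__main__":
    for label, rules in (("tight", TIGHT_RULEBASE), ("relaxed", RELAXED_RULEBASE)):
        print(f"{label}: untrusted sources able to reach port {PORTAL_PORT}:",
              audit_portal_exposure(rules, PROBES))
```

Run the audit against an export of your actual rulebase on every change window, with the probe set drawn from the internet-facing zones; any non-empty result names the rule that re-opened the portal, which is the rule to fix rather than the deny.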

As a direct countermeasure to CVE-2026-0300, perform an immediate review and hardening of the PAN-OS configuration. If the User-ID Authentication Portal is not essential for your operations, disable it entirely. This is the most secure configuration, as it removes the vulnerable code from the attack surface. To do this, navigate to Device > User Identification > Authentication Portal Settings and uncheck the enable box. If the portal is required, verify that it is not bound to an external-facing interface. This hardening step goes beyond just filtering traffic and constitutes a fundamental reduction of the device's attack surface, preventing this and potentially future vulnerabilities in the same component from being exploitable.

While mitigations are critical, the definitive solution is patching. Organizations must establish a proactive plan to deploy the PAN-OS updates for CVE-2026-0300 immediately upon release. Given the automatable nature of the exploit, the window for safe operation will be short. Prioritize patching for internet-facing firewalls first, followed by other critical internal firewalls. The patching plan should include pre-deployment testing in a lab environment if possible, a rollback strategy, and post-deployment verification to ensure the update was successful and has not negatively impacted operations. Monitor Palo Alto Networks' security advisories closely for the exact release schedule for your specific PAN-OS version.


Sources & References

Palo Alto Networks warns of firewall RCE zero-day exploited in attacks
BleepingComputer (bleepingcomputer.com) May 6, 2026
Root-level RCE vulnerability in Palo Alto firewalls exploited (CVE-2026-0300)
Help Net Security (helpnetsecurity.com) May 6, 2026
Active Exploitation of Palo Alto Networks PAN-OS software
Cyber Security Agency of Singapore (CSA) (csa.gov.sg) May 6, 2026

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.


Tags

CVE-2026-0300, Zero-Day, Palo Alto Networks, PAN-OS, RCE, Firewall, Active Exploitation, Buffer Overflow
