Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution
Source: The Hacker News

Overview
Palo Alto Networks has issued an advisory warning of a critical buffer overflow vulnerability in its PAN‑OS software that is being exploited in the wild. The vulnerability, tracked as CVE‑2026‑0300, allows unauthenticated remote code execution. It carries a CVSS score of 9.3 when the User‑ID Authentication Portal is exposed to the internet or any untrusted network, and 8.7 when access is limited to trusted internal IP addresses.
“A buffer overflow vulnerability in the User‑ID Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN‑OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA‑Series and VM‑Series firewalls by sending specially crafted packets,” the company stated in its advisory.
The flaw is currently being exploited in a limited manner, targeting deployments where the User‑ID Authentication Portal has been left publicly accessible.
Impacted Versions
The following PAN‑OS versions are affected:
- PAN‑OS 12.1 – versions < 12.1.4‑h5, < 12.1.7
- PAN‑OS 11.2 – versions < 11.2.4‑h17, < 11.2.7‑h13, < 11.2.10‑h6, < 11.2.12
- PAN‑OS 11.1 – versions < 11.1.4‑h33, < 11.1.6‑h32, < 11.1.7‑h6, < 11.1.10‑h25, < 11.1.13‑h5, < 11.1.15
- PAN‑OS 10.2 – versions < 10.2.7‑h34, < 10.2.10‑h36, < 10.2.13‑h21, < 10.2.16‑h7, < 10.2.18‑h6
Palo Alto Networks plans to release patches starting May 13, 2026. The vulnerability applies only to PA‑Series and VM‑Series firewalls that have the User‑ID Authentication Portal enabled.
Mitigation
Until a patch is available, users should:
- Restrict access to the User‑ID Authentication Portal to trusted internal zones only.
- Disable the portal entirely if it is not required.
For detailed guidance on securing management interfaces, see Palo Alto Networks’ recommendation: Why it’s essential to secure your management interface.
References
- Palo Alto Networks Security Advisory – CVE‑2026‑0300: https://security.paloaltonetworks.com/CVE-2026-0300