Palo Alto Networks has disclosed a critical buffer overflow vulnerability in PAN-OS that is already being exploited in the wild. The flaw, tracked as CVE-2026-0300, can allow unauthenticated attackers to run arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls when the User-ID™ Authentication Portal (captive portal) is exposed to untrusted networks. Given the ease of exploitation and the strategic value of perimeter firewalls, organizations should treat exposure as an emergency and act immediately.
What happened
Palo Alto identified a remote out-of-bounds write (CWE-787) in the Authentication Portal service that can be triggered by specially crafted network packets. The vulnerability has a high exploitability profile: it requires no authentication, no user interaction, and no special prerequisites beyond an internet- or untrusted-zone-exposed portal. Palo Alto classifies the exploit maturity as “attacked,” confirming limited in-the-wild exploitation targeting publicly reachable authentication portals.
Who is affected
The issue impacts multiple PAN-OS branches across PA-Series and VM-Series appliances. Affected versions include many 10.2, 11.1, 11.2, and 12.1 releases below specific hotfix levels. Notably, Prisma Access, Cloud NGFW, and Panorama are not affected. Importantly, the vulnerability only applies when the User-ID Authentication Portal is explicitly enabled and reachable from untrusted networks; if the portal is not in use or is locked down to trusted internal ranges, the risk is substantially reduced.
Why this is dangerous
A successful exploit gives attackers root-level control of the firewall, which can have catastrophic consequences for a network:
- Full traffic interception and manipulation at the edge
- Lateral movement into internal segments
- Credential harvesting and session hijacking
- Persistent, stealthy footholds that are difficult to detect
Because enterprise firewalls are concentrated choke points, compromising one can enable broad access to sensitive systems and data.
Immediate mitigation steps
Palo Alto Networks has begun rolling out patches across affected branches between May 13 and May 28, 2026. While patching should be the top priority, administrators who cannot immediately update should take these emergency measures:
- Restrict the Authentication Portal to trusted internal IP addresses only. Audit Device > User Identification > Authentication Portal Settings to identify any portals exposed to untrusted zones or the public internet.
- Disable the User-ID Authentication Portal entirely if it is not operationally required.
- If you have Threat Prevention licensed and are running PAN-OS 11.1 or newer, deploy the Threat Prevention signature released on May 5, 2026, to add detection and blocking for known exploit attempts.
Treat any internet-exposed portal as a critical remediation item until patches are applied.
Operational considerations for response
Security teams should first identify any internet-facing Authentication Portals, then apply configuration changes to limit their exposure. Maintain detailed logs and increase monitoring for indicators of compromise, including unusual administrative activity, unexpected configuration changes, and abnormal traffic flows. If a compromise is suspected, isolate the appliance from the network, preserve forensic evidence, and engage incident response procedures; a compromised firewall may require a full rebuild to restore integrity.
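As an added illustration (not code from the advisory or from Palo Alto Networks) of the monitoring described above, the script below runs over a few constructed firewall configuration-log lines and flags the kinds of events worth alerting on: changes by unknown admin accounts, administrative sessions from outside trusted ranges, changes outside the change window, and any edit that touches the Authentication Portal or admin-user settings. The CSV layout, admin names, ranges and configuration paths are all assumptions made for the example, not the exact PAN-OS log format.

```python
import csv
import ipaddress
from io import StringIO

# Constructed sample lines (assumption: simplified layout, not PAN-OS's real field order):
# time,type,admin,client_ip,command,config_path,result
SAMPLE_LOGS = """\
2026/05/06 09:12:01,CONFIG,netops-jane,10.1.5.20,set,deviceconfig system dns-setting,Succeeded
2026/05/06 09:14:33,CONFIG,netops-jane,10.1.5.20,commit,,Succeeded
2026/05/06 02:41:07,CONFIG,admin,203.0.113.77,set,device user-identification captive-portal,Succeeded
2026/05/06 02:41:40,CONFIG,svc-backup,203.0.113.77,set,mgt-config users,Succeeded
2026/05/06 02:42:05,CONFIG,svc-backup,203.0.113.77,commit,,Succeeded
"""

# Local baseline (assumed values for the example): who may change config, from where, and when.
KNOWN_ADMINS = {"netops-jane", "admin"}
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.1.5.0/24")]
SENSITIVE_PATHS = ("captive-portal", "mgt-config users", "authentication-profile")
CHANGE_WINDOW_HOURS = range(8, 18)  # 08:00-17:59 local time


def analyze(log_text):
    """Return (time, admin, client_ip, command, path, reasons) for each suspicious CONFIG event."""
    findings = []
    for row in csv.reader(StringIO(log_text)):
        if len(row) < 7 or row[1] != "CONFIG":
            continue  # ignore malformed rows and non-configuration log types
        time, _, admin, client, cmd, path, _result = row[:7]
        hour = int(time.split()[1].split(":")[0])
        ip = ipaddress.ip_address(client)
        reasons = []
        if admin not in KNOWN_ADMINS:
            reasons.append("unknown admin account")
        if not any(ip in net for net in TRUSTED_ADMIN_NETS):
            reasons.append("admin source outside trusted ranges")
        if hour not in CHANGE_WINDOW_HOURS:
            reasons.append("outside change window")
        if any(marker in path for marker in SENSITIVE_PATHS):
            reasons.append("touches authentication/admin settings")
        if reasons:
            findings.append((time, admin, client, cmd, path, reasons))
    return findings


if __name__ == "__main__":
    for time, admin, client, cmd, path, reasons in analyze(SAMPLE_LOGS):
        print(f"{time} {admin}@{client} {cmd} {path or '-'}: {', '.join(reasons)}")
```

The daytime changes from the known operator on the trusted management subnet produce no findings, while the three night-time events from the untrusted address, including the edit to the captive-portal settings, are each flagged with every matching reason.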
Longer-term defenses and lessons learned
This incident underscores several enduring security principles:
- Minimize the attack surface: disable features that are not needed, and tightly restrict the few that genuinely must be reachable from the internet.
- Layer defenses: combine timely patch management with detection controls (IDS/IPS, threat prevention signatures) and network segmentation to limit post-compromise impact.
- Harden privileged network elements: treat firewalls and other perimeter devices with elevated monitoring, strict change control, and periodic integrity checks.
- Incident readiness: rehearsed playbooks for rapid configuration changes, patch deployment, and forensic response reduce fallout when critical vulnerabilities emerge.
Conclusion
CVE-2026-0300 is a high-impact vulnerability that has already been weaponized against exposed PAN-OS Authentication Portals. Organizations using Palo Alto PA- or VM-Series firewalls should immediately audit Authentication Portal exposure, apply configuration mitigations, and schedule fast patching according to Palo Alto’s release timeline. Given the potential for complete firewall takeover, acting now can prevent severe downstream compromise.