Palo Alto PAN-OS 0-Day Exploited to Execute Arbitrary Code With Root Privileges on Firewalls

A critical vulnerability in Palo Alto Networks PAN-OS is putting enterprise firewalls at risk, allowing unauthenticated attackers to execute arbitrary code with root privileges.

Tracked as CVE-2026-0300, the flaw affects the User-ID Authentication Portal (Captive Portal) and has already seen limited real-world exploitation, particularly in environments where the service is exposed to the internet.

The vulnerability stems from a buffer overflow issue (CWE-787) in the authentication portal component.

By sending specially crafted packets, attackers can exploit the flaw without authentication, potentially gaining full control over affected PA-Series and VM-Series firewalls. Given that these devices often sit at the network perimeter, successful exploitation could lead to complete network compromise.

Security researchers and Palo Alto Networks warn that the risk is highest when the User-ID Authentication Portal is accessible from untrusted networks or the public internet.

According to the advisory, organizations that follow best practices, such as restricting portal access to trusted internal IP addresses, face significantly lower risk.

Affected Versions

The vulnerability impacts multiple PAN-OS versions, including 10.2, 11.1, 11.2, and 12.1 releases prior to specific patched builds. Notably, Prisma Access, Cloud NGFW, and Panorama appliances remain unaffected.

However, exploitation is only possible when certain configurations are in place:

• The User-ID Authentication Portal is enabled (either transparent or redirect mode).
• A management interface profile with “response pages” enabled is attached to an interface exposed to untrusted or internet-facing zones.

This combination creates an externally reachable attack surface, allowing threat actors to trigger the buffer overflow remotely.

CVE-2026-0300 carries a CVSS score of 9.3 (Critical), reflecting its ease of exploitation and severe impact. Palo Alto confirms that limited exploitation attempts have already been observed in the wild, primarily targeting exposed authentication portals.

Even in cases where direct internet exposure is absent, attackers on adjacent networks may still exploit the flaw, lowering the attack complexity in lateral movement scenarios.

Patches and Mitigation

Palo Alto Networks has released patches across affected versions, with additional fixes scheduled for rollout by May 28, 2026. Organizations are strongly advised to upgrade immediately to fixed versions such as:

• PAN-OS 12.1.4-h5 or 12.1.7+
• PAN-OS 11.2.4-h17, 11.2.7-h13, or 11.2.12+
• PAN-OS 11.1.4-h33, 11.1.6-h32, or 11.1.15+
• PAN-OS 10.2.7-h34 or 10.2.18-h6+

For environments where patching is delayed, Palo Alto recommends the following mitigations:

• Restrict User-ID Authentication Portal access to trusted internal networks only.
• Disable response pages on interfaces exposed to untrusted traffic.
• Completely disable the authentication portal if not required.
• Enable Threat ID 510019 (Applications and Threats version 9097-10022) for detection and blocking.

This vulnerability highlights a recurring issue in perimeter security appliances—misconfigured or exposed management and authentication services becoming high-value targets.

With attackers actively scanning for exposed portals, organizations must treat externally accessible firewall services as critical attack surfaces.

As exploitation activity continues to evolve, timely patching and strict access controls remain the most effective defenses against this high-impact flaw.