Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access

Palo Alto Networks has disclosed a critical buffer overflow vulnerability in PAN-OS software, tracked as CVE-2026-0300, that is already being actively exploited in the wild.

The flaw carries a CVSS 4.0 score of 9.3 (CRITICAL) and allows unauthenticated attackers to execute arbitrary code with full root privileges on affected PA-Series and VM-Series firewalls, with no credentials, no user interaction, and no special conditions required.

The vulnerability resides in the User-ID Authentication Portal (also known as Captive Portal) service of PAN-OS. An unauthenticated remote attacker can send specially crafted packets to trigger an out-of-bounds write (CWE-787), causing a buffer overflow that ultimately yields root-level code execution on the targeted firewall.

With a NETWORK attack vector, zero attack complexity, and no privileges required, this flaw is fully automatable, making it an ideal candidate for mass-exploitation campaigns.

The exploit maturity is classified as ATTACKED, with Palo Alto Networks confirming limited exploitation has already been observed targeting Authentication Portals exposed to untrusted IP addresses and the public internet.

Affected Products

The vulnerability impacts multiple PAN-OS versions across PA-Series and VM-Series firewalls. Affected branches include:

• PAN-OS 10.2 — versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
• PAN-OS 11.1 — versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
• PAN-OS 11.2 — versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
• PAN-OS 12.1 — versions below 12.1.4-h5 and 12.1.7

Notably, Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The vulnerability only applies to firewalls with the User-ID Authentication Portal explicitly enabled and accessible from untrusted networks.

When the Authentication Portal is internet-exposed, the CVSS score reaches its maximum threat tier at 9.3. Even in adjacent-network scenarios, the score remains a severe 8.7.

Successful exploitation results in high confidentiality, integrity, and availability impacts at the product level, effectively giving threat actors complete control over the targeted firewall.

The risk profile is particularly alarming given the concentrated value density of enterprise firewalls, which serve as critical network chokepoints.

Compromising a perimeter firewall can facilitate lateral movement, traffic interception, credential harvesting, and a full network takeover.

Palo Alto Networks has confirmed that patches are rolling out between May 13 and May 28, 2026, depending on the PAN-OS branch. Until patches are applied, administrators should immediately take one of the following actions:

• Restrict Authentication Portal access to trusted internal IP addresses only, following Palo Alto’s best practice guidelines
• Disable the User-ID Authentication Portal entirely if it is not operationally required

A Threat Prevention Signature for PAN-OS 11.1 and above was made available on May 5, 2026, providing an additional detection and blocking layer for organizations that have Threat Prevention licensed.

Security teams should audit their PAN-OS configurations immediately by navigating to Device > User Identification > Authentication Portal Settings to determine exposure.

Any portal accessible from the internet or untrusted zones should be treated as an emergency remediation priority, given confirmed in-the-wild exploitation of CVE-2026-0300.

Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.

The post Critical Palo Alto Firewalls Vulnerability Exploited in the Wild to Gain Root Access appeared first on Cyber Security News.