Active Exploitation of PAN-OS Captive Portal Flaw Gives Attackers Root on Firewalls
Palo Alto Networks disclosed CVE-2026-0300, a critical buffer overflow in the PAN-OS User-ID Authentication Portal (also called the Captive Portal) that is being exploited in the wild to achieve unauthenticated remote code execution with root privileges. The flaw is an out-of-bounds write triggered by specially crafted packets and affects exposed PA-Series and VM-Series firewalls running multiple versions in the PAN-OS 10.2, 11.1, 11.2, and 12.1 branches. Palo Alto assigned the issue a CVSS score of 9.3 when the portal is reachable from the public internet or other untrusted networks, and 8.7 when access is limited to trusted internal IP addresses.
The company said observed attacks have focused on Authentication Portal instances exposed to untrusted IP addresses, while Prisma Access, Cloud NGFW, and Panorama are not affected. At disclosure, fixes were not yet broadly available, with patch releases scheduled to begin in mid-May and continue through late May 2026. Palo Alto urged customers to immediately restrict portal access to trusted zones or internal IPs, or disable the Authentication Portal if it is not required, and said a Threat Prevention Signature for PAN-OS 11.1 and later was released as an added mitigation layer.
Timeline
May 6, 2026
Palo Alto announces patch rollout schedule for affected PAN-OS versions
Alongside the disclosure, Palo Alto said fixes for affected PAN-OS 10.2, 11.1, 11.2, and 12.1 versions would begin rolling out between May 13 and May 28, 2026. Until patches are available, customers were advised to restrict portal access to trusted internal IPs or disable the Authentication Portal if unused.
May 6, 2026
Palo Alto discloses CVE-2026-0300 under active exploitation
Palo Alto Networks disclosed CVE-2026-0300, a critical unauthenticated buffer overflow in the PAN-OS User-ID Authentication Portal that can lead to remote code execution with root privileges. The company said the flaw is being exploited in the wild, particularly against internet-exposed or otherwise untrusted portal deployments.
May 5, 2026
Palo Alto releases Threat Prevention Signature for CVE-2026-0300
Palo Alto Networks released a Threat Prevention Signature for PAN-OS 11.1 and later as a mitigation for CVE-2026-0300. The signature was made available ahead of full software patches to help reduce exploitation risk.
Related Stories

Critical Cisco Secure Email Gateway and PAN-OS Flaws Expose Perimeter Devices
Cisco disclosed a **critical vulnerability** in Secure Email Gateway appliances running affected `AsyncOS` versions when inbound mail rules use **File Analysis** (`Cisco AMP`) or **Content Filter** features and the bundled **Content Scanner Tools** are older than `23.3.0.4823`. Successful exploitation can let an attacker overwrite files at the operating-system level, enabling **root-level account creation**, configuration changes, arbitrary code execution, and denial of service. Cisco released software updates and said no alternative mitigations are available. Palo Alto Networks also issued fixes for a **serious PAN-OS management interface flaw** that allows an unauthenticated attacker to execute certain PHP scripts and affect the **integrity and confidentiality** of the firewall, though the vendor said it does not permit arbitrary remote code execution. Exploitation attempts have already been observed and proof-of-concept code is public, increasing urgency for exposed management interfaces. Palo Alto said **Cloud NGFW** and **Prisma Access** are not affected, while `PAN-OS 11.0` is out of support and will not receive a patch.
1 week ago
Critical Palo Alto GlobalProtect Command Injection Led to Active Exploitation
A critical command injection flaw in **Palo Alto Networks GlobalProtect** exposed internet-facing devices running affected `PAN-OS` versions to unauthenticated remote code execution with **root-level access**. Palo Alto confirmed the vulnerability was being exploited in the wild, and **CISA** added it to the **Known Exploited Vulnerabilities (KEV)** catalog. The issue affected systems with GlobalProtect enabled on `PAN-OS 10.2`, `11.0`, and `11.1`, and public proof-of-concept exploit code increased the urgency for defenders to patch. Finland’s National Cyber Security Centre said it issued a serious warning after receiving the first breach notifications tied to the flaw and identified several hundred potentially vulnerable Palo Alto devices in domestic networks. About 15 incident reports related to Palo Alto devices were received, though no more serious breach cases were identified. Early vendor guidance that disabling telemetry could mitigate risk was later deemed insufficient, prompting a shift to immediate patching; fixes were released for supported branches including `10.2.9-h1`, `11.0.4-h1`, and `11.1.2-h3`, after which the Finnish warning was withdrawn as the threat subsided.
1 week ago
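As an added example (not from this page, Palo Alto Networks, or any vendor tool), a small Python inventory check that parses PAN-OS release strings in their major.minor.maintenance-hN form and compares each device against the fixed releases named in the GlobalProtect story above (10.2.9-h1, 11.0.4-h1, 11.1.2-h3); the device inventory is constructed for illustration and the "-h" hotfix ordering is an assumption about how PAN-OS numbers its releases.

```python
import re
from typing import Dict, List, Tuple

# PAN-OS release strings look like "10.2.9-h1": major.minor.maintenance plus an
# optional "-hN" hotfix suffix (assumed to sort above the unsuffixed release).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Affected branches and the fixed release per branch, as named in the story
# above. Branches absent here were not named as affected in that story.
FIXED_BY_BRANCH: Dict[Tuple[int, int], str] = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into a comparable tuple (11, 1, 2, 3)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def assess(version: str, globalprotect_enabled: bool) -> str:
    """Classify one firewall: exposure needs GlobalProtect enabled on an
    affected branch at a release older than that branch's fix."""
    installed = parse_version(version)
    branch = installed[:2]
    if branch not in FIXED_BY_BRANCH:
        return "branch-not-listed"
    if not globalprotect_enabled:
        return "not-exposed"
    fixed = parse_version(FIXED_BY_BRANCH[branch])
    return "patched" if installed >= fixed else "vulnerable"

def triage(inventory: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group device names by status so the vulnerable list can be handled first."""
    result: Dict[str, List[str]] = {}
    for device in inventory:
        status = assess(str(device["version"]), bool(device["globalprotect"]))
        result.setdefault(status, []).append(str(device["name"]))
    return result

# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"name": "fw-edge-1", "version": "10.2.9", "globalprotect": True},
    {"name": "fw-edge-2", "version": "10.2.9-h1", "globalprotect": True},
    {"name": "fw-dc-1", "version": "11.1.2-h2", "globalprotect": False},
    {"name": "fw-dc-2", "version": "11.1.2-h2", "globalprotect": True},
    {"name": "fw-lab-1", "version": "11.2.0", "globalprotect": True},
]
```

Running `triage(SAMPLE_INVENTORY)` lists fw-edge-1 and fw-dc-2 as vulnerable, fw-edge-2 as patched, fw-dc-1 as not exposed, and fw-lab-1 as on a branch the story did not name.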
Palo Alto Networks PAN-OS GlobalProtect DoS Vulnerability (CVE-2026-0227)
Palo Alto Networks released fixes for **CVE-2026-0227**, a high-severity denial-of-service vulnerability in **PAN-OS** that can be triggered by an **unauthenticated** attacker when the **GlobalProtect gateway or portal** is enabled on affected next-generation firewall and *Prisma Access* configurations. Repeated exploitation attempts can force impacted firewalls into **maintenance mode**, effectively disabling protections and causing service disruption; Palo Alto Networks stated there are **no workarounds** and advised upgrading to patched releases. Reporting indicates a **proof-of-concept (PoC)** exploit exists, although Palo Alto Networks said it had **no evidence of in-the-wild exploitation** at the time of advisory publication. Exposure risk remains material given the large number of internet-facing Palo Alto Networks firewalls observed online (with Shadowserver tracking roughly **6,000** exposed devices) and ongoing scanning activity historically targeting exposed GlobalProtect endpoints; administrators should prioritize patching across affected PAN-OS and Prisma Access versions and validate whether GlobalProtect is enabled on externally reachable interfaces.
1 month ago