
Palo Alto Networks PAN-OS Critical Authentication Portal Vulnerability


Overview

  • CVE: CVE-2026-0300

  • Severity: Critical

  • CVSS: 9.3

  • Advisory Date: 7 May 2026

A critical vulnerability in the Palo Alto Networks PAN-OS User-ID Authentication Portal has been confirmed as exploited in a limited number of real-world attacks. The flaw enables unauthenticated remote code execution on the firewall under certain configurations, particularly where the captive portal is reachable from untrusted networks. Organisations running affected firewall versions should assess their exposure and put appropriate containment in place.


Affected Versions

  • PAN-OS 12.1: Versions below 12.1.4-h5 and 12.1.7

  • PAN-OS 11.2: Versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12

  • PAN-OS 11.1: Versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15

  • PAN-OS 10.2: Versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6


Vulnerability Breakdown

CVE-2026-0300 - Unauthenticated buffer overflow in User-ID Authentication Portal

  • Severity: Critical

  • CVSS: 9.3

  • Description: A buffer overflow in the User-ID Authentication Portal service of PAN-OS allows an unauthenticated attacker who can reach the portal to execute arbitrary code on the firewall by sending specially crafted packets.

  • Impact: Successful exploitation can result in arbitrary code execution with root privileges on affected PA-Series and VM-Series firewalls.

  • Conditions: The issue applies where User-ID Authentication Portal is enabled. Risk is highest when the portal is accessible from untrusted IP addresses or the public internet.

  • Notes: Palo Alto Networks has observed limited exploitation in the wild. A Threat Prevention Signature is available for customers running PAN-OS 11.1 and above.


Mitigation

  • Restrict User-ID Authentication Portal access to trusted internal IP addresses only.

  • Disable User-ID Authentication Portal if it is not required.

  • Apply the relevant fixed PAN-OS release for your branch as soon as possible.

  • Confirm Threat Prevention Signature coverage where PAN-OS 11.1 or above is in use.

  • Audit exposure under Device > User Identification > Authentication Portal Settings.
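To support the "apply the fixed release for your branch" step, the following triage helper is an added example written for this page; it is not Secure ISS or Palo Alto Networks code. It encodes the fixed releases from the Affected Versions list above and decides whether a given PAN-OS build is below the fix for its maintenance line. It assumes the usual Palo Alto reading of "versions below X, Y and Z": each listed fix governs the maintenance line it belongs to, a build whose maintenance number sits between two listed fixes is still vulnerable, and a build above the last listed fix on the branch is fixed. The `show system info` output it parses is a constructed sample; only the `sw-version:` key is relied on.

```python
"""Triage helper for CVE-2026-0300: is this PAN-OS build below the fixed release?

Added example for this advisory page, not vendor code. Fixed releases are
copied from the page's "Affected Versions" list; the range interpretation
(see is_vulnerable) is an assumption stated in the text above.
"""
import re
from typing import Optional, Tuple

# Fixed releases per branch, in ascending maintenance order, as listed above.
FIXED_RELEASES = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6",
             "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21",
             "10.2.16-h7", "10.2.18-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into ints; a missing hotfix counts as h0."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if the build is below the fix for its maintenance line,
    False if at or above it, None if the branch is not in the advisory
    (e.g. an unlisted branch that needs a separate check)."""
    major, minor, maint, hotfix = parse_version(version)
    fixes = FIXED_RELEASES.get(f"{major}.{minor}")
    if fixes is None:
        return None
    # Assumption: the first listed fix whose maintenance number is >= ours
    # governs this build. Below it with no fix of our own -> vulnerable.
    for fix in fixes:
        _, _, fix_maint, fix_hotfix = parse_version(fix)
        if maint < fix_maint:
            return True
        if maint == fix_maint:
            return hotfix < fix_hotfix
    # Newer maintenance release than the last listed fix on this branch.
    return False


def sw_version_from_system_info(text: str) -> str:
    """Pull the 'sw-version:' value out of PAN-OS 'show system info' output."""
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sw-version":
            return value.strip()
    raise ValueError("sw-version not found in output")


# Constructed sample of 'show system info' output; not from a real device.
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-3260
sw-version: 11.2.4-h16
app-version: 8900-1000
"""


def triage_system_info(text: str) -> Tuple[str, Optional[bool]]:
    """Convenience wrapper: (running version, vulnerable?) for one firewall."""
    version = sw_version_from_system_info(text)
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = triage_system_info(SAMPLE_SYSTEM_INFO)
    state = {True: "BELOW FIX - patch", False: "at/above fix", None: "branch not listed"}
    print(f"{version}: {state[vulnerable]}")
```

Paste the real `show system info` output from each firewall (or a Panorama device list) into `triage_system_info`; a `None` result means the branch is outside the four listed here and must be checked against the vendor advisory directly rather than assumed safe.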


Summary for IT Teams

  • Products: Palo Alto Networks PAN-OS on PA-Series and VM-Series firewalls

  • Threat Level: Critical, CVSS 9.3

  • Action Required: Immediately identify any exposed Authentication Portals, restrict or disable access, and patch to the appropriate fixed PAN-OS release for your branch.


Reference


Need Help?

If you need assistance assessing exposure, restricting access, or validating PAN-OS mitigations, contact Secure ISS on 1300 769 460.


Australia is secure when
Australian talent defends it.

Reach out today to discuss how with Lumara, we can work together to protect your business from the always changing Australian threat landscape.
