Critical Palo Alto PAN-OS Vulnerability CVE-2024-3400 Exploited for Root Access
Key Takeaways A critical buffer overflow vulnerability, CVE-2026-0300, has been identified in Palo Alto Networks’ PAN-OS software. The flaw carries a CVSS 4.0 score of 9.3 and allows...
Key Takeaways
- A critical buffer overflow vulnerability, CVE-2026-0300, has been identified in Palo Alto Networks’ PAN-OS software.
- The flaw carries a CVSS 4.0 score of 9.3 and allows unauthenticated attackers to achieve root-level code execution on affected firewalls.
- Active exploitation of this vulnerability has been confirmed in the wild.
- Patches are being deployed, and immediate mitigation steps are available for vulnerable systems.
Palo Alto Networks Discloses Critical PAN-OS Vulnerability Under Active Exploitation
Palo Alto Networks has issued an urgent alert regarding a severe buffer overflow vulnerability within its PAN-OS operating system. Designated as CVE-2026-0300, this critical flaw is already being actively exploited by malicious actors, posing an immediate threat to organizations utilizing affected firewalls.
Table Of Content
The vulnerability boasts a CVSS 4.0 score of 9.3 (Critical), enabling unauthenticated attackers to execute arbitrary code with full root privileges. This can be achieved on vulnerable PA-Series and VM-Series firewalls without requiring any credentials, user interaction, or specific preconditions, making it exceptionally dangerous.
Technical Details of CVE-2026-0300
The core of the vulnerability lies within the User-ID Authentication Portal (also known as Captive Portal) service of PAN-OS. Attackers can exploit this weakness by sending specially crafted network packets. This action triggers an out-of-bounds write (CWE-787), leading to a buffer overflow that ultimately grants root-level code execution capabilities on the targeted firewall.
With a network-based attack vector, zero attack complexity, and no prerequisite privileges, this flaw is highly amenable to automated exploitation. This characteristic significantly increases the potential for widespread, mass-exploitation campaigns against vulnerable systems.
Palo Alto Networks has confirmed that the exploit maturity for CVE-2026-0300 is classified as “Attacked,” indicating that limited real-world exploitation has already been observed. These attacks specifically target Authentication Portals that are exposed to untrusted IP addresses and the public internet.
Affected Products and Exposure
The vulnerability impacts various PAN-OS versions across both PA-Series and VM-Series firewalls. The specific affected branches and versions are:
- PAN-OS 10.2: versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
- PAN-OS 11.1: versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
- PAN-OS 11.2: versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
- PAN-OS 12.1: versions below 12.1.4-h5 and 12.1.7
It is important to note that Prisma Access, Cloud NGFW, and Panorama appliances are not susceptible to this vulnerability. The risk applies exclusively to firewalls where the User-ID Authentication Portal is explicitly enabled and accessible from untrusted networks.
When the Authentication Portal is directly exposed to the internet, the CVSS score reaches its maximum critical tier of 9.3. Even in scenarios where the portal is only accessible from adjacent networks, the vulnerability maintains a severe score of 8.7.
Successful exploitation of CVE-2026-0300 results in high impacts on confidentiality, integrity, and availability at the product level, effectively granting attackers complete control over the compromised firewall. This is particularly concerning given the strategic importance of enterprise firewalls as critical network chokepoints. A breach of a perimeter firewall can lead to extensive lateral movement, traffic interception, credential harvesting, and ultimately, a full network takeover.
What You Should Do
Palo Alto Networks has confirmed that patches for CVE-2026-0300 are being rolled out between May 13 and May 28, 2026, depending on the specific PAN-OS branch. Until these patches can be applied, administrators must take immediate action:
- Restrict Access: Limit access to the Authentication Portal exclusively to trusted internal IP addresses, adhering to Palo Alto’s recommended best practices.
- Disable Portal: If the User-ID Authentication Portal is not essential for operational requirements, disable it entirely.
- Apply Threat Prevention Signature: For organizations with Threat Prevention licenses, a new signature for PAN-OS 11.1 and above was made available on May 5, 2026. This provides an additional layer of detection and blocking.
- Audit Configurations: Security teams should immediately audit their PAN-OS configurations by navigating to Device > User Identification > Authentication Portal Settings to assess their current exposure.
Any Authentication Portal found to be accessible from the internet or untrusted zones should be treated as an emergency remediation priority, especially given the confirmed in-the-wild exploitation of CVE-2026-0300.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.