Palo Alto Networks Patches Critical PAN-OS Zero-Day Allowing Root Code Execution
Key Takeaways
- A critical zero-day vulnerability (CVE-2026-0300) has been discovered in Palo Alto Networks PAN-OS.
- The flaw allows unauthenticated attackers to achieve root code execution on affected PA-Series and VM-Series firewalls.
- Exploitation is active in the wild, primarily targeting the User-ID Authentication Portal when exposed to the internet.
- Palo Alto Networks has released patches, and immediate upgrades or mitigations are strongly recommended.
A severe security vulnerability in Palo Alto Networks’ PAN-OS software is placing enterprise firewalls at significant risk. The flaw, identified as CVE-2026-0300, enables unauthorized attackers to execute arbitrary code with root privileges on vulnerable devices. This critical weakness has already seen limited exploitation in real-world scenarios, particularly where the User-ID Authentication Portal (also known as Captive Portal) is directly accessible from the internet.
The vulnerability stems from a buffer overflow issue, categorized as CWE-787, within the authentication portal component. By crafting and sending specific network packets, threat actors can exploit this flaw without needing any prior authentication. This capability could grant them full control over affected PA-Series and VM-Series firewalls. Given that these firewalls are typically positioned at the edge of a network, a successful exploit could lead to a complete compromise of the entire network infrastructure.
Cybersecurity experts and Palo Alto Networks have issued warnings that the risk is highest for organizations with their User-ID Authentication Portal exposed to untrusted networks or the public internet. Conversely, the vendor’s advisory notes that organizations adhering to best practices, such as restricting portal access exclusively to trusted internal IP addresses, face a significantly reduced risk.
Affected Systems and Exposure Conditions
The vulnerability impacts several versions of PAN-OS, specifically releases 10.2, 11.1, 11.2, and 12.1 that predate the recently issued patches. It’s important to note that Palo Alto Networks’ Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this particular flaw.
However, successful exploitation is contingent on specific configurations being active on the firewall:
- The User-ID Authentication Portal must be enabled, operating in either transparent or redirect mode.
- A management interface profile with “response pages” enabled must be linked to an interface that is exposed to untrusted zones or the public internet.
This specific combination creates an externally reachable attack surface, allowing malicious actors to remotely trigger the buffer overflow condition.
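One way to check a firewall configuration for exactly this combination (portal enabled, and a management profile with response pages bound to an interface in an untrusted zone), as an added example that is not from the article or from Palo Alto Networks. The XML element names are assumptions about the PAN-OS configuration schema and the sample configuration is constructed; verify the paths against a real export before relying on the result.

```python
# Added example, not from the article or Palo Alto Networks: audit a PAN-OS XML
# configuration export for the two exposure conditions described above. The
# element names are assumptions about the PAN-OS config schema; confirm them
# against a real export before relying on this check.
import xml.etree.ElementTree as ET

def portal_enabled(root):
    """Authentication (Captive) Portal enabled in transparent or redirect mode."""
    return any(cp.findtext("enable") == "yes" and cp.findtext("mode") in ("transparent", "redirect")
               for cp in root.iter("captive-portal"))

def response_page_profiles(root):
    """Names of interface management profiles with response pages enabled."""
    return {e.get("name") for p in root.iter("interface-management-profile")
            for e in p.findall("entry") if e.findtext("response-pages") == "yes"}

def exposed_interfaces(root, untrusted_zones):
    """(interface, zone, profile) tuples for untrusted-zone interfaces bound to a risky profile."""
    risky = response_page_profiles(root)
    zone_of = {m.text: z.get("name") for zone in root.iter("zone")
               for z in zone.findall("entry") for m in z.findall("network/layer3/member")}
    findings = []
    for eth in root.iter("ethernet"):
        for ifc in eth.findall("entry"):
            prof = ifc.findtext("layer3/interface-management-profile")
            zone = zone_of.get(ifc.get("name"))
            if prof in risky and zone in untrusted_zones:
                findings.append((ifc.get("name"), zone, prof))
    return findings

def audit(xml_text, untrusted_zones=("untrust",)):
    """Report only when both conditions hold: portal on AND response pages on an exposed interface."""
    root = ET.fromstring(xml_text)
    return exposed_interfaces(root, set(untrusted_zones)) if portal_enabled(root) else []

# Constructed sample configuration (not a real device export)
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network><profiles><interface-management-profile>
  <entry name="allow-portal"><response-pages>yes</response-pages></entry>
  <entry name="ping-only"><ping>yes</ping></entry>
</interface-management-profile></profiles><interface><ethernet>
  <entry name="ethernet1/1"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
  <entry name="ethernet1/2"><layer3><interface-management-profile>ping-only</interface-management-profile></layer3></entry>
  <entry name="ethernet1/3"><layer3><interface-management-profile>allow-portal</interface-management-profile></layer3></entry>
</ethernet></interface></network><vsys><entry name="vsys1">
<captive-portal><enable>yes</enable><mode>redirect</mode></captive-portal>
<zone><entry name="untrust"><network><layer3><member>ethernet1/1</member><member>ethernet1/2</member></layer3></network></entry>
      <entry name="trust"><network><layer3><member>ethernet1/3</member></layer3></network></entry></zone>
</entry></vsys></entry></devices></config>"""
```

Running `audit(SAMPLE_CONFIG)` flags only ethernet1/1: ethernet1/2 uses a profile without response pages, and ethernet1/3 sits in a trusted zone.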
CVE-2026-0300 has been assigned a critical CVSS score of 9.3, underscoring its ease of exploitation and the severe potential impact. Palo Alto Networks has confirmed that they have observed limited attempts to exploit this vulnerability in the wild, primarily targeting authentication portals that are exposed to the internet. Even in environments without direct internet exposure, attackers on adjacent internal networks may still be able to exploit the flaw, potentially facilitating lateral movement within a compromised network.
Patches and Mitigation
Palo Alto Networks has released security patches for the affected PAN-OS versions, with additional fixes anticipated to be rolled out by May 28, 2026. Organizations are strongly advised to upgrade their systems immediately to the following patched versions or later:
- PAN-OS 12.1.4-h5 or 12.1.7+
- PAN-OS 11.2.4-h17, 11.2.7-h13, or 11.2.12+
- PAN-OS 11.1.4-h33, 11.1.6-h32, or 11.1.15+
- PAN-OS 10.2.7-h34 or 10.2.18-h6+
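The hotfix notation in that list is easy to misread by hand (12.1.5 and 12.1.6, for example, are not covered by either "12.1.4-h5" or "12.1.7+"). The following added example, not vendor tooling, parses a PAN-OS version string and compares it against the fixed releases exactly as the article lists them: an entry without "+" covers only that maintenance release at or above the given hotfix, an entry with "+" covers that release and everything later on the same branch. It assumes the article's list is complete.

```python
# Added example, not Palo Alto Networks tooling: is a given PAN-OS version at or
# past one of the fixed releases listed in the article for CVE-2026-0300?
import re

# Fixed releases copied from the article; assumed complete for this example.
FIXED_RELEASES = ["12.1.4-h5", "12.1.7+", "11.2.4-h17", "11.2.7-h13", "11.2.12+",
                  "11.1.4-h33", "11.1.6-h32", "11.1.15+", "10.2.7-h34", "10.2.18-h6+"]

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?(\+)?$")

def parse(version):
    """Return ((major, minor), maintenance, hotfix, open_ended) for '11.2.7-h13' or '11.2.12+'."""
    m = _VER.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix, plus = m.groups()
    return (int(major), int(minor)), int(maint), int(hotfix or 0), plus == "+"

def is_fixed(version):
    """True if at or past a listed fix, False if still vulnerable per the list,
    None if the release branch is not one the article lists as affected."""
    branch, maint, hotfix, _ = parse(version)
    branch_fixes = [f for f in map(parse, FIXED_RELEASES) if f[0] == branch]
    if not branch_fixes:
        return None
    for _, fix_maint, fix_hotfix, open_ended in branch_fixes:
        # "X.Y.Z+" / "X.Y.Z-hN+": this release or anything later on the branch is fixed
        if open_ended and (maint, hotfix) >= (fix_maint, fix_hotfix):
            return True
        # "X.Y.Z-hN": only that maintenance release, at hotfix N or later, is fixed
        if not open_ended and maint == fix_maint and hotfix >= fix_hotfix:
            return True
    return False
```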
For organizations unable to apply patches immediately, Palo Alto Networks has provided several recommended mitigation strategies:
- Restrict access to the User-ID Authentication Portal so it is only reachable from trusted internal networks.
- Disable “response pages” on any interfaces that are exposed to untrusted network traffic.
- If the authentication portal is not a required service, disable it completely.
- Enable Threat ID 510019 (available in Applications and Threats version 9097-10022 or newer) to detect and block exploitation attempts.
This vulnerability underscores a persistent challenge in securing network perimeter appliances: management and authentication services, if misconfigured or exposed, become prime targets for attackers. With threat actors actively scanning for exposed portals, organizations must treat all externally accessible firewall services as critical attack surfaces. As exploitation activities continue to evolve, prompt patching and stringent access controls remain the most effective defenses against this high-impact flaw.
What You Should Do
- Immediately assess your PAN-OS firewall configurations to determine if the User-ID Authentication Portal and “response pages” are exposed to untrusted networks or the internet.
- Prioritize applying the recommended patches for your specific PAN-OS version as soon as possible.
- If immediate patching is not feasible, implement the provided mitigation steps, focusing on restricting access to the User-ID Authentication Portal and disabling unnecessary response pages.
- Ensure your Threat Prevention signatures are up to date and Threat ID 510019 is enabled.
- Regularly review and audit firewall configurations to ensure that management and authentication interfaces are not unnecessarily exposed.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.