Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Microsoft Teams macOS Bug Exposes Screen Sharing Content
July 12, 2026
Apple Sues OpenAI and Ex-Staff Over Alleged Trade Secret Theft
July 12, 2026
Ghostcommit Attack Hides Malicious Prompts in Images to Exploit AI Agents
July 11, 2026
Home/CyberSecurity News/Critical Palo Alto PAN-OS Vulnerability CVE-2024-3400 Exploited for Root Access
CyberSecurity News

Critical Palo Alto PAN-OS Vulnerability CVE-2024-3400 Exploited for Root Access

Key Takeaways A critical buffer overflow vulnerability, CVE-2026-0300, has been identified in Palo Alto Networks’ PAN-OS software. The flaw carries a CVSS 4.0 score of 9.3 and allows...

David kimber
David kimber
May 6, 2026 3 Min Read
38 0

Key Takeaways

  • A critical buffer overflow vulnerability, CVE-2026-0300, has been identified in Palo Alto Networks’ PAN-OS software.
  • The flaw carries a CVSS 4.0 score of 9.3 and allows unauthenticated attackers to achieve root-level code execution on affected firewalls.
  • Active exploitation of this vulnerability has been confirmed in the wild.
  • Patches are being deployed, and immediate mitigation steps are available for vulnerable systems.

Palo Alto Networks Discloses Critical PAN-OS Vulnerability Under Active Exploitation

Palo Alto Networks has issued an urgent alert regarding a severe buffer overflow vulnerability within its PAN-OS operating system. Designated as CVE-2026-0300, this critical flaw is already being actively exploited by malicious actors, posing an immediate threat to organizations utilizing affected firewalls.

Table Of Content

  • Key Takeaways
  • Palo Alto Networks Discloses Critical PAN-OS Vulnerability Under Active Exploitation
  • Technical Details of CVE-2026-0300
  • Affected Products and Exposure
  • What You Should Do

The vulnerability boasts a CVSS 4.0 score of 9.3 (Critical), enabling unauthenticated attackers to execute arbitrary code with full root privileges. This can be achieved on vulnerable PA-Series and VM-Series firewalls without requiring any credentials, user interaction, or specific preconditions, making it exceptionally dangerous.

Technical Details of CVE-2026-0300

The core of the vulnerability lies within the User-ID Authentication Portal (also known as Captive Portal) service of PAN-OS. Attackers can exploit this weakness by sending specially crafted network packets. This action triggers an out-of-bounds write (CWE-787), leading to a buffer overflow that ultimately grants root-level code execution capabilities on the targeted firewall.

With a network-based attack vector, zero attack complexity, and no prerequisite privileges, this flaw is highly amenable to automated exploitation. This characteristic significantly increases the potential for widespread, mass-exploitation campaigns against vulnerable systems.

Palo Alto Networks has confirmed that the exploit maturity for CVE-2026-0300 is classified as “Attacked,” indicating that limited real-world exploitation has already been observed. These attacks specifically target Authentication Portals that are exposed to untrusted IP addresses and the public internet.

Affected Products and Exposure

The vulnerability impacts various PAN-OS versions across both PA-Series and VM-Series firewalls. The specific affected branches and versions are:

  • PAN-OS 10.2: versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6
  • PAN-OS 11.1: versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15
  • PAN-OS 11.2: versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12
  • PAN-OS 12.1: versions below 12.1.4-h5 and 12.1.7

It is important to note that Prisma Access, Cloud NGFW, and Panorama appliances are not susceptible to this vulnerability. The risk applies exclusively to firewalls where the User-ID Authentication Portal is explicitly enabled and accessible from untrusted networks.

When the Authentication Portal is directly exposed to the internet, the CVSS score reaches its maximum critical tier of 9.3. Even in scenarios where the portal is only accessible from adjacent networks, the vulnerability maintains a severe score of 8.7.

Successful exploitation of CVE-2026-0300 results in high impacts on confidentiality, integrity, and availability at the product level, effectively granting attackers complete control over the compromised firewall. This is particularly concerning given the strategic importance of enterprise firewalls as critical network chokepoints. A breach of a perimeter firewall can lead to extensive lateral movement, traffic interception, credential harvesting, and ultimately, a full network takeover.

What You Should Do

Palo Alto Networks has confirmed that patches for CVE-2026-0300 are being rolled out between May 13 and May 28, 2026, depending on the specific PAN-OS branch. Until these patches can be applied, administrators must take immediate action:

  • Restrict Access: Limit access to the Authentication Portal exclusively to trusted internal IP addresses, adhering to Palo Alto’s recommended best practices.
  • Disable Portal: If the User-ID Authentication Portal is not essential for operational requirements, disable it entirely.
  • Apply Threat Prevention Signature: For organizations with Threat Prevention licenses, a new signature for PAN-OS 11.1 and above was made available on May 5, 2026. This provides an additional layer of detection and blocking.
  • Audit Configurations: Security teams should immediately audit their PAN-OS configurations by navigating to Device > User Identification > Authentication Portal Settings to assess their current exposure.

Any Authentication Portal found to be accessible from the internet or untrusted zones should be treated as an emergency remediation priority, especially given the confirmed in-the-wild exploitation of CVE-2026-0300.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurityThreatVulnerability

Share Article

David kimber

David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.

Previous Post

Optimize SOC Costs with Better Threat Intelligence

Next Post

Critical Azure AD Flaw Bypassed Conditional Access, Exposing Cloud Resources

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
CISA Report Details Lessons Learned From AWS GovCloud Credential Leak
July 11, 2026
281 Android VPN Apps Leak Sensitive Data, Transfer Data Unencrypted
July 11, 2026
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us