Palo Alto Networks Patches Critical PAN-OS Zero-Day Allowing Root Code Execution

David kimber
May 14, 2026

Key Takeaways

  • A critical zero-day vulnerability (CVE-2026-0300) has been discovered in Palo Alto Networks PAN-OS.
  • The flaw allows unauthenticated attackers to achieve root code execution on affected PA-Series and VM-Series firewalls.
  • Exploitation is active in the wild, primarily targeting the User-ID Authentication Portal when exposed to the internet.
  • Palo Alto Networks has released patches, and immediate upgrades or mitigations are strongly recommended.

A severe security vulnerability in Palo Alto Networks’ PAN-OS software is placing enterprise firewalls at significant risk. The flaw, identified as CVE-2026-0300, enables unauthorized attackers to execute arbitrary code with root privileges on vulnerable devices. This critical weakness has already seen limited exploitation in real-world scenarios, particularly where the User-ID Authentication Portal (also known as Captive Portal) is directly accessible from the internet.

The vulnerability stems from a buffer overflow issue, categorized as CWE-787, within the authentication portal component. By crafting and sending specific network packets, threat actors can exploit this flaw without needing any prior authentication. This capability could grant them full control over affected PA-Series and VM-Series firewalls. Given that these firewalls are typically positioned at the edge of a network, a successful exploit could lead to a complete compromise of the entire network infrastructure.

Cybersecurity experts and Palo Alto Networks have issued warnings that the risk is highest for organizations with their User-ID Authentication Portal exposed to untrusted networks or the public internet. Conversely, the vendor’s advisory notes that organizations adhering to best practices, such as restricting portal access exclusively to trusted internal IP addresses, face a significantly reduced risk.

Affected Systems and Exposure Conditions

The vulnerability impacts several versions of PAN-OS, specifically releases 10.2, 11.1, 11.2, and 12.1 that predate the recently issued patches. It’s important to note that Palo Alto Networks’ Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this particular flaw.

However, successful exploitation is contingent on specific configurations being active on the firewall:

  • The User-ID Authentication Portal must be enabled, operating in either transparent or redirect mode.
  • A management interface profile with “response pages” enabled must be linked to an interface that is exposed to untrusted zones or the public internet.

This specific combination creates an externally reachable attack surface, allowing malicious actors to remotely trigger the buffer overflow condition.

CVE-2026-0300 has been assigned a critical CVSS score of 9.3, underscoring its ease of exploitation and the severe potential impact. Palo Alto Networks has confirmed that they have observed limited attempts to exploit this vulnerability in the wild, primarily targeting authentication portals that are exposed to the internet. Even in environments without direct internet exposure, attackers on adjacent internal networks may still be able to exploit the flaw, potentially facilitating lateral movement within a compromised network.

Patches and Mitigation

Palo Alto Networks has released security patches for the affected PAN-OS versions, with additional fixes anticipated to be rolled out by May 28, 2026. Organizations are strongly advised to upgrade their systems immediately to the following patched versions or later:

  • PAN-OS 12.1.4-h5 or 12.1.7+
  • PAN-OS 11.2.4-h17, 11.2.7-h13, or 11.2.12+
  • PAN-OS 11.1.4-h33, 11.1.6-h32, or 11.1.15+
  • PAN-OS 10.2.7-h34 or 10.2.18-h6+
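
To check a firewall inventory against the list above, the following Python is an added example, not code from Palo Alto Networks or from the original article. The function names and the sample inventory are constructed for illustration. It assumes that a maintenance release with no listed hotfix, and below the open-ended "+" release for its train, is still vulnerable.

```python
import re

# Fixed releases as listed in this article: train -> [(maintenance, hotfix, open_ended)].
# open_ended=True marks the entries the article writes with a trailing "+".
FIXED = {
    "12.1": [(4, 5, False), (7, 0, True)],
    "11.2": [(4, 17, False), (7, 13, False), (12, 0, True)],
    "11.1": [(4, 33, False), (6, 32, False), (15, 0, True)],
    "10.2": [(7, 34, False), (18, 6, True)],
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into (train, maintenance, hotfix)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)

def patch_status(text):
    """Return 'patched', 'vulnerable' or 'not-listed' for one version string."""
    train, maint, hotfix = parse_version(text)
    if train not in FIXED:
        return "not-listed"  # the article names only 10.2, 11.1, 11.2 and 12.1
    for fix_maint, fix_hotfix, open_ended in FIXED[train]:
        # Same maintenance release, hotfix at or above the fixed hotfix.
        if maint == fix_maint and hotfix >= fix_hotfix:
            return "patched"
        # Open-ended entry: any later maintenance release also carries the fix.
        if open_ended and maint > fix_maint:
            return "patched"
    # Assumption: anything else in an affected train is treated as vulnerable.
    return "vulnerable"

def triage(inventory):
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: patch_status(ver) for host, ver in inventory.items()}

# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE = {"fw-edge-1": "11.2.4-h16", "fw-edge-2": "11.2.7-h13",
          "fw-dc-1": "11.2.8", "fw-lab-1": "10.2.18-h6", "fw-old": "10.1.14"}

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:10} {SAMPLE[host]:12} {status}")
```

A "not-listed" result means the release train is outside the four named in this article, not that the device is safe; confirm those against the vendor advisory.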

For organizations unable to apply patches immediately, Palo Alto Networks has provided several recommended mitigation strategies:

  • Restrict access to the User-ID Authentication Portal so it is only reachable from trusted internal networks.
  • Disable “response pages” on any interfaces that are exposed to untrusted network traffic.
  • If the authentication portal is not a required service, disable it completely.
  • Enable Threat ID 510019 (available in Applications and Threats version 9097-10022 or newer) to detect and block exploitation attempts.

This vulnerability underscores a persistent challenge in securing network perimeter appliances: management and authentication services, if misconfigured or exposed, become prime targets for attackers. With threat actors actively scanning for exposed portals, organizations must treat all externally accessible firewall services as critical attack surfaces. As exploitation activities continue to evolve, prompt patching and stringent access controls remain the most effective defenses against this high-impact flaw.

What You Should Do

  • Immediately assess your PAN-OS firewall configurations to determine if the User-ID Authentication Portal and “response pages” are exposed to untrusted networks or the internet.
  • Prioritize applying the recommended patches for your specific PAN-OS version as soon as possible.
  • If immediate patching is not feasible, implement the provided mitigation steps, focusing on restricting access to the User-ID Authentication Portal and disabling unnecessary response pages.
  • Ensure your Threat Prevention signatures are up to date and Threat ID 510019 is enabled.
  • Regularly review and audit firewall configurations to ensure that management and authentication interfaces are not unnecessarily exposed.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.
