Palo Alto PAN-OS Zero-Day Lets Attackers Run Code With Root Privileges On Firewalls


Palo Alto Networks has disclosed a critical PAN-OS vulnerability that allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls.

The flaw, tracked as CVE-2026-0300, affects the User-ID Authentication Portal, also known as Captive Portal, in PAN-OS. Palo Alto Networks says limited exploitation has already targeted portals exposed to untrusted IP addresses or the public internet.

The risk applies to PA-Series and VM-Series firewalls that run affected PAN-OS versions and meet the required exposure conditions. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.

What is CVE-2026-0300?

CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal service of PAN-OS. Palo Alto Networks rates the issue critical with a CVSS 4.0 score of 9.3.

An attacker can exploit the bug by sending specially crafted packets to a vulnerable portal. Successful exploitation can give the attacker arbitrary code execution with root privileges on the firewall.

This makes the flaw especially dangerous because firewalls often sit at the edge of enterprise networks. A compromised firewall can become a foothold for deeper network access, credential theft, traffic inspection, or stealthy persistence.

CVE ID: CVE-2026-0300
Product: Palo Alto Networks PAN-OS
Affected component: User-ID Authentication Portal, also known as Captive Portal
Vulnerability type: Buffer overflow, CWE-787 out-of-bounds write
Severity: Critical, CVSS 4.0 score of 9.3
Impact: Unauthenticated remote code execution with root privileges
Exploit status: Limited exploitation observed

Which systems are exposed?

The vulnerability affects PA-Series and VM-Series firewalls only when the vulnerable service and interface exposure conditions are present.

Administrators should check whether the User-ID Authentication Portal is enabled in transparent or redirect mode. They should also check whether an interface management profile with response pages enabled is attached to an L3 interface in a zone where untrusted or internet traffic can enter.

If both conditions are true, the device has the exposure path described in Palo Alto’s advisory. Organizations that restrict sensitive portals to trusted internal networks face significantly lower risk.

  • The User-ID Authentication Portal must be enabled.
  • The portal runs in transparent or redirect mode.
  • An interface management profile must have response pages enabled.
  • That profile must sit on an L3 interface reachable from an untrusted or internet-facing zone.
  • The highest risk comes from portals exposed to the public internet or untrusted networks.

Affected PAN-OS versions

CVE-2026-0300 affects multiple PAN-OS release branches, including 10.2, 11.1, 11.2, and 12.1. Administrators should use Palo Alto’s official advisory to map their exact release branch to the right fixed build.

Several fixed builds are already listed, while some release-track fixes carry a May 28, 2026 target date in the advisory. Organizations should not wait for a preferred branch if a supported fixed version is already available for their environment.

Unsupported PAN-OS versions should move to a supported fixed release. Palo Alto Networks lists no required action for Prisma Access and Cloud NGFW, and says Panorama appliances are not impacted by this vulnerability.

PAN-OS 12.1
  Affected versions: earlier than 12.1.4-h5 or 12.1.7
  Fixed guidance: upgrade to 12.1.4-h5 or 12.1.7 or later where available
PAN-OS 11.2
  Affected versions: earlier than 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, or 11.2.12
  Fixed guidance: upgrade to the fixed build for the active release track
PAN-OS 11.1
  Affected versions: earlier than 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15
  Fixed guidance: upgrade to the fixed build for the active release track
PAN-OS 10.2
  Affected versions: earlier than 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6
  Fixed guidance: upgrade to the fixed build for the active release track
Prisma Access: not affected, no action needed for this CVE
Cloud NGFW: not affected, no action needed for this CVE
Panorama: not affected, no action needed for this CVE
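The fix table is easy to misread on a device that runs a maintenance release with no listed hotfix (11.1.8, say, which sits between 11.1.7-h6 and 11.1.10-h25). The Python script below is an added example, not Palo Alto Networks' tooling: it encodes the fixed builds exactly as listed above and applies a deliberately conservative rule that is my assumption rather than the vendor's. A version counts as fixed only if it is at or above a listed hotfix on its own maintenance release, or at or above the branch's plain fixed release (such as 11.1.15); anything else on an affected branch is reported as affected with the nearest listed build as the upgrade target, a version newer than every listed build is flagged for review, and a branch missing from the table (10.1, 11.0) is reported as unsupported. The function names `parse_version` and `check_version` are chosen for this example. Confirm anything it flags against the advisory.

```python
"""Map a running PAN-OS version to the CVE-2026-0300 fix table above.

Added example, not Palo Alto Networks' tooling. FIXED_BUILDS is copied
from the table in this article; the comparison rule in check_version is a
conservative assumption, so confirm flagged devices against the advisory.
"""
import re

# Fixed builds per release branch. A plain release with no -h suffix (for
# example 11.1.15) is read as that release and every later maintenance
# release in the branch.
FIXED_BUILDS = {
    "12.1": ["12.1.4-h5", "12.1.7"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
             "11.1.13-h5", "11.1.15"],
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7",
             "10.2.18-h6"],
}

# Accepts major.minor.maint with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'11.1.4-h33' -> (11, 1, 4, 33); a base release gets hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def check_version(text):
    """Classify one version.

    Returns {'status': 'fixed' | 'affected' | 'review' | 'unsupported',
             'upgrade_to': <nearest listed fixed build or None>}.
    'fixed' requires the version to be at or above a listed hotfix on its
    own maintenance release, or at or above the branch's plain fixed
    release. 'review' means it is newer than every listed build for its
    branch without matching either rule.
    """
    ver = parse_version(text)
    fixes = FIXED_BUILDS.get(f"{ver[0]}.{ver[1]}")
    if fixes is None:
        # 10.1, 11.0 and similar are not in the table; the advisory says
        # to move unsupported versions to a supported fixed release.
        return {"status": "unsupported", "upgrade_to": None}

    parsed = [(parse_version(f), f) for f in fixes]
    for fv, _ in parsed:
        same_maint = fv[:3] == ver[:3]
        plain_release = fv[3] == 0
        if (same_maint or plain_release) and ver >= fv:
            return {"status": "fixed", "upgrade_to": None}

    # Prefer the hotfix on the running maintenance release, otherwise the
    # next listed build above it.
    same = [label for fv, label in parsed if fv[:3] == ver[:3]]
    later = [label for fv, label in parsed if fv > ver]
    if same:
        return {"status": "affected", "upgrade_to": same[0]}
    if later:
        return {"status": "affected", "upgrade_to": later[0]}
    return {"status": "review", "upgrade_to": None}


if __name__ == "__main__":
    for v in ["11.1.4-h12", "11.1.8", "11.1.15", "10.2.19", "11.0.3"]:
        print(f"{v:12} {check_version(v)}")
```

Feed it the `sw-version` value from each device's system information; the `review` status exists precisely because the advisory's "earlier than" wording does not say whether a maintenance release above the highest listed hotfix in a branch carries the fix, and guessing in the optimistic direction is how an exposed firewall stays unpatched.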

Exploitation has already been observed

Palo Alto Networks says limited exploitation has targeted User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. The company also marked the advisory as “attacked” and said the issue was discovered in production use.

Unit 42 is tracking a likely state-sponsored activity cluster exploiting the flaw. According to its threat brief, attackers used CVE-2026-0300 to achieve remote code execution in PAN-OS and inject shellcode into an nginx worker process.

Post-exploitation activity included public tunneling tools, Active Directory enumeration with credentials likely obtained from the firewall, and attempts to remove evidence. Unit 42 said the attackers cleared crash messages, deleted nginx crash records, and removed crash core dump files.

Why exposed firewalls are high-value targets

Perimeter firewalls are attractive targets because they sit between the internet and internal networks. They often process authentication flows, inspect traffic, and connect to identity systems.

If attackers gain root-level execution on a firewall, they may be able to tamper with logs, deploy tunneling tools, monitor traffic, steal credentials, or pivot toward internal services.

That risk increases when authentication portals or response pages face untrusted traffic. Even a feature that serves legitimate user authentication can become an entry point when exposed without strict access controls.

Mitigations for delayed patching

Palo Alto Networks recommends upgrading to a fixed PAN-OS version as the primary solution. If an organization cannot patch immediately, it should reduce exposure by restricting portal access to trusted zones and disabling response pages on interfaces that face untrusted traffic.

The most important mitigation is to restrict User-ID Authentication Portal access to trusted zones only. Administrators should also disable response pages in the Interface Management Profile attached to every L3 interface where untrusted or internet traffic can enter.

If the User-ID Authentication Portal is not required, administrators should disable it. Customers with an Advanced Threat Prevention subscription can also enable Threat ID 510019 with the content version specified in Palo Alto’s current guidance.

  1. Check whether User-ID Authentication Portal is enabled.
  2. Confirm whether the portal is reachable from untrusted zones or the public internet.
  3. Review Interface Management Profiles for response pages on exposed L3 interfaces.
  4. Restrict portal access to trusted internal zones only.
  5. Disable response pages on interfaces where untrusted traffic can ingress.
  6. Disable User-ID Authentication Portal if the feature is not required.
  7. Enable Threat ID 510019 if the firewall has the required subscription and supported PAN-OS version.
  8. Upgrade to the appropriate fixed PAN-OS release as soon as possible.
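The exposure conditions listed under "Which systems are exposed?" and steps 1 to 3 above can all be answered from an exported running configuration rather than by clicking through every interface. The Python script below is an added example, not Palo Alto Networks' code: it parses a config extract and reports whether the portal is enabled in transparent or redirect mode, which interface management profiles serve response pages, and which L3 interfaces (physical, sub-interface or otherwise) in an untrusted zone carry such a profile. The element paths it uses (captive-portal settings under each vsys, profiles under network/profiles, zone membership under vsys/zone) are assumptions about the PAN-OS XML config schema, the `UNTRUSTED_ZONES` set is an input you supply, and `SAMPLE_CONFIG` is constructed for the example; verify the paths against an export from your own device.

```python
"""Check the CVE-2026-0300 exposure conditions against an exported PAN-OS
running configuration.

Added example, not Palo Alto Networks' code. Element paths assume the
PAN-OS XML config schema; confirm them against a real export.
"""
import xml.etree.ElementTree as ET

# Zones that carry untrusted or internet traffic: an assumption, adjust it.
UNTRUSTED_ZONES = {"untrust", "guest"}

# Constructed sample: portal on in redirect mode; "allow-portal" serves
# response pages and sits on ethernet1/1 (untrust), ethernet1/2 (trust)
# and sub-interface ethernet1/3.10 (guest); "ping-only" does not.
SAMPLE_CONFIG = """<config>
<devices><entry name="localhost.localdomain">
 <network>
  <profiles><interface-management-profile>
   <entry name="allow-portal"><response-pages>yes</response-pages></entry>
   <entry name="ping-only"><ping>yes</ping></entry>
  </interface-management-profile></profiles>
  <interface><ethernet>
   <entry name="ethernet1/1"><layer3>
    <interface-management-profile>allow-portal</interface-management-profile>
   </layer3></entry>
   <entry name="ethernet1/2"><layer3>
    <interface-management-profile>allow-portal</interface-management-profile>
   </layer3></entry>
   <entry name="ethernet1/3"><layer3>
    <interface-management-profile>ping-only</interface-management-profile>
    <units><entry name="ethernet1/3.10">
     <interface-management-profile>allow-portal</interface-management-profile>
    </entry></units>
   </layer3></entry>
  </ethernet></interface>
 </network>
 <vsys><entry name="vsys1">
  <captive-portal>
   <enable-captive-portal>yes</enable-captive-portal><mode>redirect</mode>
  </captive-portal>
  <zone>
   <entry name="untrust"><network><layer3><member>ethernet1/1</member>
    <member>ethernet1/3</member></layer3></network></entry>
   <entry name="trust"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
   <entry name="guest"><network><layer3><member>ethernet1/3.10</member></layer3></network></entry>
  </zone>
 </entry></vsys>
</entry></devices>
</config>"""


def portal_enabled(root):
    """True if any vsys runs the portal in transparent or redirect mode."""
    for cp in root.iterfind(".//vsys/entry/captive-portal"):
        on = (cp.findtext("enable-captive-portal") or "no").strip() == "yes"
        mode = (cp.findtext("mode") or "").strip()
        if on and mode in ("transparent", "redirect"):
            return True
    return False


def response_page_profiles(root):
    """Names of interface management profiles that serve response pages."""
    path = ".//network/profiles/interface-management-profile/entry"
    return {p.get("name") for p in root.iterfind(path)
            if (p.findtext("response-pages") or "no").strip() == "yes"}


def interface_zones(root):
    """interface name -> zone name, from each vsys's L3 zone membership."""
    zones = {}
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        for member in zone.iterfind("network/layer3/member"):
            zones[(member.text or "").strip()] = zone.get("name")
    return zones


def interface_profiles(root):
    """interface name -> management profile, for any interface entry that
    carries one directly (sub-interfaces, loopbacks) or under <layer3>."""
    profiles = {}
    for entry in root.iterfind(".//network/interface//entry"):
        prof = (entry.findtext("interface-management-profile")
                or entry.findtext("layer3/interface-management-profile"))
        if prof:
            profiles[entry.get("name")] = prof.strip()
    return profiles


def exposed_interfaces(root, untrusted=UNTRUSTED_ZONES):
    """(interface, profile, zone) for every interface in an untrusted zone
    whose management profile has response pages enabled."""
    serving = response_page_profiles(root)
    zones = interface_zones(root)
    hits = [(iface, prof, zones.get(iface))
            for iface, prof in interface_profiles(root).items()
            if prof in serving and zones.get(iface) in untrusted]
    return sorted(hits)


def assess(xml_text, untrusted=UNTRUSTED_ZONES):
    """Both advisory conditions must hold for the exposure path to exist."""
    root = ET.fromstring(xml_text)
    portal = portal_enabled(root)
    exposed = exposed_interfaces(root, untrusted)
    return {"portal_enabled": portal, "exposed": exposed,
            "exposure_path": portal and bool(exposed)}


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG))
```

On the constructed sample the script reports two exposed interfaces, ethernet1/1 and ethernet1/3.10, and ignores ethernet1/2 (trusted zone) and ethernet1/3 (no response pages). Each line of the `exposed` list is a concrete target for steps 4 and 5: either move that interface's profile to one without response pages or restrict the portal to trusted zones, then re-run against a fresh export to confirm `exposure_path` is false.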

Organizations with exposed Authentication Portals should treat the situation as more than a normal patching task. Since exploitation has already occurred in the wild, administrators should check for signs of compromise before and after remediation.

Security teams should review firewall logs, crash logs, authentication activity, and outbound connections from the firewall. They should also look for tunneling tools, unexpected processes, nginx worker anomalies, suspicious SAML activity, and evidence of log deletion.

If a device shows signs of compromise, teams should preserve evidence, isolate exposure, rotate credentials that touched the firewall, and contact incident response support. Rebuilding from a trusted image may be necessary in severe cases.

  • Review portal exposure and public reachability.
  • Check for unusual crash logs or missing crash records.
  • Look for signs of shellcode injection or unusual nginx worker behavior.
  • Search for tunneling tools such as EarthWorm or ReverseSocks5.
  • Review Active Directory activity tied to firewall service accounts.
  • Investigate unusual SAML traffic or authentication floods.
  • Rotate firewall-linked service account credentials if compromise is suspected.
  • Preserve logs before making disruptive changes where possible.

What administrators should do now

Administrators should first identify every PA-Series and VM-Series firewall running PAN-OS 10.2, 11.1, 11.2, or 12.1. They should then check whether the User-ID Authentication Portal is enabled and exposed to untrusted traffic.

Internet-facing portals should receive the highest priority. If a fixed build is available for the active branch, the device should move to that release after normal emergency change controls.

For branches where a preferred fixed build is not yet available, teams should apply Palo Alto’s exposure-reduction guidance immediately and monitor the advisory for the exact fixed version. Delaying both mitigation and patching leaves perimeter infrastructure exposed to an actively exploited zero-day.

FAQ

What is CVE-2026-0300 in PAN-OS?

CVE-2026-0300 is a critical buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal, also known as Captive Portal. It can allow an unauthenticated attacker to execute arbitrary code with root privileges on affected PA-Series and VM-Series firewalls.

Which Palo Alto products are affected by CVE-2026-0300?

The flaw affects PA-Series and VM-Series firewalls running vulnerable PAN-OS versions when the User-ID Authentication Portal and response page exposure conditions are present. Prisma Access, Cloud NGFW, and Panorama are not affected.

Has CVE-2026-0300 been exploited in the wild?

Yes. Palo Alto Networks says limited exploitation has targeted User-ID Authentication Portals exposed to untrusted IP addresses or the public internet. Unit 42 is tracking a likely state-sponsored activity cluster linked to exploitation of the flaw.

How can administrators mitigate CVE-2026-0300 before patching?

Administrators should restrict User-ID Authentication Portal access to trusted zones, disable response pages on exposed L3 interfaces, disable the portal if it is not needed, and enable Threat ID 510019 where supported. Patching remains the primary fix.
