Critical Palo Alto firewall vulnerability is being exploited to gain root access


Palo Alto Networks has warned that attackers are exploiting a critical PAN-OS vulnerability that can give them root-level control of affected firewalls. The flaw is tracked as CVE-2026-0300 and affects PA-Series and VM-Series firewalls when the User-ID Authentication Portal is enabled and exposed to untrusted networks.

The vulnerability sits in the User-ID Authentication Portal, also known as Captive Portal. An unauthenticated attacker can send specially crafted network traffic to trigger a buffer overflow and execute code on the firewall with root privileges.

This makes the flaw especially urgent for administrators because firewalls sit at the edge of enterprise networks. If attackers take control of one, they may be able to intercept traffic, pivot deeper into the environment, steal credentials, or hide activity from normal monitoring tools.

What makes CVE-2026-0300 dangerous

CVE-2026-0300 has a CVSS 4.0 score of 9.3, which places it in the critical severity range. It requires no login, no user interaction, and no special conditions when the affected portal is exposed to the internet or another untrusted network.

Palo Alto Networks says limited exploitation has already been observed against exposed User-ID Authentication Portals. Unit 42 is tracking related activity as CL-STA-1132, a likely state-sponsored cluster that used the flaw for unauthenticated remote code execution.

After exploitation, the attackers reportedly injected shellcode into an nginx worker process, used tunneling tools, enumerated Active Directory, and deleted logs and other evidence. That post-exploitation behavior shows why the issue goes beyond patch management and should trigger compromise checks.

At a glance

| Item | Details |
| --- | --- |
| CVE | CVE-2026-0300 |
| Product | Palo Alto Networks PAN-OS |
| Affected systems | PA-Series and VM-Series firewalls |
| Affected feature | User-ID Authentication Portal, also known as Captive Portal |
| Severity | Critical, CVSS 4.0 score of 9.3 |
| Impact | Unauthenticated remote code execution with root privileges |
| Exploitation status | Limited exploitation observed in the wild |
| Unaffected products | Prisma Access, Cloud NGFW, and Panorama |

Which firewalls are exposed

The vulnerability does not affect every Palo Alto firewall by default. A firewall becomes exposed when the User-ID Authentication Portal is enabled and reachable from an untrusted or internet-facing interface.

Palo Alto Networks says administrators can check this setting under Device, then User Identification, then Authentication Portal Settings. They should also review interface management profiles for response pages on external or untrusted Layer 3 interfaces.

Prisma Access, Cloud NGFW, and Panorama appliances are not affected. The risk centers on PA-Series and VM-Series firewalls running affected PAN-OS versions with the portal reachable from outside trusted internal networks.

Affected PAN-OS versions

| PAN-OS branch | Affected versions | Fixed versions or scheduled fixes |
| --- | --- | --- |
| PAN-OS 10.2 | Versions below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6 | Fixes scheduled across May 13 and May 28, 2026 |
| PAN-OS 11.1 | Versions below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, and 11.1.15 | Fixes scheduled across May 13 and May 28, 2026 |
| PAN-OS 11.2 | Versions below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, and 11.2.12 | Fixes scheduled across May 13 and May 28, 2026 |
| PAN-OS 12.1 | Versions below 12.1.4-h5 and 12.1.7 | Fixes scheduled across May 13 and May 28, 2026 |
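Reading a "versions below X, Y and Z" row correctly across a fleet of firewalls is error-prone by hand, because each listed fix only applies to its own maintenance line (a 10.2.7 box needs h34, while a 10.2.8 box has no fix in its line and must move to a later one). The following triage helper is an added example written for this article; it is not Palo Alto Networks code. The fixed-version lists are copied from the table above, the exposure conditions are the ones described in the "Which firewalls are exposed" section, and the `major.minor.maint-hN` version format, the per-maintenance-line reading of "below", the `triage` action labels and the sample inventory are all this script's own assumptions.

```python
"""
Triage helper for CVE-2026-0300: is a PAN-OS version below its scheduled fix,
and does the portal exposure make it urgent?

Added example, not Palo Alto Networks code. FIXED_VERSIONS is copied from the
advisory table; the version-string format and the per-maintenance-line
interpretation of "versions below X" are assumptions of this script.
"""
import re
from typing import Optional

# Fixed (or scheduled-fix) versions per branch, from the table above.
FIXED_VERSIONS = {
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "12.1": ["12.1.4-h5", "12.1.7"],
}

# Assumed format: major.minor.maint with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> tuple[int, int, int, int]:
    """Split '10.2.7-h34' into (10, 2, 7, 34); a release without a hotfix gets hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(running: str) -> Optional[bool]:
    """
    True  -> running version is below the fix for its maintenance line
    False -> running version is at or above that fix
    None  -> branch or maintenance line not covered by the table (check the vendor advisory)
    """
    major, minor, maint, hotfix = parse_version(running)
    fixes = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixes is None:
        return None
    # "Versions below 10.2.7-h34, 10.2.10-h36, ..." is read per maintenance line:
    # the nearest listed fix at or above the running maintenance number decides.
    candidates = sorted(parse_version(f)[2:] for f in fixes)  # (maint, hotfix) pairs
    nearest = next((c for c in candidates if c[0] >= maint), None)
    if nearest is None:
        return None  # newer than every listed fix; the table says nothing about it
    fix_maint, fix_hotfix = nearest
    if fix_maint == maint:
        return hotfix < fix_hotfix  # same line: only the hotfix number matters
    return True  # an unfixed maintenance line sitting below a fixed one


def triage(running: str, portal_enabled: bool, reachable_from_untrusted: bool) -> str:
    """
    Combine the version check with the two exposure conditions the advisory names
    (portal enabled, portal reachable from an untrusted interface).
    The returned labels are this script's own wording.
    """
    affected = is_affected(running)
    if affected is False:
        return "fixed"
    if affected is None:
        return "verify-version-with-vendor"
    if portal_enabled and reachable_from_untrusted:
        return "exposed: restrict-or-disable-portal-now, then upgrade, then hunt"
    if portal_enabled:
        return "affected: keep portal internal-only, schedule upgrade"
    return "affected: portal disabled, schedule upgrade"


if __name__ == "__main__":
    # Constructed sample inventory (name, version, portal enabled, reachable from untrusted); not real devices.
    inventory = [
        ("fw-edge-1", "10.2.7-h33", True, True),
        ("fw-edge-2", "11.1.15", True, True),
        ("fw-dc-1", "11.2.9", True, False),
        ("fw-lab-1", "11.0.3", False, False),
    ]
    for name, ver, portal, untrusted in inventory:
        print(f"{name:10} {ver:12} -> {triage(ver, portal, untrusted)}")
```

The `None` result is deliberate: a branch that is not in the table (the constructed `11.0.3` entry) or a maintenance release newer than every listed fix is not something this table can decide, and the script refuses to guess rather than report such a device as safe.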

Attackers used the firewall as a network foothold

Unit 42 says exploitation activity began with unsuccessful attempts on April 9, 2026. About a week later, attackers achieved remote code execution on a targeted device and started removing crash records, nginx entries, and other traces.

The activity later included open-source tunneling tools such as EarthWorm and ReverseSocks5. These tools can help attackers route traffic through a compromised system and reach internal network resources from an external position.

The attackers also performed Active Directory enumeration using credentials likely obtained from the firewall. That detail matters because a compromised edge device can become a bridge from perimeter access to identity infrastructure.

What administrators should do now

  • Check whether User-ID Authentication Portal is enabled on PA-Series or VM-Series firewalls.
  • Confirm whether the portal is reachable from the internet or another untrusted network.
  • Restrict portal access to trusted internal zones only.
  • Disable User-ID Authentication Portal if the organization does not require it.
  • Disable response pages on external or untrusted Layer 3 interfaces where they are not needed.
  • Enable Threat ID 510019 if Threat Prevention or Advanced Threat Prevention is licensed and the firewall supports it.
  • Plan upgrades to the fixed PAN-OS releases as soon as Palo Alto Networks makes them available for the relevant branch.
  • Review firewall logs, crash files, authentication activity, and Active Directory queries for signs of compromise.

Why this needs more than a normal patch cycle

CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog after evidence of active exploitation. That means defenders should treat the issue as an active incident risk rather than a routine vulnerability ticket.

Organizations with an exposed Authentication Portal should not simply wait for the fixed builds. The immediate priority is reducing exposure by limiting portal access to trusted internal networks or disabling the feature entirely.

Security teams should also check whether attackers already reached affected appliances. Palo Alto Networks reported log deletion and post-exploitation activity in observed attacks, so a quiet firewall does not automatically mean a clean firewall.

FAQ

Is CVE-2026-0300 being exploited?

Yes. Palo Alto Networks says limited exploitation has been observed against User-ID Authentication Portals exposed to untrusted IP addresses or the public internet.

Are Prisma Access, Cloud NGFW, and Panorama affected?

No. Palo Alto Networks says Prisma Access, Cloud NGFW, and Panorama are not affected by CVE-2026-0300.

Which Palo Alto products are affected?

The flaw affects PA-Series and VM-Series firewalls running vulnerable PAN-OS versions when User-ID Authentication Portal is enabled and reachable from untrusted networks.

What is CVE-2026-0300?

CVE-2026-0300 is a critical buffer overflow vulnerability in the PAN-OS User-ID Authentication Portal. It can allow unauthenticated remote code execution with root privileges on affected firewalls.
