Palo Alto Networks Addresses Critical PAN-OS Vulnerability CVE-2026-0300
Overview of CVE-2026-0300
On May 6, 2026, Palo Alto Networks disclosed a critical vulnerability in its PAN-OS software, tracked as CVE-2026-0300. The flaw is a buffer overflow in the User-ID™ Authentication Portal, the web login page the firewall presents to unidentified users so that User-ID can map their IP addresses to usernames. By sending specially crafted packets to the portal, an unauthenticated attacker can execute arbitrary code with root privileges on PA-Series and VM-Series firewalls. The flaw carries a CVSS score of 9.3 out of 10 (Critical). Cloud NGFW and Panorama appliances are not affected. ([cybernews.com](https://cybernews.com/news/palo-alto-networks-prepares-patches-for-critical-pan-os-firewall-zero-day/))
Technical Details and Exploitation
The overflow in the User-ID™ Authentication Portal is reachable before any authentication takes place, so the attacker needs no credentials, only network access to the portal. Because the affected code runs as root, a successful exploit yields full control of the appliance rather than a limited foothold: an attacker with a root shell on the firewall controls policy enforcement and sees the traffic the device inspects, which is what makes further network compromise likely. ([cybernews.com](https://cybernews.com/news/palo-alto-networks-prepares-patches-for-critical-pan-os-firewall-zero-day/))
Exploitation of CVE-2026-0300 has been observed in limited attacks targeting firewalls with the User-ID™ Authentication Portal exposed to untrusted IP addresses or the public internet. Palo Alto Networks has identified a likely state-sponsored threat group, tracked as CL-STA-1132, as responsible for these attacks. ([cybernews.com](https://cybernews.com/news/palo-alto-networks-prepares-patches-for-critical-pan-os-firewall-zero-day/))
Affected Products and Versions
The vulnerability affects PA-Series and VM-Series firewalls running the PAN-OS releases below. Read the list by maintenance release: each listed version is the first build of that maintenance release that is not affected, so a firewall is affected if it runs an earlier build of that maintenance release (for example, 11.2.4 builds earlier than 11.2.4-h17) or an earlier release in the same train that has no fix of its own. The impacted versions are:
- PAN-OS 12.1: versions prior to 12.1.4-h5 and versions prior to 12.1.7
- PAN-OS 11.2: versions prior to 11.2.4-h17, 11.2.7-h13, 11.2.10-h6 and 11.2.12
- PAN-OS 11.1: versions prior to 11.1.4-h33, 11.1.6-h32, 11.1.7-h6 and 11.1.10-h25
Only firewalls with the User-ID™ Authentication Portal enabled and reachable from untrusted networks are exploitable; a firewall on an affected release with the portal disabled is not exposed, but should still be patched. ([cert.europa.eu](https://cert.europa.eu/publications/security-advisories/2026-006/pdf))
Mitigation and Patching
Palo Alto Networks has provided the following mitigation steps to reduce the risk of exploitation:
- Restrict access to the User-ID™ Authentication Portal to trusted internal networks.
- Disable the User-ID™ Authentication Portal if it is not in use.
These measures shrink the attack surface and, where the portal is disabled, remove the exploitable entry point entirely. Restricting access reduces exposure but leaves the vulnerable code in place, so affected firewalls still need the patch once it ships. ([cybernews.com](https://cybernews.com/news/palo-alto-networks-prepares-patches-for-critical-pan-os-firewall-zero-day/))
The company has announced that patches addressing CVE-2026-0300 will be released in two phases:
- First round of patches: Expected to be available on May 13, 2026.
- Second round of patches: Estimated for May 28, 2026.
Administrators are strongly advised to apply these patches as soon as they become available to secure their systems against potential exploitation. ([cybernews.com](https://cybernews.com/news/palo-alto-networks-prepares-patches-for-critical-pan-os-firewall-zero-day/))
Impact Assessment
The exploitation of CVE-2026-0300 poses significant risks to organizations using affected Palo Alto Networks firewalls. Successful exploitation can lead to:
- Complete control of the firewall by attackers.
- Potential lateral movement within the network.
- Exfiltration of sensitive data.
- Disruption of network services.
Given the critical nature of this vulnerability and the potential for severe impact, it is imperative for organizations to assess their exposure and implement the recommended mitigations promptly. ([cybernews.com](https://cybernews.com/news/palo-alto-networks-prepares-patches-for-critical-pan-os-firewall-zero-day/))
Recommendations for Administrators
To protect against CVE-2026-0300, administrators should:
- Identify whether their firewalls are running affected versions of PAN-OS.
- Determine if the User-ID™ Authentication Portal is enabled and exposed to untrusted networks.
- Implement the recommended mitigation steps immediately.
- Monitor for the release of patches and apply them as soon as they are available.
- Review firewall configurations to ensure that only necessary services are exposed to the internet.
By taking these actions, organizations can reduce the risk of exploitation and enhance the security of their network infrastructure. ([cybernews.com](https://cybernews.com/news/palo-alto-networks-prepares-patches-for-critical-pan-os-firewall-zero-day/))
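The first two recommendations above, checking whether a firewall runs an affected PAN-OS release and whether its Authentication Portal is exposed, are the kind of triage an administrator ends up scripting across a fleet. The following Python is an added example written for this page, not code from Palo Alto Networks or from the article's sources. It encodes the version list from the "Affected Products and Versions" section and applies the usual PAN-OS advisory reading, stated as an assumption in the code: a build is fixed if it is at or above the fix for its own maintenance release, or at or above the highest fix in its release train; trains the advisory does not mention are reported as not listed rather than guessed at. The hostnames and versions in the sample inventory are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# First unaffected build per maintenance release, as listed on this page.
FIXED_VERSIONS = [
    "12.1.4-h5", "12.1.7",
    "11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12",
    "11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25",
]


class PanOsVersion(NamedTuple):
    """PAN-OS version as (major, minor, maintenance, hotfix).

    A release without a -hN suffix gets hotfix 0, so plain tuple ordering
    gives the precedence we want: 11.2.4 < 11.2.4-h17 < 11.2.5.
    """
    major: int
    minor: int
    maint: int
    hotfix: int

    @classmethod
    def parse(cls, text: str) -> "PanOsVersion":
        m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
        if m is None:
            raise ValueError(f"unrecognised PAN-OS version: {text!r}")
        return cls(int(m[1]), int(m[2]), int(m[3]), int(m[4] or 0))

    @property
    def train(self) -> Tuple[int, int]:
        return (self.major, self.minor)

    @property
    def line(self) -> Tuple[int, int, int]:
        return (self.major, self.minor, self.maint)


_FIXES = [PanOsVersion.parse(v) for v in FIXED_VERSIONS]


def assess(version: str) -> str:
    """Classify a running version as 'affected', 'fixed' or 'not-listed'.

    Assumed reading of the advisory list (the usual PAN-OS convention):
    fixed if at or above the fix for the build's own maintenance release
    (e.g. 11.2.4-h17 for any 11.2.4 build), otherwise fixed only if at or
    above the highest fix in the train (e.g. 11.2.12 for 11.2.5 or 11.2.11).
    """
    v = PanOsVersion.parse(version)
    train_fixes = [f for f in _FIXES if f.train == v.train]
    if not train_fixes:
        return "not-listed"  # e.g. 10.2.x: say nothing the page does not say
    line_fix: Optional[PanOsVersion] = next(
        (f for f in train_fixes if f.line == v.line), None)
    threshold = line_fix if line_fix is not None else max(train_fixes)
    return "fixed" if v >= threshold else "affected"


# Lower number = act sooner. Portal exposure decides urgency because the
# advisory says only firewalls with the portal enabled and reachable from
# untrusted networks are exploitable.
_PRIORITY = {
    "patch or restrict portal now": 0,
    "patch; keep portal internal": 1,
    "check vendor advisory": 2,
    "none": 3,
}


def triage(inventory: List[Tuple[str, str, bool]]) -> List[Tuple[str, str, str, str]]:
    """Return (host, version, status, action) rows, most urgent first.

    inventory rows are (hostname, pan_os_version, portal_exposed) where
    portal_exposed is True when the Authentication Portal is enabled on an
    interface reachable from untrusted networks.
    """
    rows = []
    for host, version, portal_exposed in inventory:
        status = assess(version)
        if status == "affected" and portal_exposed:
            action = "patch or restrict portal now"
        elif status == "affected":
            action = "patch; keep portal internal"
        elif status == "not-listed":
            action = "check vendor advisory"
        else:
            action = "none"
        rows.append((host, version, status, action))
    rows.sort(key=lambda r: _PRIORITY[r[3]])  # stable: ties keep inventory order
    return rows


# Constructed sample inventory; hostnames and versions are invented for the example.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "11.2.4-h12", True),
    ("fw-edge-2", "12.1.6", True),
    ("fw-core-1", "11.1.10-h25", False),
    ("fw-lab-1", "10.2.9-h1", False),
]

if __name__ == "__main__":
    for host, version, status, action in triage(SAMPLE_INVENTORY):
        print(f"{host:10} {version:12} {status:10} {action}")
```

Feed `triage` the output of whatever inventory source you already have (Panorama export, CMDB, `show system info` scraped over SSH); the point of keeping `assess` separate is that the version logic can be re-checked against the vendor's own advisory table once the patches ship, without touching the reporting.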
Conclusion
The disclosure of CVE-2026-0300 underscores the importance of proactive vulnerability management and the need for organizations to stay vigilant against emerging threats. Palo Alto Networks' prompt response and the availability of mitigation measures provide a pathway for administrators to secure their systems. However, the responsibility lies with organizations to implement these measures and maintain a robust security posture.
For more detailed information and updates, refer to Palo Alto Networks' official security advisory. ([cybernews.com](https://cybernews.com/news/palo-alto-networks-prepares-patches-for-critical-pan-os-firewall-zero-day/))