CISA warns of critical vulnerability in Palo Alto firewalls
CISA adds CVE-2026-0300 to KEV Catalog: Critical Root RCE vulnerability impacting Palo Alto Networks PAN-OS
On May 6, 2026, CISA added a new flaw to its Known Exploited Vulnerabilities catalog. CVE-2026-0300 affects Palo Alto Networks PAN-OS firewalls and allows remote code execution without authentication. Organizations need to act quickly to protect their networks.
Vulnerability Details
- Identifier: CVE-2026-0300
- Product Affected: Palo Alto Networks PAN-OS
- Weakness Type: Out-of-bounds Write
This buffer overflow vulnerability in the User-ID authentication portal represents a high risk for companies that expose this equipment to untrusted networks. Experts recommend immediate mitigations until official patches arrive for all versions.
Understanding the technical details and practical actions can avoid serious compromises. This article explains what's happening, who's exposed, and how to respond effectively.
- CVE-2026-0300 allows unauthenticated attackers to execute code with root privileges on PA-Series and VM-Series firewalls.
- CISA requires remediation by May 9, 2026 for US federal agencies.
- Disabling the User-ID Authentication Portal or restricting access is the most urgent measure.
- Firewalls exposed on the internet are a prime target for active exploits.
- PAN-OS updates are in development, but workarounds work now.
Understanding CVE-2026-0300 on PAN-OS
The flaw resides in the User-ID Authentication Portal service, also known as Captive Portal. Attackers send specially crafted packets that cause an out-of-bounds write, allowing arbitrary code execution with maximum privileges.
No login or user interaction is required. Any firewall with the portal enabled and reachable from untrusted networks is vulnerable. The CVSS score is 9.3 where the portal is publicly exposed.
Why this vulnerability is so dangerous
Palo Alto firewalls act as entry and exit points for corporate networks. A root compromise allows attackers to modify rules, monitor traffic, or use the device as a pivot for insider attacks.
Active exploitation has already been confirmed, which increases the urgency. Unlike theoretical flaws, this one is already being used by malicious actors in real campaigns.
Technical analysis
The issue is classified as CWE-787 (Out-of-bounds Write). The buffer overflow occurs during packet processing in the authentication service, allowing adjacent memory to be overwritten and attacker-controlled code to run.
Main technical aspects:
- Attack vector: network, no authentication (AV:N/AC:L/PR:N/UI:N).
- Impact: code execution as root on the affected device.
- Affected component: User-ID Authentication Portal on PAN-OS.
- Impacted versions: multiple releases of PAN-OS on PA-Series and VM-Series hardware.
- Temporary mitigation: Restrict access to trusted zones only or disable the portal.
Two relevant insights: First, the Captive Portal is often enabled by default in guest Wi-Fi or VPN scenarios, increasing the attack surface without administrators realizing it. Second, a root-level compromise turns the firewall into a single point of failure for the entire network security infrastructure.
Comparison with other recent firewall vulnerabilities
| Vulnerability | Supplier | Type | Risk Level | Main Mitigation |
|---|---|---|---|---|
| CVE-2026-0300 | Palo Alto | Buffer Overflow (RCE root) | Critical (9.3) | Restrict/Disable Portal |
| CVE-2024-1708 | ConnectWise | Path Traversal | High | Update + Restriction |
| CVE-2026-31431 | Linux Kernel | Resource Transfer | Moderate to High | Kernel Update |
While other flaws require specific credentials or conditions, CVE-2026-0300 stands out for its simplicity of exploitation and full impact on the device.
Risks and limitations of protective measures
Disabling the User-ID Portal may impact legitimate functionality, such as user authentication on guest networks. Not all organizations can do this without planning.
Cloud and Prisma Access environments have a different exposure status, but on-premises instances remain exposed. The lack of an immediate patch for all versions creates a window of risk that requires constant monitoring.
Additionally, smaller IT teams may underestimate exposure if they do not perform regular port and service scans.
Practical recommendations for administrators
Immediately check whether the Captive Portal is enabled and accessible from the internet. Apply official Palo Alto workarounds while waiting for updates.
Monitor logs for suspicious packets targeting the User-ID service. Consider managed threat detection solutions to gain additional visibility.
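One way to turn the two recommendations above (check whether the portal is reachable from untrusted networks, and watch the logs for traffic aimed at the User-ID service) into a repeatable check. This is an added example, not code from the advisory or from Palo Alto Networks: it parses constructed, PAN-OS-style traffic log lines and reports which untrusted sources actually reached a Captive Portal listener port. The column layout, the zone names and the port list (6080, 6081, 6082, which PAN-OS documentation lists for NTLM, transparent and redirect portal modes) are assumptions to verify against your own running configuration.

```python
"""Exposure check for the User-ID / Captive Portal service (added example).

Parses constructed PAN-OS-style traffic log lines and flags sessions from
untrusted zones toward the firewall's portal listener ports. An "allow" hit
from an untrusted zone means the portal is reachable and the mitigation
(restrict or disable) is not yet effective; a "deny" shows the restriction holds.
"""
import csv
import io
from collections import Counter
from dataclasses import dataclass

# Assumption: Captive Portal listener ports (6080 NTLM, 6081 transparent,
# 6082 redirect). Confirm against the firewall's running configuration.
CAPTIVE_PORTAL_PORTS = {6080, 6081, 6082}

# Assumption: zone names that count as trusted in this deployment.
TRUSTED_ZONES = {"trust", "corp-lan"}

# Constructed sample log lines. The CSV layout is a simplified stand-in for
# the PAN-OS traffic log schema, chosen for this example only.
SAMPLE_LOGS = """\
receive_time,src,dst,src_zone,dst_zone,dport,action,size
2026/05/06 09:14:02,198.51.100.23,203.0.113.10,untrust,trust,6082,allow,4120
2026/05/06 09:14:03,198.51.100.23,203.0.113.10,untrust,trust,6082,allow,61338
2026/05/06 09:15:10,10.20.0.5,203.0.113.10,trust,trust,6082,allow,900
2026/05/06 09:16:41,198.51.100.77,203.0.113.10,untrust,trust,443,allow,1200
2026/05/06 09:17:00,192.0.2.9,203.0.113.10,untrust,trust,6081,deny,0
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dport: int
    action: str
    size: int


def find_untrusted_portal_hits(log_text, ports=CAPTIVE_PORTAL_PORTS,
                               trusted=TRUSTED_ZONES):
    """Return sessions from a non-trusted zone whose destination port is a portal port."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        dport = int(row["dport"])
        if dport not in ports or row["src_zone"] in trusted:
            continue  # not a portal port, or internal traffic we expect
        findings.append(Finding(row["src"], dport, row["action"], int(row["size"])))
    return findings


def exposed_sources(findings):
    """Sources that actually reached a portal port; these prove external exposure."""
    return sorted({f.src for f in findings if f.action == "allow"})


def summarize(findings):
    """Count hits per (source, action) pair for a quick triage view."""
    return dict(Counter((f.src, f.action) for f in findings))


if __name__ == "__main__":
    hits = find_untrusted_portal_hits(SAMPLE_LOGS)
    for (src, action), n in sorted(summarize(hits).items()):
        print(f"{src:16} {action:6} {n}")
    print("portal reachable from:", exposed_sources(hits) or "nobody (restriction effective)")
```

Feed it exported traffic logs after applying the workaround: the list returned by exposed_sources should be empty once the portal is disabled or limited to trusted zones, and any remaining "allow" entries point at the rule that still lets untrusted traffic through.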
Final opinion and perspectives
This addition to CISA's KEV catalog reinforces the need to treat firewalls as critical assets that require constant attention. CVE-2026-0300 isn't just another flaw — it exposes how ancillary services can compromise your entire security posture.
Companies that invest in visibility, segmentation and rapid response will be better prepared for similar threats in the future. Fast patches and secure default configurations should be a priority for manufacturers.
Immediate action is essential
The CVE-2026-0300 vulnerability in PAN-OS requires an urgent response from all organizations using Palo Alto firewalls. With active exploits confirmed, the time to mitigate is now.
In the future, we expect security solutions to evolve to reduce unnecessary attack surfaces. For now, the combination of workarounds, monitoring and planned updates offers the best path to effective protection.
Source: CISA (Cybersecurity & Infrastructure Security Agency)
Published on: May 6, 2026
People also ask
What is CVE-2026-0300?
It allows root RCE (arbitrary code execution with root privileges) by an unauthenticated attacker via specially crafted packets. It is being actively exploited.
Summary: Unauthenticated root RCE in Palo Alto firewalls (PA-Series/VM-Series).