- A critical buffer overflow vulnerability (CVE-2026-0300) in the PAN-OS User-ID Authentication Portal is under limited exploitation
- The flaw allows unauthorized code execution with root privileges on vulnerable firewalls
- Palo Alto advised restricting portals to trusted networks; fixes are due on 13 May 2026
The PAN-OS User-ID Authentication Portal, a feature of Palo Alto Networks firewalls that identifies and authenticates users on a network, contains a critical severity zero-day vulnerability that is being exploited in limited attacks, the company has warned.
The flaw is described as a buffer overflow vulnerability that allows unauthorized threat actors to run arbitrary code with root privileges on PA-series and VM-series firewalls via specially crafted packets.
It is tracked as CVE-2026-0300 and received a severity score of 9.3/10 (Critical). It only works against endpoints exposed to the public internet.
Guidance and patches
“Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portals exposed to untrusted IP addresses and/or the public Internet,” Palo Alto explained in a security advisory.
“Customers who follow standard security best practices, such as limiting sensitive portals to trusted internal networks, have a greatly reduced risk.”
In a further statement shared with BleepingComputer, the company said the vulnerability was specific to a “limited number” of customers with their authentication portals exposed to the public Internet or untrusted IP addresses. “We have observed limited exploitation of this issue and are working to release software fixes, with the first updates expected to be available on May 13, 2026,” the company told the publication.
“We have provided clear guidance to our customers to secure their environments immediately. This issue does not affect Cloud NGFW or Panorama appliances.”
Users who are unsure whether they are exposed can check from the Settings page whether their firewalls are configured to use the vulnerable service, by navigating to Device > User Identification > Authentication Portal Settings > Enable Authentication Portal. Access to the portal should be restricted to trusted zones only, or even disabled if possible, Palo Alto said.
According to Shadowserver data, there are currently 5,800 PAN-OS VM-series firewalls exposed online. The majority are located in Asia (2,466), with a significant minority in North America (1,988).




