Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)

Laag (42/100): monitoren. Zwaarst wegend: gemeentelijke relevantie en technische ernst.

De priority_score is de Action Urgency Score: een gewogen combinatie van de technische ernst, de exploitatie en de gemeentelijke relevantie.

Overview On May 6, 2026, Palo Alto Networks published a security advisory for CVE-2026-0300 , a critical unauthenticated buffer overflow vulnerability affecting PAN-OS PA-Series and VM-Series firewall appliances. Prisma Access, Cloud NGFW, and Panorama appliances are not affected by this vulnerability. The vulnerability carries a CVSSv4 score of 9.3 and has been confirmed as exploited in the wild by the vendor. CVE-2026-0300 is a buffer overflow ( CWE-787 ) in the User-ID™ Authentication Portal (also known as Captive Portal), a non-default PAN-OS feature used to map IP addresses to usernames. An unauthenticated remote attacker can exploit this vulnerability by sending specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges on the affected firewall. No authentication or user interaction is required. Palo Alto Networks has confirmed limited exploitation in the wild targeting Authentication Portals exposed to either untrusted IP addresses or the public internet. No patches are currently available; fixed versions are expected to begin rolling out on May 13, 2026, with additional releases through May 28, 2026. PAN-OS is among the most widely deployed enterprise firewall operating systems in the world. Shodan identifies approximately 225,000 internet-facing PAN-OS instances, representing a significant attack surface. Rapid7 strongly urges all organizations running affected PAN-OS versions with the User-ID Authentication Portal enabled to apply the available workarounds immediately and prioritize patching as soon as fixed versions become available. Update #1: On May 6, 2026, CVE-2026-0300 was added to the U.S. Cybersecurity and Infrastructure Security Agency's (CISA) list of known exploited vulnerabilities (KEV), based on evidence of active exploitation. Palo Alto Networks Unit 42 also published a threat brief attributing observed exploitation to CL-STA-1132, a likely state-sponsored threat cluster that deployed open-source tunneling tools and conducted Active Directory enumeration following initial compromise. Mitigation guidance Organizations running PA-Series and VM-Series firewalls with the User-ID™ Authentication Portal enabled should apply the available workarounds immediately and prioritize patching as soon as fixed versions are released. Check the official documentation to establish whether the affected User-ID™ Authentication Portal is currently enabled. According to the Palo Alto Networks advisory, the following versions are affected by CVE-2026-0300: Product Affected Unaffected Fix ETA PAN-OS 12.1 < 12.1.4-h5 < 12.1.7 >= 12.1.4-h5 >= 12.1.7 05/13 05/28 PAN-OS 11.2 < 11.2.4-h17 < 11.2.7-h13 < 11.2.10-h6 < 11.2.12 >= 11.2.4-h17 >= 11.2.7-h13 >= 11.2.10-h6 >= 11.2.12 05/28 05/13 05/13 05/28 PAN-OS 11.1 < 11.1.4-h33 < 11.1.6-h32 < 11.1.7-h6 < 11.1.10-h25 < 11.1.13-h5 < 11.1.15 >= 11.1.4-h33 >= 11.1.6-h32 >= 11.1.7-h6 >= 11.1.10-h25 >= 11.1.13-h5 >= 11.1.15 05/13 05/13 05/28 05/13 05/13 05/28 PAN-OS 10.2 < 10.2.7-h34 < 10.2.10-h36 < 10.2.13-h21 < 10.2.16-h7 < 10.2.18-h6 >= 10.2.7-h34 >= 10.2.10-h36 >= 10.2.13-h21 >= 10.2.16-h7 >= 10.2.18-h6 05/28 05/13 05/28 05/28 05/13 As of May 13, 2026, the first round of patches has been published. Until the remaining awaited patches are available, Palo Alto Networks recommends one of the following workarounds: Restrict User-ID™ Authentication Portal access to only trusted internal zones. Refer to Step 6 of the Live Community article and the Knowledgebase article for instructions on restricting access. Disable User-ID™ Authentication Portal entirely if it is not required (Device > User Identification > Authentication Portal Settings > uncheck Enable Authentication Portal). Please refer to the vendor advisory for the latest guidance. Rapid7 customers Exposure Command, InsightVM, and Nexpose Exposure Command, InsightVM, and Nexpose customers can assess exposure to CVE-2026-0300 with authenticated vulnerability checks available in the May 6th, 2026 content release. Updates May 6, 2026 : Initial publication. May 7, 2026 : Updated overview to note the addition to CISA KEV and the Unit 42 threat brief attributing exploitation to CL-STA-1132. May 13, 2026 : Updated Mitigation guidance section to state that patches expected on May 13 have been published.