Palo Alto Networks firewall flaw has been exploited for several weeks

CSO Online, published May 09, 2026 (archived May 09, 2026)

Palo Alto Networks warns that a critical zero-day vulnerability has been discovered in the PAN-OS firewall system. The vulnerability has already been exploited by suspected state-sponsored hackers for nearly a month, reports Bleeping Computer. The vulnerability, CVE-2026-0300, is located in the User-ID Authentication Portal (also known as the Captive Portal) and allows attackers to execute code with root privileges on exposed PA and VM series firewalls without first logging in. The security org

A critical PAN-OS vulnerability affecting the User-ID Authentication Portal is being actively exploited to achieve unauthenticated remote code execution with root privileges on exposed firewalls.

Palo Alto Networks is warning customers about a critical buffer overflow vulnerability affecting its PAN-OS User-ID Authentication Portal that is already being exploited in the wild. The flaw allows attackers to execute arbitrary code with root privileges on exposed firewalls, the company said in a security advisory. PAN-OS is the software that runs all Palo Alto Networks next-generation firewalls.

“This issue is applicable only to PA-Series and VM-Series firewalls that are configured to use User-ID Authentication Portal,” the company added. “Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by this vulnerability.”

The advisory noted that “limited exploitation” was seen targeting authentication portals exposed to untrusted IP addresses and the public internet. Customers restricting these portals to trusted internal networks are safe. The issue is awaiting a fix in upcoming PAN-OS releases, and users were asked to apply workarounds and mitigations in the meantime.

Root access through a firewall login portal

The flaw, tracked as CVE-2026-0300, carries a CVSS score of 9.3 in internet-exposed deployments and has been classified as an out-of-bounds write vulnerability, mapped to CWE-787. According to Palo Alto Networks, the issue allows unauthenticated attackers to execute arbitrary code with root privileges on affected devices. The flaw only impacts PAN-OS deployments where the User-ID Authentication Portal is enabled. Affected versions span multiple PAN-OS release branches, including 10.2, 11.1, and 12.1 releases prior to patched builds scheduled for rollout in May.

Wiz researcher Merav Bar said the Google-owned research firm found that 7% of environments have publicly exposed PAN-OS instances. However, how many of them have the affected portal enabled is not known. “Since this portal utilizes ports 6081 and 6082, the exposure of these specific ports is the primary metric for exploitability,” she added in a blog post. “Currently, Shodan identifies 67 exposed PAN-OS servers on port 6081, with none detected on port 6082.”

The vulnerability has also attracted government attention. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalog shortly after the disclosure, while multiple national cybersecurity agencies warned organizations to assume further exploitation is likely.

Mitigations first, patches shortly after

While Palo Alto Networks has announced fixes for affected PAN-OS branches, the company is urging customers to immediately reduce exposure rather than wait for patch windows. The vendor said the most important mitigation is restricting access to the User-ID Authentication Portal so it is reachable only from trusted internal IP addresses. Organizations that do not rely on the Captive Portal feature are being advised to disable it entirely. Palo Alto also recommended disabling Response Pages on interfaces exposed to untrusted traffic while keeping them enabled only on trusted internal interfaces where legitimate users connect. For customers with Threat Prevention subscriptions, Palo Alto said attacks can additionally be blocked using Threat ID 510019, included in Applications and Threats content version 9097-10022, though decoder support requires PAN-OS 11.1 or later.
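Checking a firewall configuration for the three mitigations above (portal disabled if unused, Response Pages off where untrusted networks can reach them, access limited to trusted ranges), as an added example that is not code from the article or from Palo Alto Networks. The XML layout is a simplified approximation of a PAN-OS configuration, and the sample config, trusted networks and function names are constructed assumptions.

```python
"""Audit a PAN-OS-style config for the CVE-2026-0300 workarounds.

Added example, not vendor code. The element names below approximate a PAN-OS
running-config (an assumption); the sample config is constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: one profile restricted to an internal range, one open to any source.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
    <captive-portal><enable-captive-portal>yes</enable-captive-portal></captive-portal>
  </entry></vsys>
  <network><profiles><interface-management-profile>
    <entry name="internal-mgmt">
      <response-pages>yes</response-pages>
      <permitted-ip><entry name="10.0.0.0/8"/></permitted-ip>
    </entry>
    <entry name="internet-mgmt">
      <response-pages>yes</response-pages>
      <permitted-ip><entry name="0.0.0.0/0"/></permitted-ip>
    </entry>
  </interface-management-profile></profiles></network>
  </entry></devices>
</config>"""

# Assumed trusted internal ranges for this organisation (constructed).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]


def _is_trusted(cidr, trusted_nets):
    """True if the permitted-ip entry lies entirely inside a trusted range."""
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.version == t.version and net.subnet_of(t) for t in trusted_nets)


def audit_config(xml_text, trusted_nets=TRUSTED_NETS):
    """Return a list of findings; an empty list means the workarounds are in place."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext(".//captive-portal/enable-captive-portal") == "yes":
        findings.append("captive-portal: enabled; disable it if the feature is unused")
    for prof in root.iterfind(".//interface-management-profile/entry"):
        if prof.findtext("response-pages") != "yes":
            continue  # Response Pages off: portal not served via this profile
        permitted = [e.get("name") for e in prof.iterfind("permitted-ip/entry")]
        untrusted = [c for c in permitted if not _is_trusted(c, trusted_nets)]
        if not permitted or untrusted:  # no allow-list at all, or one that admits outsiders
            findings.append(f"profile {prof.get('name')}: response pages reachable from {untrusted or ['any']}")
    return findings
```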