
Palo Alto PAN-OS 0-Day Exploited to Execute Arbitrary Code With Root Privileges on Firewalls

Source: Cybersecurity News. Archived May 14, 2026.



By Guru Baran, May 14, 2026

A critical vulnerability in Palo Alto Networks PAN-OS is putting enterprise firewalls at risk, allowing unauthenticated attackers to execute arbitrary code with root privileges. Tracked as CVE-2026-0300, the flaw affects the User-ID Authentication Portal (Captive Portal) and has already seen limited real-world exploitation, particularly in environments where the service is exposed to the internet.

The vulnerability stems from a buffer overflow issue (CWE-787) in the authentication portal component. By sending specially crafted packets, attackers can exploit the flaw without authentication, potentially gaining full control over affected PA-Series and VM-Series firewalls. Given that these devices often sit at the network perimeter, successful exploitation could lead to complete network compromise.

Security researchers and Palo Alto Networks warn that the risk is highest when the User-ID Authentication Portal is accessible from untrusted networks or the public internet. According to the advisory, organizations that follow best practices, such as restricting portal access to trusted internal IP addresses, face significantly lower risk.

Affected Versions

The vulnerability impacts multiple PAN-OS versions, including 10.2, 11.1, 11.2, and 12.1 releases prior to specific patched builds. Notably, Prisma Access, Cloud NGFW, and Panorama appliances remain unaffected.

However, exploitation is only possible when certain configurations are in place:

- The User-ID Authentication Portal is enabled (either transparent or redirect mode).
- A management interface profile with “response pages” enabled is attached to an interface exposed to untrusted or internet-facing zones.

This combination creates an externally reachable attack surface, allowing threat actors to trigger the buffer overflow remotely.

CVE-2026-0300 carries a CVSS score of 9.3 (Critical), reflecting its ease of exploitation and severe impact. Palo Alto confirms that limited exploitation attempts have already been observed in the wild, primarily targeting exposed authentication portals. Even in cases where direct internet exposure is absent, attackers on adjacent networks may still exploit the flaw, lowering the attack complexity in lateral movement scenarios.

Patches and Mitigation

Palo Alto Networks has released patches across affected versions, with additional fixes scheduled for rollout by May 28, 2026. Organizations are strongly advised to upgrade immediately to fixed versions such as:

- PAN-OS 12.1.4-h5 or 12.1.7+
- PAN-OS 11.2.4-h17, 11.2.7-h13, or 11.2.12+
- PAN-OS 11.1.4-h33, 11.1.6-h32, or 11.1.15+
- PAN-OS 10.2.7-h34 or 10.2.18-h6+

For environments where patching is delayed, Palo Alto recommends the following mitigations:

- Restrict User-ID Authentication Portal access to trusted internal networks only.
- Disable response pages on interfaces exposed to untrusted traffic.
- Completely disable the authentication portal if not required.
- Enable Threat ID 510019 (Applications and Threats version 9097-10022) for detection and blocking.

This vulnerability highlights a recurring issue in perimeter security appliances—misconfigured or exposed management and authentication services becoming high-value targets. With attackers actively scanning for exposed portals, organizations must treat externally accessible firewall services as critical attack surfaces.

As exploitation activity continues to evolve, timely patching and strict access controls remain the most effective defenses against this high-impact flaw.
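
The fixed-build list and the two exposure conditions above can be applied to a firewall inventory as a triage check; this is an added example, not code from Palo Alto Networks or the article's author. The inventory records, field names and priority labels are hypothetical, and treating later hotfixes and later releases under a "+" entry as fixed is an assumption to confirm against the vendor advisory.

```python
import re

# Fixed builds exactly as listed in the article: branch -> (maintenance, hotfix, plus).
# plus=True marks entries the article writes with a trailing "+".
FIXED = {
    (12, 1): [(4, 5, False), (7, 0, True)],
    (11, 2): [(4, 17, False), (7, 13, False), (12, 0, True)],
    (11, 1): [(4, 33, False), (6, 32, False), (15, 0, True)],
    (10, 2): [(7, 34, False), (18, 6, True)],
}

def parse(version):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into ((X, Y), Z, N); N is 0 without a hotfix."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = (int(g or 0) for g in m.groups())
    return (major, minor), maint, hotfix

def is_fixed(version):
    """True/False for branches the article covers, None for any other branch."""
    branch, maint, hotfix = parse(version)
    if branch not in FIXED:
        return None
    for f_maint, f_hotfix, plus in FIXED[branch]:
        # Assumption: a later hotfix on the same maintenance release keeps the fix.
        if maint == f_maint and hotfix >= f_hotfix:
            return True
        # Assumption: "+" also covers later maintenance releases in the branch.
        if plus and maint > f_maint:
            return True
    return False

def triage(fw):
    """Rank one firewall record by patch state and the two exposure conditions."""
    fixed = is_fixed(fw["version"])
    if fixed is None:
        return "check-advisory"
    if fixed:
        return "fixed"
    exposed = fw["portal_enabled"] and fw["response_pages_untrusted"]
    return "patch-now" if exposed else "patch-next"

# Constructed sample inventory (hypothetical hosts and field names).
INVENTORY = [
    {"name": "edge-fw-01", "version": "11.2.7-h12", "portal_enabled": True, "response_pages_untrusted": True},
    {"name": "edge-fw-02", "version": "11.2.7-h13", "portal_enabled": True, "response_pages_untrusted": True},
    {"name": "dc-fw-01", "version": "10.2.18-h5", "portal_enabled": True, "response_pages_untrusted": False},
    {"name": "lab-fw-01", "version": "11.0.3", "portal_enabled": False, "response_pages_untrusted": False},
]

if __name__ == "__main__":
    for fw in INVENTORY:
        print(f'{fw["name"]:<12}{fw["version"]:<12}{triage(fw)}')
```

Unpatched devices that do not meet both exposure conditions are ranked "patch-next" rather than cleared, because the article notes that attackers on adjacent networks may still reach the flaw.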