At a glance: Palo Alto Networks has disclosed an actively exploited unpatched vulnerability (zero-day) that allows an external threat actor to take full control of affected firewalls without authentication. Because the flaw targets a core perimeter security control, successful exploitation can undermine network trust, enable silent monitoring of traffic, and expose internal systems to wider compromise. With active exploitation confirmed, a public exploit available, and vendor patches not yet available, organizations with affected firewalls face immediate risk until fixes and mitigations are applied.
Threat summary
On May 5, 2026, Palo Alto Networks disclosed a newly discovered zero-day vulnerability affecting its PAN-OS firewall operating system. The company confirmed limited exploitation in the wild at the time of disclosure, with activity focused on systems accessible from untrusted networks.
The flaw, tracked as CVE-2026-0300 and scored 9.3 under the Common Vulnerability Scoring System (CVSS) version 4.0, is a buffer overflow in the User-ID Authentication Portal, also known as the Captive Portal service. PAN-OS uses this portal to authenticate users whose identities cannot be automatically mapped to an Internet Protocol address, commonly in guest, contractor, or bring-your-own-device environments.
The flaw is an out-of-bounds write (CWE-787) caused by insufficient validation of incoming data length in the User-ID Authentication Portal service. By sending a malicious request, a threat actor can cause the firewall to overwrite memory and execute code with root privileges. Exploitation does not require authentication or user interaction. Once a perimeter firewall is compromised in this way, it can no longer be relied on to enforce security controls and may be used to monitor traffic, steal credentials, move laterally into internal systems, or maintain long-term access.
CVE-2026-0300 applies only to PA-Series hardware firewalls and VM-Series virtual firewalls where the User-ID Authentication Portal is enabled and reachable from untrusted or internet-facing networks. On such exposed systems, the vulnerability enables unauthenticated remote code execution with the highest level of system privileges.
The affected branches are:
- PAN-OS 10.2 below 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, 10.2.18-h6
- PAN-OS 11.1 below 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, 11.1.15
- PAN-OS 11.2 below 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, 11.2.12
- PAN-OS 12.1 below 12.1.4-h5, 12.1.7
Palo Alto Networks stated that Prisma Access, Cloud Next-Generation Firewall (Cloud NGFW), and Panorama appliances are not impacted by this vulnerability.
A public proof-of-concept exploit was published on May 6, showing how an unauthenticated request to the User-ID Authentication Portal can reliably trigger the buffer overflow and achieve root-level remote code execution (RCE) on affected PAN-OS versions. While the repository is framed as research code and includes legal disclaimers, it materially lowers the barrier to exploitation by validating the exploit mechanics.
Palo Alto Networks has not shared details about who is behind the attacks and has not released indicators of compromise at the time of writing.
Analysis
Until security patches are fully available, reducing exposure is the most effective way to contain risk. Palo Alto Networks recommends limiting access to the User-ID Authentication Portal so it is reachable only from trusted internal Internet Protocol addresses. Any firewall where this portal is accessible from the internet or other untrusted networks remains exposed to active exploitation.
If the User-ID Authentication Portal is not required for business operations, Palo Alto Networks recommends disabling it entirely. Firewalls that do not have the Authentication Portal enabled are not affected by this vulnerability.
The configuration can be reviewed under *Device > User Identification > Authentication Portal Settings*, and any externally reachable portal should be treated as an urgent remediation priority.
Palo Alto Networks has stated that security fixes will be released in stages between May 13-28, depending on the PAN-OS version in use. In advance of these patches, Palo Alto released a Threat Prevention signature on May 5 for PAN-OS 11.1 and newer to help detect or block exploitation attempts. Applying this signature, where supported, provides interim protection but does not replace the need to reduce exposure and deploy patches once available.
For security teams, the immediate focus should be on identifying PA-Series and VM-Series firewalls with the User-ID Authentication Portal enabled, confirming whether those services are reachable from untrusted networks, and scheduling timely deployment of Palo Alto’s fixes as they are released. Monitoring for unexpected firewall behavior or unplanned configuration changes provides additional awareness during the period of active exploitation.
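The triage described in this section, and the affected-version list and exposure conditions given in the threat summary, can be turned into a repeatable check over a firewall inventory. The script below is an added example, not Palo Alto Networks code: it encodes the four affected branches and their fixed releases exactly as listed above, treats a version as fixed when it carries the listed hotfix for its maintenance release or is newer than the last fixed maintenance release in that branch (an assumption about how the vendor's "below" wording is meant), and then combines the version result with whether the Authentication Portal is enabled and which zones its interfaces sit in. The inventory records, the zone names and the model strings are constructed for the example; a branch not named in the advisory (such as 10.1 here) is reported as "verify" rather than assumed safe.

```python
"""Added triage example for CVE-2026-0300 (not Palo Alto Networks code).

A firewall is flagged EXPOSED only when all three advisory conditions hold:
  1. its PAN-OS version is below the fixed release for its branch,
  2. the User-ID Authentication Portal is enabled, and
  3. the portal is reachable from an untrusted or internet-facing zone.
"""
import re
from dataclasses import dataclass

# Fixed releases per affected branch, as listed in the advisory.
FIXED_VERSIONS = {
    "10.2": ["10.2.7-h34", "10.2.10-h36", "10.2.13-h21", "10.2.16-h7", "10.2.18-h6"],
    "11.1": ["11.1.4-h33", "11.1.6-h32", "11.1.7-h6", "11.1.10-h25", "11.1.13-h5", "11.1.15"],
    "11.2": ["11.2.4-h17", "11.2.7-h13", "11.2.10-h6", "11.2.12"],
    "12.1": ["12.1.4-h5", "12.1.7"],
}

# Platforms the advisory names as affected; Panorama, Prisma Access and
# Cloud NGFW are stated to be out of scope. Model strings are constructed.
AFFECTED_MODELS = {"PA-Series", "VM-Series"}

# Zones this example treats as untrusted (constructed names).
UNTRUSTED_ZONES = {"untrust", "internet", "guest-wifi"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'11.1.4-h33' -> (11, 1, 4, 33); a release with no hotfix gets hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def version_is_fixed(text):
    """True/False for the four listed branches; None when the branch is not
    listed in the advisory, so callers can treat it as 'verify with vendor'."""
    major, minor, maint, hotfix = parse_version(text)
    fixes = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixes is None:
        return None
    fixed = [parse_version(f) for f in fixes]
    # The fix shipped as a hotfix on this exact maintenance release?
    for _, _, f_maint, f_hotfix in fixed:
        if f_maint == maint:
            return hotfix >= f_hotfix
    # Assumption: a maintenance release newer than the last fixed one in the
    # branch (e.g. 11.1.16) carries the fix; anything in between or older does not.
    return maint > max(f[2] for f in fixed)


@dataclass
class Firewall:
    name: str
    model: str
    version: str
    portal_enabled: bool
    portal_zones: tuple  # zones whose interfaces serve the Authentication Portal


def triage(fw):
    """Return 'not-affected', 'patched', 'mitigated', 'EXPOSED' or 'verify'."""
    if fw.model not in AFFECTED_MODELS:
        return "not-affected"
    fixed = version_is_fixed(fw.version)
    if fixed is None:
        return "verify"
    if fixed:
        return "patched"
    if not fw.portal_enabled:
        return "not-affected"  # advisory: portal disabled => not affected
    if not set(fw.portal_zones) & UNTRUSTED_ZONES:
        return "mitigated"  # vulnerable build, but portal reachable only from trusted zones
    return "EXPOSED"


# Constructed inventory for the example.
INVENTORY = [
    Firewall("edge-fw-1", "PA-Series", "10.2.10-h20", True, ("untrust", "trust")),
    Firewall("edge-fw-2", "PA-Series", "11.1.15", True, ("untrust",)),
    Firewall("dc-fw-1", "PA-Series", "11.2.8", True, ("trust",)),
    Firewall("vm-fw-lab", "VM-Series", "12.1.4", False, ()),
    Firewall("panorama-1", "Panorama", "11.1.2", False, ()),
    Firewall("branch-fw-3", "PA-Series", "10.1.9-h3", True, ("guest-wifi",)),
]


def exposed_firewalls(inventory=INVENTORY):
    """Names of firewalls that need urgent exposure reduction."""
    return [fw.name for fw in inventory if triage(fw) == "EXPOSED"]


if __name__ == "__main__":
    for fw in INVENTORY:
        print(f"{fw.name:12} {fw.version:12} {triage(fw)}")
```

Running the script lists each firewall with its verdict; only edge-fw-1 comes out as EXPOSED, dc-fw-1 is reported as mitigated because its portal is bound to a trusted zone only, and branch-fw-3 is marked for verification because the 10.1 branch is not listed in the advisory. Feeding the real inventory from Panorama or a CMDB into `INVENTORY` is the obvious adaptation; the zone classification is the part that needs the most care, since a portal bound to an "internal" zone that is itself reachable from a guest network is still exposed.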