Critical Alert: CVE-2026-0300 in PAN-OS allows remote code execution and total control of PA-Series and VM-Series


Palo Alto Networks has confirmed in-the-wild exploitation of a critical vulnerability in PAN-OS that allows unauthenticated remote code execution in the User-ID Authentication Portal service (also known as the Captive Portal). The flaw, tracked as CVE-2026-0300, allows an attacker to send specially crafted packets that trigger a buffer overflow and execute code with root privileges on PA-Series and VM-Series deployments that use that portal.

The severity of the flaw is high: if the portal is reachable from the Internet or from untrusted networks, the CVSS score reaches 9.3, while if exposure is limited to internal, trusted IP addresses it drops to 8.7. Palo Alto Networks describes exploitation as "limited" so far, but the fact that the attack vector is a frequently exposed user-facing interface implies a high risk for organizations that have not applied strict access controls.


The affected software spans multiple PAN-OS release branches (versions 10.2, 11.1, 11.2 and 12.1) below certain patch levels; the exact list and the planned patch dates are available in the vendor's security advisory. Palo Alto Networks has announced that it will release fixes starting May 13, 2026, so until then active mitigation is the first line of defense. For technical details and the CVE reference, see the National Vulnerability Database entry at https://nvd.nist.gov/vuln/detail/CVE-2026-0300 and the Palo Alto Networks security advisory portal at https://security.paloaltonetworks.com/.

The practical implications go beyond a single isolated flaw: successful exploitation opens the door to total control of the firewall, which can result in policy evasion, lateral movement within the network, data exfiltration or installation of persistent backdoors. In addition, the existence of public-facing instances of authentication portals, often used as captive portals in Wi-Fi environments or to integrate user authentication, makes many organizations particularly attractive targets for attackers seeking to get past perimeter defenses.

While the official patch is awaited, the priority preventive measures are clear and should be implemented immediately. If the User-ID Authentication Portal is not needed, disable it. If it is needed, limit its reach to trusted internal IP ranges only, through access control lists (ACLs), administrative security rules and network segmentation; avoid exposing it to the Internet. Strengthen access controls on the firewall management plane and apply IP-based and VPN-based restrictions for any remote management access.


In addition, apply operational controls: review logs and telemetry for unusual connections or malformed packets directed at the portal service, and immediately isolate any appliance that shows signs of compromise, rotate administrative credentials and, where appropriate, restore from known-clean images. Integrate these actions into your incident response playbook and notify Palo Alto Networks support to get assistance and patches as soon as they are available.

For security teams that manage large inventories or distributed environments, it is critical to quickly identify exposed instances: audit Internet-accessible gateways and portals, use authorized scanning and firewall configuration reviews, and coordinate with managed service providers to confirm that no vulnerable endpoints remain. Maintaining a minimum-exposure policy and routinely applying security updates significantly reduces the window of risk against this kind of exploitation.
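As an added example (not from the article or from Palo Alto Networks), the following Python script classifies a constructed firewall inventory by the two exposure tiers the advisory distinguishes (Internet/untrusted versus internal-only), so a team can prioritize which portals to disable or restrict first. The trusted ranges, the `PortalConfig` fields and the sample inventory are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical trusted internal ranges; replace with your own.
TRUSTED_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = (ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0"))


@dataclass
class PortalConfig:
    hostname: str
    portal_enabled: bool   # is the User-ID Authentication Portal service on?
    allowed_sources: list  # source CIDRs the security rule/ACL lets reach it


def covered(src, trusted):
    """True if every address in src lies inside one trusted range."""
    return any(src.version == t.version and src.subnet_of(t) for t in trusted)


def classify(cfg, trusted=TRUSTED_RANGES):
    """Map one firewall to an exposure tier: disabled/internal/untrusted/internet."""
    if not cfg.portal_enabled:
        return "disabled"
    sources = [ipaddress.ip_network(s, strict=False) for s in cfg.allowed_sources]
    # No source restriction at all is treated as open to the Internet.
    if not sources or any(s in ANY for s in sources):
        return "internet"      # advisory's Internet-exposed tier (CVSS 9.3)
    if all(covered(s, trusted) for s in sources):
        return "internal"      # advisory's internal-only tier (CVSS 8.7)
    return "untrusted"         # reachable from a non-trusted range: treat as 9.3


def audit(configs, trusted=TRUSTED_RANGES):
    """Return (hostname, tier) pairs, most exposed first."""
    order = {"internet": 0, "untrusted": 1, "internal": 2, "disabled": 3}
    results = [(c.hostname, classify(c, trusted)) for c in configs]
    return sorted(results, key=lambda r: order[r[1]])


# Constructed sample inventory (not real devices).
INVENTORY = [
    PortalConfig("fw-edge-01", True, ["0.0.0.0/0"]),
    PortalConfig("fw-wifi-guest", True, ["192.168.50.0/24", "203.0.113.0/24"]),
    PortalConfig("fw-campus-02", True, ["10.20.0.0/16", "172.16.8.0/22"]),
    PortalConfig("fw-dc-03", False, []),
]

if __name__ == "__main__":
    for host, tier in audit(INVENTORY):
        print(f"{host:16} {tier}")
```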

Finally, remember that technical mitigation should be accompanied by communication and governance: report the risk to internal stakeholders, prioritize critical assets for patching and document decisions on compensating controls. CVE-2026-0300 underlines that even "user access" interfaces can become critical compromise vectors when exposed without adequate controls.
