RAPID7 CYBERSECURITY BLOG
Critical Buffer Overflow in Palo Alto Networks PAN-OS User-ID Authentication Portal (CVE-2026-0300)
Strategic summary
A critical buffer overflow vulnerability (CVE-2026-0300) in the Palo Alto Networks PAN-OS User-ID Authentication Portal allows unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability is being actively exploited in the wild, but no patches are available yet. PA-Series and VM-Series firewalls with the portal enabled are affected, which could be relevant for many manufacturing companies in the DACH region. Organizations should immediately apply the provided workarounds and prioritize patching as soon as fixes are released.
Key findings
- The vulnerability is actively exploited in the wild and has been added to CISA’s Known Exploited Vulnerabilities catalog.
- Attackers can gain root access without authentication, initial attacks use open-source tunneling tools and conduct Active Directory enumeration.
- No patches are available yet, fixes are expected between May 13 and May 28, 2026, workarounds must be implemented immediately.
- Worldwide, approximately 225,000 internet-facing PAN-OS instances have been identified, presenting a large attack surface.
- Affected versions: PAN-OS 12.1 and 11.2, organizations must verify the configuration of the Authentication Portal.