Actively exploitedCVSS 9.8 · CRITICAL

CVE-2026-0300

Palo Alto Networks PAN-OS contains an out-of-bounds write vulnerability in the User-ID Authentication Portal (aka Captive Portal) service that can allow an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.

View on NVD

Analysis

A critical vulnerability in Palo Alto Networks PAN-OS firewalls allows unauthenticated attackers to execute arbitrary code with root privileges. This issue is confirmed to be actively exploited in the wild. Admins should prioritize patching PA-Series and VM-Series appliances or restricting Authentication Portal access to trusted internal IP addresses immediately.

Severity

Score: 9.8(CRITICAL)

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

AV: NETWORK

AC: LOW

PR: NONE

UI: NONE

S: UNCHANGED

C: HIGH

I: HIGH

A: HIGH

Weakness (CWE): CWE-787

CISA KEV

Added to KEV: 2026-05-06

Federal patch deadline: 2026-05-09

Known ransomware use: Unknown

Required action

Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. 5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.

EPSS

Probability of exploitation (next 30 days): 0.1443 (14.4%)

Percentile: 94.5%

EPSS: 2026-05-20

Affects

paloaltonetworks:pan-ospaloaltonetworks:pa-1410paloaltonetworks:pa-1420paloaltonetworks:pa-3410paloaltonetworks:pa-3420paloaltonetworks:pa-3430paloaltonetworks:pa-3440paloaltonetworks:pa-410paloaltonetworks:pa-410rpaloaltonetworks:pa-410r-5gpaloaltonetworks:pa-415paloaltonetworks:pa-415-5gpaloaltonetworks:pa-440paloaltonetworks:pa-445paloaltonetworks:pa-450paloaltonetworks:pa-450rpaloaltonetworks:pa-450r-5gpaloaltonetworks:pa-455paloaltonetworks:pa-455-5gpaloaltonetworks:pa-455r-5gpaloaltonetworks:pa-460paloaltonetworks:pa-501paloaltonetworks:pa-505paloaltonetworks:pa-510paloaltonetworks:pa-520paloaltonetworks:pa-540paloaltonetworks:pa-5410paloaltonetworks:pa-5420paloaltonetworks:pa-5430paloaltonetworks:pa-5440paloaltonetworks:pa-5445paloaltonetworks:pa-545-poepaloaltonetworks:pa-5450paloaltonetworks:pa-550paloaltonetworks:pa-5540paloaltonetworks:pa-555-poepaloaltonetworks:pa-5550paloaltonetworks:pa-5560paloaltonetworks:pa-5570paloaltonetworks:pa-5580paloaltonetworks:pa-560paloaltonetworks:pa-7500paloaltonetworks:pa-7500-dpc-apaloaltonetworks:vm-100paloaltonetworks:vm-300paloaltonetworks:vm-50paloaltonetworks:vm-500paloaltonetworks:vm-700siemens:ruggedcom_ape1808_firmwaresiemens:ruggedcom_ape1808

Technical description

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

Published: 5/6/2026, 7:16:35 PM

Last modified: 5/12/2026, 6:47:21 PM

References

How to read this card

Actively exploited

KEV (Known Exploited Vulnerabilities) is CISA's catalog of CVEs confirmed as actively exploited in the real world. If a CVE is on KEV, someone is already using it in attacks.

CVSS 10.0

CVSS 10.0 — máxima severidad teórica. Explotable de forma remota, sin privilegios, con impacto total. Aún no confirmada como explotada en el mundo real, pero parchea ya.

AI-recommended

Un modelo de lenguaje revisó el CVE y consideró que afecta a software ampliamente desplegado o herramientas comunes de desarrollo. Un humano del equipo aprobó la publicación antes de que llegara aquí.

Categorías de impacto que evalúa la IA

widely_deployed_infra — kernel Linux, OpenSSL, glibc, k8s, Docker, nginx, OpenSSH.

popular_dev_tooling — Node.js, Python, Go, React, Next.js, librerías comunes de npm/pip.

common_consumer_software — Chrome, Firefox, Windows, macOS, apps móviles populares.

enterprise_saas — GitHub, GitLab, Atlassian, Salesforce, Cisco, Fortinet, Ivanti.

niche_software — CMS regionales, herramientas de hobby, librerías de poco uso.

not_relevant — firmware específico de proveedor, software descontinuado.

EPSS — EPSS (Exploit Prediction Scoring System) by FIRST.org estimates the probability that a CVE will be exploited in the next 30 days. Range is 0 to 1; very fresh CVEs typically score low until evidence accumulates.