Palo Alto Networks recently disclosed a firewall vulnerability that is already being exploited in the wild.
The flaw affects the PAN-OS User-ID Authentication Portal and could allow unauthenticated attackers to remotely execute code with root privileges on vulnerable devices.
This vulnerability “… allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets,” said Palo Alto Networks in its advisory.
Inside CVE-2026-0300
The vulnerability affects PA-Series and VM-Series firewalls configured to use the PAN-OS User-ID Authentication Portal, also known as the Captive Portal.
This feature is used in enterprise environments to authenticate users whose identities cannot be automatically mapped by the firewall.
How the PAN-OS Vulnerability Works
The flaw (CVE-2026-0300) is caused by a buffer overflow vulnerability in the User-ID Authentication Portal service.
Attackers can exploit the issue by sending specially crafted packets to vulnerable devices, potentially allowing arbitrary code execution with root privileges.
Because the vulnerability can be exploited remotely without authentication and yields root-level access, it poses an especially high risk to internet-facing firewall deployments.
Successful exploitation could allow attackers to compromise affected firewalls and gain access to internal networks, traffic flows, authentication systems, and other connected resources.
Prisma Access, Cloud NGFW, and Panorama appliances are not affected. However, organizations using vulnerable PA-Series or VM-Series deployments may be exposed if the Authentication Portal is internet-accessible.
Internet monitoring organization Shadowserver Foundation also reported that more than 5,800 PAN-OS VM-Series firewalls are currently exposed online, with many located in Asia and North America.
At the time of publication, Palo Alto Networks had not released a patch for CVE-2026-0300, leaving organizations to rely on temporary mitigations and reduced internet exposure while exploitation activity continues.
How Organizations Can Reduce Risk
Organizations using affected Palo Alto Networks firewalls should reduce exposure by limiting internet access to the Authentication Portal and increasing monitoring of exposed systems while a permanent fix remains unavailable.
Security teams should also review their external attack surface and assess whether any vulnerable devices may have already been compromised.
- Restrict the User-ID Authentication Portal to trusted internal IP addresses, VPN ranges, or segmented administrative networks whenever possible.
- Disable the Authentication Portal entirely if its exposure cannot be securely limited to trusted zones.
- Conduct external attack surface reviews to identify exposed PA-Series or VM-Series firewalls, including forgotten cloud deployments or test environments.
- Increase logging and monitoring for unusual authentication portal traffic, service crashes, configuration changes, suspicious outbound connections, or unexpected root-level activity.
- Apply compensating controls such as upstream filtering, IPS protections, additional access controls, and network segmentation to limit potential lateral movement.
- Perform proactive threat hunting on internet-exposed systems to determine whether exploitation may have already occurred before mitigations were implemented.
- Test incident response plans and use attack simulation tools with scenarios around firewall compromise and privilege escalation.
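The first and fourth items above (restricting portal access to trusted ranges, and watching for unusual portal traffic and service crashes) can be turned into a small triage check. The script below is an added example written for this article, not code from Palo Alto Networks or from the PAN-OS product: the log layout, the `portal`/`system` components, the `portal-svc` service name, the placeholder VPN pool (TEST-NET-3, 203.0.113.0/24) and the burst thresholds are all assumptions, and the sample log lines are constructed, not real PAN-OS output.

```python
"""Added example: triage constructed portal/system log lines for (1) portal
requests from sources outside trusted ranges and (2) bursts of service
crashes. Log layout and names are placeholders, not real PAN-OS formats."""
import ipaddress
import re
from collections import Counter
from datetime import datetime, timezone

# Trusted source ranges: RFC 1918 plus a placeholder VPN pool (TEST-NET-3).
# Replace with the ranges that are actually allowed to reach the portal.
TRUSTED_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "203.0.113.0/24")
]

# Constructed sample log in a generic "timestamp level component message" layout.
SAMPLE_LOG = """\
2026-01-15T10:00:01Z INFO  portal src=10.20.30.40 status=200
2026-01-15T10:00:04Z INFO  portal src=203.0.113.9 status=200
2026-01-15T10:00:05Z INFO  portal src=198.51.100.7 status=200
2026-01-15T10:00:06Z WARN  portal src=198.51.100.7 status=500
2026-01-15T10:00:07Z ERROR system portal-svc crashed, restarting
2026-01-15T10:00:09Z WARN  portal src=198.51.100.7 status=500
2026-01-15T10:00:10Z ERROR system portal-svc crashed, restarting
2026-01-15T10:00:12Z ERROR system portal-svc crashed, restarting
2026-01-15T10:01:30Z INFO  portal src=192.168.5.5 status=200
2026-01-15T10:02:00Z INFO  portal src=198.51.100.7 status=200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\w+)\s+(\w+)\s+(.*)$")
SRC_RE = re.compile(r"\bsrc=(\S+)")


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, level, component, msg = m.groups()
    rec = {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "level": level,
        "component": component,
        "msg": msg,
    }
    s = SRC_RE.search(msg)
    if s:
        rec["src"] = ipaddress.ip_address(s.group(1))
    return rec


def is_trusted(ip, trusted=TRUSTED_RANGES):
    """True when the source address falls inside one of the trusted ranges."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in trusted)


def untrusted_portal_hits(records):
    """Count portal requests per source address that is outside the trusted ranges."""
    counts = Counter()
    for r in records:
        if r["component"] == "portal" and "src" in r and not is_trusted(r["src"]):
            counts[str(r["src"])] += 1
    return dict(counts)


def crash_bursts(records, window_seconds=60, threshold=3):
    """Return the start times of sliding windows holding >= threshold service crashes."""
    crashes = sorted(r["ts"] for r in records if "crashed" in r["msg"])
    bursts = []
    i = 0
    for j in range(len(crashes)):
        # Advance the window start until it is within window_seconds of crashes[j].
        while (crashes[j] - crashes[i]).total_seconds() > window_seconds:
            i += 1
        if j - i + 1 >= threshold:
            bursts.append(crashes[i].isoformat())
    return sorted(set(bursts))


def triage(log_text):
    """Run both checks over a log blob and return the findings."""
    records = [r for r in (parse_line(l) for l in log_text.splitlines()) if r]
    return {
        "untrusted_hits": untrusted_portal_hits(records),
        "crash_bursts": crash_bursts(records),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports four portal requests from 198.51.100.7, which is outside every trusted range, and one crash burst starting at the first crash. Either finding on a real device is a reason to pull the firewall's exports and start the threat hunt described in the list above rather than wait for the patch.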
Together, these measures can help organizations reduce exposure, improve detection capabilities, and build operational resilience.
Edge Devices Remain Prime Targets
The disclosure comes amid continued targeting of internet-facing edge devices by threat actors seeking initial access into enterprise environments.
Firewalls, VPN platforms, and remote access appliances have remained attractive targets because they combine external accessibility with privileged access to internal systems and authentication workflows.
The continued targeting of edge infrastructure is also driving organizations to adopt zero trust solutions that help reduce implicit trust and limit the blast radius of compromised edge devices.
