Palo Alto Networks has warned of a critical PAN-OS flaw, tracked as CVE-2026-0300, that is being actively exploited in the wild and carries a CVSS score of 9.3. The advisory describes a buffer overflow in the User-ID Authentication Portal (the Captive Portal) service that allows unauthenticated remote code execution with root privileges on PA-Series and VM-Series firewalls when the portal is exposed to the internet.
According to Palo Alto Networks, the risk is greatly reduced if access to the User-ID Portal is restricted to trusted internal IP addresses and standard security best practices are followed. The vendor states that the issue does not affect Prisma Access, Cloud NGFW, or Panorama appliances, and that exploitation has been observed mainly against systems exposed to untrusted IP addresses or the public internet.
A fix is scheduled for 13 May 2026, with protections expected for the affected PAN-OS versions listed in the advisory. The advisory urges organisations to limit access to sensitive portals and to apply the updates as they become available to mitigate the risk.