Palo Alto Networks has warned of a critical buffer overflow in the PAN-OS User-ID Authentication Portal (tracked as CVE-2026-0300) that enables unauthenticated remote code execution on PA-Series and VM-Series firewalls. The vulnerability carries a CVSS score of 9.3 when the portal is exposed to the internet or an untrusted network, and 8.7 when access is limited to trusted internal IP addresses.
According to Palo Alto Networks, the flaw is already under limited exploitation, targeting instances where the User-ID Authentication Portal is publicly accessible; the affected PAN-OS versions listed in the advisory include the 12.1, 11.2, 11.1 and 10.2 families. The issue is unpatched at present, with fixes slated to begin rolling out from 13 May 2026. In the meantime, customers are advised to restrict access to the User-ID Authentication Portal to trusted zones, or to disable the portal if it is not required.