On 6 May 2026, Palo Alto Networks published a security advisory for CVE-2026-0300, a critical unauthenticated buffer overflow in the User-ID Authentication Portal (also known as Captive Portal) affecting PAN-OS PA-Series and VM-Series firewall appliances.
The flaw, rated CVSSv4 9.3, enables an unauthenticated remote attacker to send specially crafted packets to a device with the Authentication Portal enabled, achieving arbitrary code execution with root privileges; Prisma Access, Cloud NGFW and Panorama are not affected.
Palo Alto Networks has confirmed limited exploitation in the wild targeting Authentication Portals exposed to untrusted IP addresses or the public internet, and there are no patches yet, with fixed versions expected to begin rolling out on 13 May 2026 and continuing through 28 May 2026. Shodan identifies approximately 225,000 internet-facing PAN-OS instances, highlighting a significant attack surface.
Rapid7 urges organisations running affected PAN-OS versions with the User-ID Authentication Portal enabled to apply the workarounds described in the Palo Alto Networks advisory immediately and to prioritise patching as soon as fixed versions become available.