CISA KEV Alert 5/6/2026, 7:01:42 PM

CISA flags exploit in Palo Alto firewall flaw CVE-2026-0300

Siemens RUGGEDCOM APE1808 Devices

According to Siemens ProductCERT, a buffer overflow vulnerability in the User-ID Authentication Portal (Captive Portal) service of Palo Alto Networks PAN-OS software could allow an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted packets. The following versions of…

First seen 2026-05-06T05:01:14.381Z · Last seen 2026-05-19T18:01:14.899Z

CyberSIXT Evidence Panel: source marked as original reporting
Primary source: cisa.gov
CISA KEV: listed in KEV
Patch: available

CISA has added CVE-2026-0300 to its Known Exploited Vulnerabilities (KEV) catalogue. The flaw affects Palo Alto Networks PAN-OS, specifically the User‑ID Authentication Portal (Captive Portal) service on PA‑Series and VM‑Series firewalls. The vulnerability, named Palo Alto Networks PAN‑OS Out‑of‑bounds Write Vulnerability, allows an unauthenticated attacker to execute arbitrary code with root privileges by sending specially crafted packets.

Technical detail: It is an out‑of‑bounds write vulnerability that can be triggered remotely without authentication, leading to remote code execution as root on the firewall. The CVSS score is 0.0, which rates the issue as low severity according to the NVD scoring system, although the impact described is high. A patch is available from the vendor.

Exploitation and risk: Because the entry appears in the KEV catalogue, CISA confirms that the vulnerability is being actively exploited in the wild. No known ransomware campaign has been linked to this CVE at this time. Federal civilian executive branch (FCEB) agencies must remediate the issue by the CISA‑set deadline of 9 May 2026.

Required action: CISA directs FCEB agencies to apply mitigations per vendor instructions, follow applicable BOD 22‑01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: restrict User‑ID Authentication Portal access to only trusted zones, or disable the User‑ID Authentication Portal if it is not required. All other organisations are advised to review their exposure to PAN‑OS and implement the same mitigations as a precaution.
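The workaround above can be checked against a firewall inventory. The following is an added example, not part of the original alert or of any CISA or vendor tooling: the KEV record uses the catalogue's JSON field names with values from this alert, while the inventory, its field names, the zone names and the trusted-zone list are constructed assumptions.

```python
from datetime import date

# KEV record using the catalogue's JSON field names; values come from the alert above.
KEV_ENTRY = {
    "cveID": "CVE-2026-0300",
    "vendorProject": "Palo Alto Networks",
    "product": "PAN-OS",
    "dueDate": "2026-05-09",
}

# Constructed inventory: host names, fields and zone names are hypothetical.
INVENTORY = [
    {"host": "fw-dc-01", "product": "PAN-OS", "portal_enabled": True, "portal_zones": ["corp-lan"]},
    {"host": "fw-edge-01", "product": "PAN-OS", "portal_enabled": True, "portal_zones": ["corp-lan", "guest"]},
    {"host": "fw-lab-01", "product": "PAN-OS", "portal_enabled": False, "portal_zones": ["guest"]},
    {"host": "sw-core-01", "product": "OtherOS", "portal_enabled": False, "portal_zones": []},
]
TRUSTED_ZONES = {"corp-lan"}  # assumption: each site defines its own trusted zones
RANK = {"exposed": 0, "restricted": 1, "portal-disabled": 2}


def triage(entry, inventory, trusted, today):
    """Rank in-scope assets by Authentication Portal exposure and report the deadline."""
    days_left = (date.fromisoformat(entry["dueDate"]) - today).days
    findings = []
    for asset in inventory:
        if asset["product"] != entry["product"]:
            continue  # not the product named in the KEV entry
        zones = asset["portal_zones"]
        if not asset["portal_enabled"]:
            status, untrusted = "portal-disabled", []  # stale zone lists are ignored
        else:
            # An enabled portal with no recorded zones is treated as exposed, not assumed safe.
            untrusted = sorted(set(zones) - trusted) if zones else ["<unrecorded>"]
            status = "exposed" if untrusted else "restricted"
        findings.append({"host": asset["host"], "status": status, "untrusted_zones": untrusted,
                         "days_left": days_left, "overdue": days_left < 0})
    # Assets where the workaround is not in place come first.
    return sorted(findings, key=lambda f: (RANK[f["status"]], f["host"]))


if __name__ == "__main__":
    for finding in triage(KEV_ENTRY, INVENTORY, TRUSTED_ZONES, date(2026, 5, 7)):  # constructed date
        print(finding)
```

Assets reported as "restricted" or "portal-disabled" only have the workaround in place and still need the vendor fix.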

For full details, see the NVD entry at https://nvd.nist.gov/vuln/detail/CVE-2026-0300 and the CISA KEV catalogue.


Article by CyberSIXT
