CVE-2026-0300: Palo Alto PAN-OS Root RCE Actively Exploited, Patches Arrive May 13
State-sponsored threat actors are actively exploiting CVE-2026-0300, a CVSS 9.3 buffer overflow in the Palo Alto Networks PAN-OS User-ID Authentication Portal. The vulnerability gives unauthenticated attackers root-level code execution on PA-Series and VM-Series firewalls, with no patch available until May 13, 2026.
CVE-2026-0300 is a buffer overflow in the User-ID Authentication Portal service, also known as the Captive Portal, built into PAN-OS. Attackers send specially crafted packets to the portal on network ports 6081 and 6082, triggering an out-of-bounds write condition that executes arbitrary code with root privileges on the target firewall. No authentication is required. No user interaction is needed. Palo Alto Networks' CVSS 4.0 assessment assigns CVE-2026-0300 its highest urgency rating of Red with an Exploit Status of Active.
Exploitation was confirmed on May 6, 2026. Palo Alto Networks updated its advisory on May 7 to attribute attacks to state-sponsored threat actors. CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalog the same day. Shodan identifies 67 PAN-OS systems with ports 6081 or 6082 currently exposed to the public internet. Wiz research shows 7 percent of PAN-OS environments have a publicly reachable Authentication Portal. The first patches do not ship until May 13, leaving a five-day window in which configuration-level workarounds are the only available protection.
Any organization running a PA-Series or VM-Series firewall with the User-ID Authentication Portal enabled and reachable from an untrusted network faces direct risk of root-level compromise this weekend. Prisma Access, Cloud NGFW, and Panorama are not affected. This post covers the technical mechanism, affected versions, active exploitation evidence, and the specific steps to close this attack surface today.
How Does CVE-2026-0300 Enable Unauthenticated Root Access?
CVE-2026-0300 exploits a buffer overflow in the User-ID Authentication Portal service in Palo Alto Networks PAN-OS. The portal processes HTTP packets to redirect unauthenticated users to a login page before granting network access. A logic flaw in how the service parses incoming network data allows an attacker to write beyond the intended memory buffer boundary, creating an out-of-bounds write condition that corrupts adjacent memory and redirects program execution to attacker-controlled code.
The exploit requires no prior authentication. The attack path is: send specially crafted packets to the Authentication Portal on the target firewall's network interface on port 6081 or 6082. The buffer overflow triggers during packet parsing before the service performs any credential check. Code execution achieves root privileges on the underlying PA-Series or VM-Series hardware because the portal service runs with elevated system permissions.
The attack is fully network-accessible from any untrusted location that can reach the portal interface. The CVSS 4.0 vector confirms this: AV:N (network-accessible), AC:L (low complexity), PR:N (no privileges required), UI:N (no user interaction). Palo Alto Networks' Threat Prevention signature Threat ID 510019, available in content update 9097-10022, blocks known exploitation attempts at the network level for PAN-OS 11.1 and later, but requires Threat Prevention to be active on the interface receiving untrusted traffic.
Two configuration conditions must both be true for a firewall to be exploitable. First, the User-ID Authentication Portal must be enabled in Device settings. Second, the Interface Management Profile attached to an internet-facing L3 interface must have Response Pages enabled. Disabling either condition removes the exploitable attack surface. This is why the configuration workarounds are immediately effective: they eliminate one or both prerequisites without requiring any software update.
Which PAN-OS Versions Are Affected by CVE-2026-0300?
CVE-2026-0300 affects PA-Series and VM-Series firewalls across four PAN-OS version branches: 10.2, 11.1, 11.2, and 12.1. Prisma Access, Cloud NGFW, and Panorama are explicitly not affected and require no action.
The patch timeline is split across two release dates. First-wave patches ship May 13, 2026, covering: 12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, and 10.2.18-h6. Organizations on these branches should schedule an immediate upgrade for May 13 as their primary remediation action.
Second-wave patches ship May 28, 2026, covering: 12.1.7, 11.2.4-h17, 11.2.12, 11.1.7-h6, 11.1.15, 10.2.7-h34, 10.2.13-h21, and 10.2.16-h7. Organizations on May 28 branches face a 20-day window with no software-level fix available. For those deployments, configuration workarounds are mandatory and must be applied before end of business today.
PAN-OS 10.1 and earlier are not listed in the advisory. Branches at or near end-of-life do not have guaranteed remediation coverage and Palo Alto Networks has not committed to backports for those versions. Organizations running end-of-life PAN-OS should treat their risk as unresolved, apply all available configuration mitigations immediately, and accelerate hardware refresh timelines.
To assess exposure across an entire estate, log into Panorama and use the device summary view to export all connected firewall PAN-OS versions. Cross-reference each version against the patch matrix in the official advisory at security.paloaltonetworks.com/CVE-2026-0300.
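As an added example (not Palo Alto Networks' tooling and not from the advisory), a Python helper that checks a Panorama version export against the patch matrix quoted in this post. The rule that a listed fix covers its own maintenance release at that hotfix level or higher is an assumption to verify against the advisory.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions as listed in this post, keyed by the ship date of each patch wave.
FIXED_VERSIONS: Dict[str, List[str]] = {
    "2026-05-13": ["12.1.4-h5", "11.2.7-h13", "11.2.10-h6", "11.1.4-h33", "11.1.6-h32",
                   "11.1.10-h25", "11.1.13-h5", "10.2.10-h36", "10.2.18-h6"],
    "2026-05-28": ["12.1.7", "11.2.4-h17", "11.2.12", "11.1.7-h6", "11.1.15",
                   "10.2.7-h34", "10.2.13-h21", "10.2.16-h7"],
}
AFFECTED_BRANCHES = {"10.2", "11.1", "11.2", "12.1"}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Split 'major.minor.patch[-hN]' into a comparable tuple; no -h suffix means h0."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {v!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess(running: str) -> Tuple[str, str]:
    """Return (status, detail) for one firewall's running PAN-OS version.

    Assumed rule (verify against the advisory): a listed fix covers its own
    maintenance release at that hotfix level or higher, so 11.1.4-h33 and
    11.1.4-h34 count as fixed, 11.1.4-h32 does not, and a release with no
    listed fix (e.g. 11.1.5) must move to a listed one in the same branch.
    """
    maj, mn, pt, hf = parse_version(running)
    branch = f"{maj}.{mn}"
    if branch not in AFFECTED_BRANCHES:
        return "not-listed", f"{branch} is not in the advisory; if end-of-life, treat risk as unresolved"
    for ship_date, fixes in FIXED_VERSIONS.items():
        for fix in fixes:
            fmaj, fmn, fpt, fhf = parse_version(fix)
            if (fmaj, fmn, fpt) != (maj, mn, pt):
                continue
            if hf >= fhf:
                return "fixed", f"{running} is at or above fixed release {fix}"
            return "fix-pending", f"upgrade to {fix} (ships {ship_date}); apply workarounds until then"
    same_branch = [f for fixes in FIXED_VERSIONS.values() for f in fixes if f.startswith(branch + ".")]
    return "no-fix-for-release", f"no fix listed for {maj}.{mn}.{pt}; move to one of: {', '.join(same_branch)}"


def triage(inventory: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Assess a {hostname: version} mapping exported from Panorama's device summary."""
    return {host: assess(ver) for host, ver in inventory.items()}
```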
State-Sponsored Actors Actively Exploiting Exposed Palo Alto Firewalls
Palo Alto Networks confirmed limited in-the-wild exploitation of CVE-2026-0300 on May 6, 2026. Its updated advisory on May 7 states that attacks are "likely the work of state-sponsored threat actors." CISA added CVE-2026-0300 to the Known Exploited Vulnerabilities catalog following that attribution update, triggering a mandatory patching deadline for all federal civilian executive branch agencies under BOD 22-01.
The targeting pattern focuses on firewalls with Authentication Portals exposed to untrusted networks or the internet. Wiz telemetry shows 7 percent of PAN-OS environments have publicly reachable portal interfaces. Shodan identifies 67 systems currently exposing ports 6081 or 6082 to the internet. This is a narrow but high-value attack surface: root-level firewall compromise delivers complete network traffic visibility, the ability to intercept VPN credentials and session tokens, and a persistent foothold for lateral movement into internal network segments with no endpoint-level detection footprint.
This targeting pattern aligns with established state-sponsored tradecraft. [State-sponsored threat actors exploiting network appliances](/blog/unc5221-brickstorm-china-apt-legal-saas-espionage) have consistently targeted firewall-class devices because root access to a perimeter device delivers intelligence collection capabilities that remain invisible to EDR, SIEM endpoint alerts, and standard detection tooling. The compromise exists at the network infrastructure layer, not on monitored workstations or servers.
Palo Alto Networks has not named a specific threat cluster. Attribution to state-sponsored actors is based on the targeting scope — enterprises, critical infrastructure, and government networks — rather than the opportunistic mass scanning patterns typical of financially motivated cybercrime groups.
“Limited exploitation has been observed in production, with attacks likely the work of state-sponsored threat actors.”
Palo Alto Networks Security Advisory update, May 7, 2026
How to Find Vulnerable PAN-OS Authentication Portal Instances Now
Assess your exposure with three checks before taking remediation action.
First, determine whether the User-ID Authentication Portal is enabled. Log into the PAN-OS management interface, navigate to Device then User Identification, and check whether the Authentication Portal or Captive Portal is active in your configuration. If it is globally disabled, your attack surface for CVE-2026-0300 does not exist at the service level. If it is enabled, proceed to the zone check.
Second, confirm the portal zone is restricted to internal trusted zones. Navigate to Network then Zones and identify every zone containing interfaces that receive internet or untrusted traffic. If any such zone has Authentication Portal access, your firewall is exposed. Check your Interface Management Profiles under Network then Network Profiles then Interface Management Profile: if Response Pages is enabled on any L3 interface attached to an internet-facing zone, both exploitation prerequisites are met.
Third, validate external reachability. Search Shodan using the query `port:6081 org:"[your ASN]"` or `port:6082 org:"[your ASN]"`. Any results confirm that internet-facing scanners can reach your Authentication Portal right now. Wiz's attack surface module and similar external exposure tools flag port-6081 reachability on PAN-OS devices as a critical finding.
For Panorama-managed environments, use the Panorama API or management console to query all connected firewalls for their User-ID Authentication Portal configuration state in a single pass. This week's [CISA Known Exploited Vulnerabilities additions](/blog/cve-2026-31431-linux-copy-fail-weekly-brief) include CVE-2026-0300 alongside multiple other actively exploited flaws, reinforcing the importance of a comprehensive KEV sweep across your full asset inventory today.
How to Close the PAN-OS Firewall Attack Surface Before the Patch
The following steps eliminate the configuration conditions required for CVE-2026-0300 exploitation. Steps 1 through 3 require no software update and take effect immediately upon commit.
Why Firewall Root Compromise Puts Your Entire Network at Risk
A root-level compromise of a perimeter firewall is categorically more damaging than most endpoint breaches. The firewall sits at the boundary of your network, processing all inbound and outbound traffic. An attacker with root access to that device gains capabilities no endpoint implant provides.
Traffic interception is the first-order risk. A threat actor with root access can capture all traffic transiting the firewall, including VPN authentication handshakes, credential exchanges, and unencrypted internal communications. Session tokens for web applications, SAML assertions, and Kerberos tickets flowing through the firewall become accessible to the attacker without any additional exploitation step.
Lateral movement from the firewall is the second-order risk. PA-Series and VM-Series firewalls authenticate to internal management systems, Active Directory, logging infrastructure, and SIEM platforms. Root access gives attackers the firewall's credentials and trust relationships, providing an authenticated entry point into internal network zones that would otherwise require significant additional effort to reach from an internet-facing position.
Long-term persistence is the third-order risk. Attackers with root access can install persistent backdoors in the firewall's operating system, establish command-and-control channels that masquerade as legitimate management traffic, and survive firewall configuration restores that do not involve a full OS re-imaging. This persistence pattern is consistent with prior state-sponsored campaigns against network appliances documented by CISA and multiple threat intelligence vendors.
The combination of network visibility, trusted internal access, and persistence capability makes a compromised perimeter firewall a high-priority incident response event even when post-compromise lateral movement has not yet been confirmed. Organizations that have not applied the CVE-2026-0300 workarounds should treat this as a same-day action item, not a scheduled maintenance window.
The bottom line
CVE-2026-0300 exposes Palo Alto PAN-OS firewalls to unauthenticated root-level code execution through the Authentication Portal, with state-sponsored actors actively exploiting 67 internet-exposed instances. No patch ships until May 13. Three actions to take before end of business today: restrict the Authentication Portal to trusted zones only, disable Response Pages on every internet-facing Interface Management Profile, and enable Threat ID 510019 if running PAN-OS 11.1 or later. Schedule your May 13 upgrade now.
Frequently asked questions
What is CVE-2026-0300 and why is it critical?
CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal service of Palo Alto Networks PAN-OS. It carries a CVSS score of 9.3 and allows an unauthenticated attacker to execute arbitrary code with root privileges on PA-Series and VM-Series firewalls by sending specially crafted network packets. Palo Alto Networks rates it at their highest urgency level of Red with an Exploit Status of Active. CISA has added it to the Known Exploited Vulnerabilities catalog after confirming active exploitation attributed to state-sponsored threat actors.
Does CVE-2026-0300 require authentication to exploit?
No. CVE-2026-0300 requires no authentication, no special privileges, and no user interaction. The CVSS 4.0 vector confirms all three: PR:N (no privileges required), UI:N (no user interaction), AV:N (network accessible). An attacker needs only network access to the Authentication Portal interface. The absence of any authentication prerequisite is what elevates this to maximum urgency — any internet-reachable portal instance is immediately exploitable by any actor with network connectivity.
Which PAN-OS versions are affected by CVE-2026-0300?
CVE-2026-0300 affects PA-Series and VM-Series firewalls running PAN-OS 10.2, 11.1, 11.2, and 12.1 across multiple sub-versions. Prisma Access, Cloud NGFW, and Panorama are not affected. First-wave patches ship May 13, 2026 covering versions including 12.1.4-h5, 11.2.7-h13, 11.1.4-h33, and 10.2.10-h36. A second wave ships May 28. Log into the Palo Alto Networks support portal and cross-reference your registered device versions against the full patch matrix published in the official advisory.
Is Prisma Access or Cloud NGFW affected by CVE-2026-0300?
No. Palo Alto Networks explicitly states that Prisma Access, Cloud NGFW, and Panorama appliances are not impacted by CVE-2026-0300. The vulnerability is specific to the User-ID Authentication Portal service running on PA-Series and VM-Series firewalls. Organizations that have fully migrated to Prisma Access do not require any action for this CVE. However, verify that no legacy PA-Series or VM-Series firewalls remain anywhere in the environment before assuming full coverage.
What should I do right now before the May 13 patch ships?
Three configuration actions close the attack surface without requiring a software update. First, restrict the User-ID Authentication Portal to trusted internal zones and remove access from any zone receiving internet or untrusted traffic. Second, disable Response Pages in the Interface Management Profile on every L3 interface exposed to untrusted networks — this removes a required exploitation prerequisite. Third, if running PAN-OS 11.1 or later, enable Threat Prevention Threat ID 510019 using Applications and Threats content update 9097-10022 to block known exploitation attempts at the network level.
How do I detect if CVE-2026-0300 has been exploited on my firewall?
Review PAN-OS firewall logs for anomalous traffic on ports 6081 and 6082 starting May 6, 2026, the confirmed exploitation date. Look for unexpected HTTP request patterns to the Authentication Portal from external IP addresses, unusual process spawning from the portal service, and root-level configuration changes outside of change management windows. Use Panorama to aggregate logs across your firewall estate for correlated analysis. Check Cortex XSOAR or AutoFocus dashboards for related IOC alerts if enrolled in Palo Alto Networks threat intelligence sharing.
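Added example, not from this post or from Palo Alto Networks: a Python filter for the log review described above, run over a constructed sample with assumed column names (map the headers of your own traffic-log export onto them).

```python
import csv
import io
import ipaddress
from datetime import datetime
from typing import Dict, List

PORTAL_PORTS = {6081, 6082}
EXPLOITATION_CONFIRMED = datetime(2026, 5, 6)  # confirmed exploitation date from the advisory
# Source ranges treated as internal; anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample, not real PAN-OS output. Column names are assumed; map the
# headers of your own traffic-log export onto them before running.
SAMPLE_LOG = """receive_time,src,dst,dport,from_zone,action
2026-05-05 23:10:01,203.0.113.9,198.51.100.2,6081,untrust,allow
2026-05-06 02:14:33,203.0.113.9,198.51.100.2,6081,untrust,allow
2026-05-06 02:14:35,203.0.113.9,198.51.100.2,6082,untrust,allow
2026-05-06 08:00:12,10.20.30.40,198.51.100.2,6081,trust,allow
2026-05-07 11:45:00,192.0.2.77,198.51.100.2,443,untrust,allow
2026-05-07 11:46:10,192.0.2.77,198.51.100.2,6082,untrust,allow
"""


def is_external(ip: str) -> bool:
    """True when the source address is outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def portal_hits(log_text: str, since: datetime = EXPLOITATION_CONFIRMED) -> List[Dict[str, str]]:
    """Rows where an external source reached port 6081/6082 at or after `since`."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if int(row["dport"]) not in PORTAL_PORTS:
            continue
        when = datetime.strptime(row["receive_time"], "%Y-%m-%d %H:%M:%S")
        if when < since or not is_external(row["src"]):
            continue
        hits.append(row)
    return hits


def sources_by_count(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Rank external sources by how many portal connections they made, busiest first."""
    counts: Dict[str, int] = {}
    for hit in hits:
        counts[hit["src"]] = counts.get(hit["src"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: kv[1], reverse=True))
```

Re-run with an earlier `since` to catch pre-disclosure scanning that preceded the confirmed exploitation date.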
Who is behind the attacks exploiting CVE-2026-0300?
Palo Alto Networks updated its advisory on May 7, 2026 to state that exploitation is likely the work of state-sponsored threat actors. No specific nation-state or named threat cluster has been publicly attributed as of May 8. The targeting pattern focuses on firewalls at enterprises, critical infrastructure, and government networks rather than opportunistic mass exploitation. CISA's mandatory patching directive under BOD 22-01 applies to all federal civilian executive branch agencies with an imminent remediation deadline.
When is the CVE-2026-0300 patch available and how do I apply it?
The first wave of CVE-2026-0300 patches ships May 13, 2026. Patched versions available on that date include 12.1.4-h5, 11.2.7-h13, 11.2.10-h6, 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5, 10.2.10-h36, and 10.2.18-h6. A second set ships May 28. To apply: log into the PAN-OS management interface, navigate to Device then Software, and download and install the update. For Panorama-managed deployments, use Panorama to push the update to all affected managed firewalls simultaneously from a single management operation.
Sources & references
- Palo Alto Networks Security Advisory — CVE-2026-0300
- CISA Known Exploited Vulnerabilities Catalog
- Wiz Blog — Critical Buffer Overflow Vulnerability in PAN-OS Exploited in the Wild
- Help Net Security — Root-level RCE vulnerability in Palo Alto firewalls exploited
- BleepingComputer — Palo Alto Networks warns of firewall RCE zero-day exploited in attacks
Founder & Cybersecurity Evangelist, Decryption Digest
Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals weekly.
