Palo Alto Firewalls Under Active Attack via Root-Level RCE Flaw
CVE-2026-0300 allows unauthenticated attackers to execute code as root on PA-Series and VM-Series firewalls. Patches coming May 13—here's how to mitigate now.
Attackers are actively exploiting a buffer overflow vulnerability in Palo Alto Networks firewalls that grants unauthenticated remote code execution with root privileges. The flaw, tracked as CVE-2026-0300, affects the User-ID Authentication Portal (Captive Portal) service on PA-Series and VM-Series appliances.
Palo Alto Networks disclosed the vulnerability on May 6, 2026, confirming "limited exploitation targeting portals exposed to untrusted IP addresses and/or the public internet." Patches are expected to arrive on May 13 for most affected versions, with a second wave on May 28.
What Makes This Flaw Dangerous
CVE-2026-0300 is a buffer overflow in PAN-OS's Captive Portal service. An attacker can send specially crafted packets to trigger the overflow without any authentication, then execute arbitrary code as root on the underlying system. That's complete control over the firewall.
The vulnerability is automatable, meaning attackers can scan for vulnerable devices and exploit them at scale. While current exploitation appears limited to internet-exposed portals, organizations running User-ID Authentication on internal segments shouldn't assume they're safe—lateral movement from a compromised endpoint could reach these services.
This marks another entry in a growing pattern of critical firewall vulnerabilities that bypass authentication entirely. Network appliances sit at trust boundaries, and when they fall, attackers gain a foothold that's difficult to detect and harder to remove.
Affected Versions
PA-Series and VM-Series firewalls running PAN-OS with User-ID Authentication Portal enabled are vulnerable. The affected version matrix is extensive:
Patches expected May 13:
- PAN-OS before 12.1.4-h5
- PAN-OS before 11.2.7-h13, 11.2.10-h6
- PAN-OS before 11.1.4-h33, 11.1.6-h32, 11.1.10-h25, 11.1.13-h5
- PAN-OS before 10.2.10-h36, 10.2.18-h6
Patches expected May 28:
- PAN-OS before 12.1.7
- PAN-OS before 11.2.4-h17, 11.2.12
- PAN-OS before 11.1.7-h6, 11.1.15
- PAN-OS before 10.2.7-h34, 10.2.13-h21, 10.2.16-h7
Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
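A matrix this fragmented is easy to misread, because a hotfix build such as 11.1.10-h25 only repairs the 11.1.10 maintenance release, while a plain release such as 11.1.15 covers that build and everything after it in the 11.1 line. The checker below is an added example, not Palo Alto Networks code or tooling, and the table inside it contains only the first-fixed versions listed above. It assumes those hotfix-versus-release semantics (stated in the docstring; the page itself does not spell them out), takes the installed version string as the operator reads it from the `sw-version` line of `show system info`, and reports whether a build is fixed, still vulnerable (with the builds it could move to and their expected patch dates), or in a feature release the summary above does not list, so the script never guesses either way for 10.1 or 11.0.

```python
"""Assess an installed PAN-OS version against the CVE-2026-0300 fix matrix.

Added example for this article; not Palo Alto Networks code. Fixed versions
are copied from the advisory summary above; release semantics are an
assumption documented in is_remediated_by().
"""
import re
from typing import NamedTuple


class PanOsVersion(NamedTuple):
    """PAN-OS version as major.minor.maint[-hN]; hotfix is 0 when absent."""
    major: int
    minor: int
    maint: int
    hotfix: int


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse '11.1.10-h25' or '11.1.15'; reject anything else loudly."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# First fixed builds from the advisory summary, keyed by expected patch date.
# "PAN-OS before X" in the advisory means X is the first fixed build.
FIXED_VERSIONS = {
    "2026-05-13": [
        "12.1.4-h5",
        "11.2.7-h13", "11.2.10-h6",
        "11.1.4-h33", "11.1.6-h32", "11.1.10-h25", "11.1.13-h5",
        "10.2.10-h36", "10.2.18-h6",
    ],
    "2026-05-28": [
        "12.1.7",
        "11.2.4-h17", "11.2.12",
        "11.1.7-h6", "11.1.15",
        "10.2.7-h34", "10.2.13-h21", "10.2.16-h7",
    ],
}


def is_remediated_by(installed: PanOsVersion, fix: PanOsVersion) -> bool:
    """True if running `installed` already includes fix `fix`.

    Assumption about PAN-OS release semantics (not stated on the page):
    a hotfix build (-hN) remediates only its own maintenance release, so
    11.1.10-h25 fixes 11.1.10 but says nothing about 11.1.11; a plain
    maintenance release (no -h suffix) remediates itself and every later
    build in the same feature release, so 11.1.15 also covers 11.1.16.
    """
    if (installed.major, installed.minor) != (fix.major, fix.minor):
        return False
    if fix.hotfix:
        return installed.maint == fix.maint and installed.hotfix >= fix.hotfix
    return installed.maint >= fix.maint


def assess(version_text: str) -> dict:
    """Classify one installed version: fixed, vulnerable, or not listed."""
    installed = parse_version(version_text)
    line = (installed.major, installed.minor)
    same_line = []  # (fix, fix_text, patch_date) within this feature release
    for patch_date, fixes in FIXED_VERSIONS.items():
        for fix_text in fixes:
            fix = parse_version(fix_text)
            if (fix.major, fix.minor) != line:
                continue
            if is_remediated_by(installed, fix):
                return {"version": version_text, "status": "fixed",
                        "fixed_by": fix_text, "patch_date": patch_date}
            same_line.append((fix, fix_text, patch_date))
    if not same_line:
        # Feature release not in the summary above: report it, do not guess.
        return {"version": version_text, "status": "not_in_listed_matrix",
                "fixed_by": None, "patch_date": None}
    # Builds in this line that are newer than what is installed, oldest first.
    targets = sorted(entry for entry in same_line if entry[0] > installed)
    return {"version": version_text, "status": "vulnerable",
            "upgrade_targets": [(text, date) for _, text, date in targets]}


if __name__ == "__main__":
    # Constructed sample inventory, not data from any real device.
    for v in ["11.1.10-h20", "11.1.14", "11.1.16", "12.1.4", "10.1.5"]:
        print(assess(v))
```

The "vulnerable" result lists every newer fixed build in the same feature release rather than only the nearest one, so an operator on 11.1.10-h20 sees both the May 13 hotfix for their own maintenance release and the later plain releases, and can pick the target that fits their change window.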
Immediate Mitigations
Until patches arrive, Palo Alto Networks recommends two primary mitigations:
- Restrict portal access to trusted zones only — Remove any rules allowing untrusted networks (including the internet) to reach the Authentication Portal. This is the most effective mitigation.
- Disable Authentication Portal if not required — If your organization doesn't actively use User-ID authentication via the Captive Portal, disable the feature entirely.
Organizations using these firewalls for VPN or remote access should audit which zones can reach the Authentication Portal and tighten access controls immediately. The one-week gap until patches arrive is a significant exposure window.
Detection and Response
No specific indicators of compromise have been published yet. Organizations should:
- Review firewall logs for unusual authentication attempts or process spawning
- Monitor for unexpected configuration changes
- Check for signs of persistence mechanisms if exploitation is suspected
- Treat any confirmed compromise as a potential full network breach given root access
The exploitation of network appliances has become a recurring theme in 2026, with attackers targeting the very devices meant to protect networks. These firewalls often have visibility into east-west traffic and can serve as launching points for deeper intrusion.
Why This Matters
Palo Alto Networks firewalls protect a significant portion of enterprise infrastructure globally. A root-level RCE with no authentication requirement is about as bad as firewall vulnerabilities get. The automation potential means this will likely see broader exploitation before patches deploy.
For organizations that can't immediately restrict portal access, the calculus becomes uncomfortable: continue operating with a known exploited vulnerability or accept reduced functionality until May 13. There's no good answer, but "do nothing" isn't an option. We've seen similar urgency around FortiClient EMS vulnerabilities where CISA mandated federal patching deadlines.
Security teams should also use this as a reminder to audit which services on network appliances are actually necessary. Features like Captive Portal that were enabled years ago may no longer serve a purpose but expand the attack surface considerably.