Cyber Resilience

CVE-2026-0300

CriticalCISA KEVActive ExploitationEUVD Exploited

Published: 06 May 2026

Published
06 May 2026
Modified
12 May 2026
KEV Added
06 May 2026
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:C/RE:M/U:Red
EPSS Score 0.3616 98.3th percentile
Risk Priority 100 floored blend · peak EPSS

Summary

CVE-2026-0300 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Paloaltonetworks Pan-Os. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 1.7% of CVEs by exploit likelihood; CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).

Deeper analysis

A buffer overflow vulnerability exists in the User-ID Authentication Portal, also known as the Captive Portal service, within Palo Alto Networks PAN-OS software. The flaw affects PA-Series and VM-Series firewalls and is tracked as CVE-2026-0300 with a CVSS score of 9.3. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted. The issue stems from improper handling of specially crafted packets and is classified under CWE-787.

An unauthenticated attacker with network access can send crafted packets to the portal service and achieve arbitrary code execution with root privileges on the affected firewall. Exploitation does not require user interaction or authentication when the portal is reachable.

Vendor guidance and related advisories, including the Palo Alto Networks security bulletin and the Siemens product certificate, emphasize that the risk is substantially reduced by following best-practice access controls that restrict the portal to trusted internal IP addresses only. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog.

EPSS scores for this CVE rose from a low baseline to a peak of 0.1490 on 2026-05-07 before receding to the current value of 0.0492, indicating increased exploitation interest shortly after disclosure.

EU & UK References

Vulnerability details

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted…

more

packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

CWE(s)
KEV Date Added
06 May 2026

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

Buffer overflow in exposed Captive Portal enables remote unauthenticated RCE as root, directly mapping to public-facing app exploitation and priv esc via exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-0257Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2025-0108Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2024-3400Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2025-0111Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2025-59718Same product: Siemens Ruggedcom Ape1808both on KEV
CVE-2026-24858Same product: Siemens Ruggedcom Ape1808both on KEV
CVE-2025-0282Same product class: VPN / SSL gatewayboth on KEV
CVE-2016-5195Same product: Paloaltonetworks Pan-Osboth on KEV
CVE-2026-3055Same product class: VPN / SSL gatewayboth on KEV
CVE-2025-7775Same product class: VPN / SSL gatewayboth on KEV

Affected Assets

paloaltonetworks
pan-os
10.2.0, 10.2.1, 10.2.10, 10.2.11, 10.2.12
siemens
ruggedcom ape1808 firmware
all versions

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly enforces IP-based access restrictions on the User-ID Authentication Portal, blocking unauthenticated external attackers from reaching the vulnerable service as recommended by the vendor.

prevent

Implements boundary protections and network segmentation to prevent external reachability of the Captive Portal service on PA/VM-Series firewalls.

prevent

Requires timely application of vendor patches to eliminate the buffer overflow flaw (CWE-787) that enables unauthenticated root code execution.

References