CVE-2026-0300
Published: 06 May 2026
Summary
CVE-2026-0300 is a critical-severity Out-of-bounds Write (CWE-787) vulnerability in Palo Alto Networks PAN-OS. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 1.7% of CVEs by exploit likelihood, and CISA has added it to the Known Exploited Vulnerabilities catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-7 (Boundary Protection).
Deeper analysis
A buffer overflow vulnerability exists in the User-ID Authentication Portal, also known as the Captive Portal service, within Palo Alto Networks PAN-OS software. The flaw affects PA-Series and VM-Series firewalls and is tracked as CVE-2026-0300 with a CVSS score of 9.3. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted. The issue stems from improper handling of specially crafted packets and is classified under CWE-787.
An unauthenticated attacker with network access can send crafted packets to the portal service and achieve arbitrary code execution with root privileges on the affected firewall. Exploitation does not require user interaction or authentication when the portal is reachable.
Vendor guidance and related advisories, including the Palo Alto Networks security bulletin and the Siemens product certificate, emphasize that the risk is substantially reduced by following best-practice access controls that restrict the portal to trusted internal IP addresses only. The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog.
EPSS scores for this CVE rose from a low baseline to a peak of 0.1490 on 2026-05-07 before receding to the current value of 0.0492, indicating increased exploitation interest shortly after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-27879
Vulnerability details
A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
- CWE(s)
- KEV Date Added: 06 May 2026
Related Threats
MITRE ATT&CK Enterprise Techniques AI
Why these techniques?
A buffer overflow in the exposed Captive Portal enables remote unauthenticated code execution as root, which maps directly to exploitation of a public-facing application and to privilege escalation via exploitation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly enforces IP-based access restrictions on the User-ID Authentication Portal, blocking unauthenticated external attackers from reaching the vulnerable service as recommended by the vendor.
Implements boundary protections and network segmentation to prevent external reachability of the Captive Portal service on PA/VM-Series firewalls.
Requires timely application of vendor patches to eliminate the buffer overflow flaw (CWE-787) that enables unauthenticated root code execution.