Palo Alto Networks PAN-OS flaw exploited for remote code execution
Publish Date: 2026-05-06 04:59:00
Source Domain: securityaffairs.com
Pierluigi Paganini
May 06, 2026

Palo Alto Networks warns of a critical PAN-OS flaw (CVE-2026-0300) that is under active attack, allowing unauthenticated remote code execution.
Palo Alto Networks has warned that a critical PAN-OS vulnerability, tracked as CVE-2026-0300 (CVSS score of 9.3), is actively exploited in the wild. The flaw is a buffer overflow that allows unauthenticated remote code execution, especially when the User-ID portal is exposed to the internet.
“A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets,” reads the advisory published by Palo Alto Networks. “The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines by restricting access to only trusted internal IP addresses.”
Below is the list of impacted products:

| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 12.1 | = 12.1.4-h5 (ETA: 05/13), = 12.1.7 (ETA: 05/28) | |
| PAN-OS 11.2 | = 11.2.4-h17 (ETA: 05/28), = 11.2.7-h13 (ETA: 05/13), = 11.2.10-h6 (ETA: 05/13), = 11.2.12 (ETA: 05/28) | |
| PAN-OS 11.1 | = 11.1.4-h33 (ETA: 05/13), = 11.1.6-h32 (ETA: 05/13), = 11.1.7-h6 (ETA: 05/28), = 11.1.10-h25 (ETA: 05/13), = 11.1.13-h5 (ETA: 05/13), = 11.1.15 (ETA: 05/28) | |
| PAN-OS 10.2 | = 10.2.7-h34 (ETA: 05/28), = 10.2.10-h36 (ETA: 05/13), = 10.2.13-h21 (ETA: 05/28), = 10.2.16-h7 (ETA: 05/28), = 10.2.18-h6 (ETA: 05/13) | |
| Prisma Access | None | All |

The cybersecurity vendor states that the issue doesn’t impact Prisma Access, Cloud NGFW and Panorama appliances.
Palo Alto Networks says the flaw is being exploited in a limited way, mainly against systems where the User-ID Authentication Portal…