Palo Alto Networks has issued a critical warning about a serious vulnerability in PAN-OS, the operating system that runs its firewalls. The flaw is being actively exploited in ongoing attacks and requires no prior authentication to compromise a device.
Designated as CVE-2026-0300, the defect is a buffer overflow in the User-ID Authentication Portal service, commonly referred to as the Captive Portal. By sending specially crafted network packets, a remote, unauthenticated attacker can execute arbitrary code with root privileges on PA-Series and VM-Series firewalls.
The severity of this issue has earned a CVSS score of 9.3 out of 10 in scenarios where the authentication portal is exposed to the internet or untrusted networks. Should access be restricted to internal, trusted IP addresses, the risk assessment is marginally reduced to 8.7.
Palo Alto Networks has confirmed instances of “limited exploitation,” primarily targeting devices where the authentication portal remains accessible via the public web. The vulnerability encompasses PAN-OS versions 10.2, 11.1, 11.2, and 12.1. Specifically, versions prior to 10.2.18-h6, 11.1.15, 11.2.12, and 12.1.7, along with several interim builds, are deemed susceptible.
At the time of this disclosure, no fixed releases are yet available. Palo Alto Networks expects to begin rolling out updates on May 13, 2026. The vulnerability affects only PA-Series and VM-Series firewalls that have the User-ID Authentication Portal enabled. Until official patches ship, the firm strongly advises administrators to restrict portal access to trusted network segments, or to disable the service entirely if it is not mission-critical.
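As an added example (not code from the advisory or from Palo Alto Networks), the following Python checker encodes the affected branches and first fixed builds listed above and classifies a firewall's PAN-OS build for CVE-2026-0300. The hotfix ordering (`10.2.18` before `10.2.18-h6`), the treatment of branches the advisory does not name, and the assumption that builds at or above a listed threshold are fixed (the "interim builds" mentioned are not enumerated here) are the author's own assumptions.

```python
import re
from typing import Tuple

# Earliest fixed build per affected PAN-OS branch, as listed in the advisory
# summary. Builds below these on the same branch are treated as vulnerable.
# Assumption: the unlisted "interim builds" are not enumerated, so a build at
# or above its branch threshold is reported as fixed.
FIXED_BUILDS = {
    (10, 2): "10.2.18-h6",
    (11, 1): "11.1.15",
    (11, 2): "11.2.12",
    (12, 1): "12.1.7",
}

# PAN-OS version strings look like MAJOR.MINOR.MAINT with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple.

    A release without a hotfix suffix sorts below the same release with one,
    so 10.2.18 < 10.2.18-h2 < 10.2.18-h6 (assumed ordering).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess_cve_2026_0300(version: str, portal_enabled: bool) -> str:
    """Return 'not_affected', 'unlisted_branch', 'vulnerable' or 'fixed'.

    portal_enabled: whether the User-ID Authentication (Captive) Portal is on;
    the advisory scopes the issue to devices with that service enabled.
    """
    if not portal_enabled:
        return "not_affected"
    parsed = parse_panos_version(version)
    branch = parsed[:2]
    if branch not in FIXED_BUILDS:
        # Branch not named in the advisory: confirm with the vendor rather
        # than assuming it is safe.
        return "unlisted_branch"
    if parsed < parse_panos_version(FIXED_BUILDS[branch]):
        return "vulnerable"
    return "fixed"
```

Feed it the output of your inventory (for example one line per firewall with version and portal state) to triage which devices need the portal restricted or disabled before the patches arrive.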