Palo Alto Networks disclosed CVE-2026-0300, a critical unauthenticated buffer overflow in the User-ID Authentication Portal component of PAN-OS, affecting PA-Series and VM-Series firewall appliances. The vulnerability carries a CVSS score of 9.3. An attacker who can reach an exposed Authentication Portal can send specially crafted packets to trigger the overflow and execute arbitrary code with root privileges, gaining full control of the device without any credentials.
CISA added CVE-2026-0300 to its Known Exploited Vulnerabilities catalogue on May 6, 2026, confirming active exploitation in the wild. Wiz and Rapid7 both published emergency threat analyses within hours of the advisory going public. The attack surface is limited to deployments where the User-ID Authentication Portal is exposed to untrusted IP addresses or the public internet, but that configuration is common in organisations using captive portal authentication for network access control.
The workarounds are clear: restrict Authentication Portal access to trusted internal IP ranges only, or disable the component entirely if it is not actively in use. Palo Alto has released patched PAN-OS versions and considers patching the definitive fix. Prisma Access, Cloud NGFW, and Panorama appliances are not affected.
What this situation illustrates is a pattern that security teams encounter repeatedly with network perimeter devices: a single misconfiguration exposes a highly privileged system directly to the internet, and when a critical vulnerability is disclosed, the window between public disclosure and active exploitation is measured in hours rather than days. Organisations that lack continuous asset visibility across their firewall and VPN estate, clear patch deployment pipelines for network security appliances, and automated detection of exposed management interfaces are structurally disadvantaged when advisories like this one drop.
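The exposure check the workaround calls for, as an added example that is not from the advisory or any vendor tooling: it walks a constructed, normalised inventory of firewall interfaces (an assumed format, not a PAN-OS export) and flags every interface where the Authentication Portal is enabled and the permitted source ranges are not fully inside the organisation's trusted internal ranges.

```python
import ipaddress
from typing import Iterable

# Ranges this organisation treats as trusted internal sources (constructed for
# the example; substitute the real allow-list).
TRUSTED_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory in a hypothetical normalised form: per interface, whether
# the Authentication Portal is enabled and which source ranges are permitted.
INVENTORY = [
    {"device": "fw-edge-01", "interface": "ethernet1/1", "portal_enabled": True,
     "permitted_sources": ["0.0.0.0/0"]},
    {"device": "fw-edge-01", "interface": "ethernet1/2", "portal_enabled": True,
     "permitted_sources": ["10.20.0.0/16", "192.168.50.0/24"]},
    {"device": "fw-branch-07", "interface": "ethernet1/3", "portal_enabled": True,
     "permitted_sources": ["10.30.0.0/16", "203.0.113.0/24"]},
    {"device": "fw-branch-07", "interface": "ethernet1/4", "portal_enabled": False,
     "permitted_sources": ["0.0.0.0/0"]},
]


def untrusted_sources(permitted: Iterable[str]) -> list:
    """Return the permitted ranges that are not wholly contained in a trusted range."""
    bad = []
    for src in permitted:
        net = ipaddress.ip_network(src, strict=False)
        if not any(net.subnet_of(t) for t in TRUSTED_RANGES if t.version == net.version):
            bad.append(str(net))
    return bad


def exposed_portals(inventory) -> list:
    """Flag (device, interface, untrusted ranges) where an enabled portal is reachable
    from outside the trusted ranges. A disabled portal is never flagged."""
    findings = []
    for entry in inventory:
        if not entry["portal_enabled"]:
            continue  # disabling the component is itself a documented workaround
        # Empty allow-list is treated as unrestricted in this constructed format.
        permitted = entry["permitted_sources"] or ["0.0.0.0/0"]
        bad = untrusted_sources(permitted)
        if bad:
            findings.append((entry["device"], entry["interface"], bad))
    return findings


if __name__ == "__main__":
    for device, iface, bad in exposed_portals(INVENTORY):
        print(f"{device} {iface}: Authentication Portal reachable from {', '.join(bad)}")
```

Run against the real interface inventory, the two flagged interfaces are exactly the ones where the advisory's workaround (restrict to trusted internal ranges or disable) has not yet been applied.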
Perimeter security devices are attractive targets precisely because compromising them can grant an attacker persistent, privileged access to everything behind them. Treating firewall management as an IT maintenance task rather than a security-critical operation leaves organisations exposed.
If you want a review of how your network security appliances are configured, exposed, and patched, contact Excello Digital and we will identify the gaps before an attacker does.
