Listen to this Post
How CVE-2026-0300 Works
CVE-2026-0300 is a critical unauthenticated buffer overflow vulnerability residing in the User-ID™ Authentication Portal service—also known as the Captive Portal—of Palo Alto Networks PAN-OS software. This service is designed to intercept and authenticate users before granting network access, a function commonly deployed on PA-Series and VM-Series firewalls.
The vulnerability stems from improper handling of specially crafted packets sent to the Authentication Portal. Due to a lack of sufficient bounds checking, an attacker can overflow a buffer in the service’s memory space. By sending a maliciously crafted request, the attacker can overwrite adjacent memory regions, corrupting critical process data or injecting arbitrary code.
Crucially, exploitation requires no authentication, no user interaction, and no special conditions—the attacker only needs network access to the portal. If the portal is exposed to the internet or untrusted networks, the attack surface expands dramatically. Successful exploitation grants the attacker root-level code execution on the firewall, providing full administrative control over the device.
Palo Alto Networks has confirmed this vulnerability is being actively exploited in the wild. Repeated exploitation attempts are not necessary; a single crafted packet can trigger the buffer overflow and lead to immediate compromise. The vulnerability affects PAN-OS 10.2 versions earlier than 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, and 10.2.18-h6. Prisma Access, Cloud NGFW, and Panorama appliances are not impacted.
DailyCVE Form:
Platform: PAN-OS
Version: 10.2 <10.2.7-h34
Vulnerability: Buffer Overflow
Severity: Critical (9.3)
date: 2026-05-06
Prediction: Patch 2026-05-13
What Undercode Say:
Analytics:
- Exploitation Status: Actively exploited in the wild as of May 2026.
- CVSS Score: 9.3 (Critical) under CVSS 4.0.
- Attack Vector: Network-based, low complexity, no privileges required.
- Impact: Full root compromise of affected firewalls.
- Affected Branches: PAN-OS 10.2, 11.1, 11.2, and 12.1.
Bash Commands & Code:
To check if your PAN-OS version is vulnerable, use the following CLI command on the firewall:
show system info | match "sw-version"
Example output:
sw-version: 10.2.7-h33
If the version is lower than the fixed releases (e.g., 10.2.7-h34), the system is vulnerable.
To verify if the User-ID Authentication Portal is enabled (a prerequisite for exploitation), run:
show user-id-portal configuration
If the portal is active and exposed to untrusted networks, immediate action is required.
Exploit:
Exploitation involves sending a specially crafted HTTP or HTTPS request to the User-ID Authentication Portal endpoint. The packet contains a payload that exceeds the expected buffer size, triggering a stack-based or heap-based overflow. Once the buffer is overflowed, the attacker can overwrite the return address or inject shellcode, leading to remote code execution with root privileges.
Public proof-of-concept (PoC) exploits have been released, and active in-the-wild attacks have been observed. Attackers are leveraging this vulnerability to gain persistent root access, deploy backdoors, and move laterally within networks.
Protection:
- Immediate Mitigation: Restrict access to the User-ID Authentication Portal to trusted internal IP addresses only, following Palo Alto Networks best practice guidelines.
- Disable if Unused: If the Captive Portal is not operationally required, disable it entirely.
- Apply Patches: Upgrade to the following fixed versions:
- PAN-OS 10.2: 10.2.7-h34, 10.2.10-h36, 10.2.13-h21, 10.2.16-h7, or 10.2.18-h6
- PAN-OS 11.1: 11.1.4-h33, 11.1.6-h32, 11.1.7-h6, 11.1.10-h25, 11.1.13-h5, or 11.1.15
- PAN-OS 11.2: 11.2.4-h17, 11.2.7-h13, 11.2.10-h6, or 11.2.12
- PAN-OS 12.1: 12.1.4-h5 or 12.1.7
- Update Threat Prevention Signatures: Ensure security content and IPS signatures are up to date.
- Monitor for IOCs: Watch for unexpected administrative account activity, suspicious outbound connections, unknown scheduled tasks, unauthorized configuration changes, and unusual portal activity.
Impact:
Successful exploitation allows an unauthenticated remote attacker to execute arbitrary code with root privileges on the affected firewall. This leads to:
– Complete System Compromise: Full administrative control over the firewall, enabling attackers to disable security policies, exfiltrate sensitive data, and pivot to internal networks.
– Service Disruption: Firewall availability can be impacted, potentially leading to denial of service for protected resources.
– Lateral Movement: Compromised firewalls can serve as a beachhead for attackers to move laterally across the enterprise network, compromising additional systems.
– Data Breach: Sensitive corporate data traversing or managed by the firewall may be exposed or stolen.
– Reputational and Financial Damage: Organizations face significant regulatory, financial, and reputational risks due to unauthorized access and data loss.
Given the active exploitation and critical severity, organizations must prioritize patching and mitigation measures immediately.
🎯Let’s Practice Exploiting & Learn Patching For Free:
🎓 Live Courses & Certifications:
Join Undercode Academy for Verified Certifications
🚀 Request a Custom Project:
Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

