External risk intelligence

Palo Alto firewalls can be taken over by attackers remotely

CVE advisory (Known Exploit)

CVE-2026-0300

A critical flaw in Palo Alto firewalls' User-ID service allows attackers to gain full control of the device remotely without authentication. This vulnerability warrants immediate attention due to its potential for widespread network compromise.

Halo Surface Signal: 5

Out-of-bounds Write

Palo Alto Networks PAN-OS

Affected versions: 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.2.9, 10.2.10, 10.2.11, 10.2.12, 10.2.13, 10.2.14, 10.2.15

External exposure likelihood

Halo Surface Signal score for CVE-2026-0300

The vulnerability affects the User-ID Authentication Portal (Captive Portal) in PAN-OS. Although best practice is to restrict the portal to internal networks, it is frequently configured to be reachable externally so that remote users can authenticate. Given that exploitation is unauthenticated, remote, and yields root privileges, an exposed portal is a high-value target for attackers.

Horizon Alert

Summary of the vulnerability and why it matters

An unauthenticated attacker can exploit a buffer overflow vulnerability in the User-ID Authentication Portal of Palo Alto Networks PAN-OS. This could allow them to execute arbitrary code with root privileges on affected firewalls. While the risk can be reduced by restricting access to trusted networks, it is important to be aware of this potential for unauthorized system control.

  • Attackers can gain root access.
  • This affects Palo Alto Networks firewalls.
  • The vulnerability is reachable remotely.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can exploit this by sending specially crafted packets to the User-ID Authentication Portal. This can allow them to execute arbitrary code with root privileges on the targeted Palo Alto Networks firewalls. This would grant them full control over the compromised device.

  • Network access required.
  • Targets User-ID Authentication Portal.
  • Unauthenticated remote exploit path.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability in the Palo Alto Networks PAN-OS User-ID Authentication Portal is a serious concern because it permits unauthenticated remote code execution with root privileges. Attackers are highly motivated to exploit it because it targets network perimeter devices and offers a direct path into a network. Restricting access mitigates the risk, but the potential for exploitation remains significant wherever the portal is exposed.

  • Exploited in the wild.
  • Listed on CISA KEV.
  • Recently added to CISA KEV.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Given the critical severity and active exploitation of this vulnerability, prioritize blocking all incoming traffic to the User-ID Authentication Portal from untrusted networks. If access to this portal is not immediately essential, disable it entirely as a containment measure. Continue to monitor network traffic for any signs of attempted exploitation or lateral movement related to this vulnerability.

  • Restrict portal access to trusted zones.
  • Disable portal if not required.
  • Monitor for exploitation indicators.
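The three actions above reduce to one question a defender can check in logs: is the portal still being reached from anywhere outside the trusted zones? The following script is an added example, not part of the original advisory or any vendor tooling. It runs a detection over a constructed, simplified session-log format (source, destination, destination port, bytes, action), not the real PAN-OS traffic-log layout, and flags allowed sessions that reached the assumed portal ports from untrusted sources. The trusted networks and the portal port numbers are assumptions for the example and must be replaced with values from your own configuration.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: zones from which the portal is legitimately reachable (constructed RFC 1918 ranges).
TRUSTED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Assumption: TCP ports the User-ID Authentication Portal listens on in this example;
# confirm against the actual device configuration before using in production.
PORTAL_PORTS = {6080, 6081, 6082}


@dataclass
class Session:
    src: str
    dst: str
    dport: int
    nbytes: int
    action: str


def parse_line(line):
    """Parse one constructed record of the form: src,dst,dport,bytes,action."""
    src, dst, dport, nbytes, action = (f.strip() for f in line.split(","))
    return Session(src, dst, int(dport), int(nbytes), action)


def is_trusted(ip):
    """True when the address falls inside any trusted zone."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_untrusted_portal_sessions(lines):
    """Return allowed sessions that reached a portal port from outside the trusted zones.

    Each hit is a policy gap: the 'restrict portal access to trusted zones'
    mitigation is not in effect for that source.
    """
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        s = parse_line(line)
        if s.dport in PORTAL_PORTS and s.action == "allow" and not is_trusted(s.src):
            hits.append(s)
    return hits


def summarize_sources(hits):
    """Aggregate hits per untrusted source: {src: (session_count, total_bytes)}."""
    summary = {}
    for s in hits:
        count, total = summary.get(s.src, (0, 0))
        summary[s.src] = (count + 1, total + s.nbytes)
    return summary


# Constructed sample records; not real firewall output.
SAMPLE_LOG = """\
# src,dst,dport,bytes,action
10.1.2.3,198.51.100.10,6081,512,allow
203.0.113.7,198.51.100.10,6081,8192,allow
203.0.113.7,198.51.100.10,443,100,allow
198.51.100.22,198.51.100.10,6080,4096,deny
192.0.2.9,198.51.100.10,6082,65536,allow
"""

if __name__ == "__main__":
    hits = find_untrusted_portal_sessions(SAMPLE_LOG.splitlines())
    for src, (count, total) in summarize_sources(hits).items():
        print(f"untrusted source {src}: {count} allowed portal session(s), {total} bytes")
```

Only sessions the firewall allowed are reported; a denied session from an untrusted source shows the restriction working. Any hit means the portal is reachable from outside the trusted zones and the access restriction (or the disable-if-unneeded option) should be applied before relying on monitoring alone.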

Frequently asked questions

What is Palo Alto Networks PAN-OS and its User-ID Authentication Portal?

PAN-OS is the operating system for Palo Alto Networks' PA-Series and VM-Series firewalls. The User-ID Authentication Portal, also known as the Captive Portal, is a service within PAN-OS that helps identify and authenticate users connecting to the network.

How does CVE-2026-0300 affect PAN-OS security?

CVE-2026-0300 is a buffer overflow vulnerability in the User-ID Authentication Portal. This weakness (CWE-787) allows an unauthenticated attacker to send specially crafted packets to execute arbitrary code with root privileges on affected firewalls.

What is the exploit path for CVE-2026-0300 and what is the scope?

An unauthenticated attacker can exploit this vulnerability by sending specially crafted packets to the User-ID Authentication Portal. Successful exploitation allows for arbitrary code execution with root privileges on vulnerable firewalls.

Why is CVE-2026-0300 a significant threat?

This vulnerability is critical because it allows unauthenticated remote code execution with root privileges. The User-ID Authentication Portal is a frequent target because it is often exposed to support remote user authentication, even in environments that otherwise follow best practices for restricting access.

What actions should be taken to address CVE-2026-0300?

Organizations should prioritize blocking all incoming traffic to the User-ID Authentication Portal from untrusted networks. If the portal is not essential, it should be disabled. Applying vendor-provided patches is the definitive solution once available.
